Retire project
Change-Id: I9471d2c2cda98fd13940c4c6f3e4bf482ce6aa6f
This commit is contained in:
parent
99f008c105
commit
d8b1acadc8
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,4 +0,0 @@
|
||||
tests/build/
|
||||
*.swp
|
||||
*.pyc
|
||||
.ropeproject
|
@ -1,4 +0,0 @@
|
||||
[gerrit]
|
||||
host=review.openstack.org
|
||||
port=29418
|
||||
project=openstack/salt-formula-keystone.git
|
@ -1,10 +0,0 @@
|
||||
keystone formula
|
||||
================
|
||||
|
||||
2016.4.1 (2016-04-15)
|
||||
|
||||
- second release
|
||||
|
||||
0.0.1 (2015-08-03)
|
||||
|
||||
- Initial formula setup
|
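--- a/FORMULA
+++ b/FORMULA
@@ -1,8 +0,0 @@
-name: keystone
-os: Debian, RedHat
-os_family: Debian, RedHat
-version: 201606
-release: 1
-summary: Formula for installing and configuring keystone
-description: Formula for installing and configuring keystone
-top_level_dir: keystone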
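--- a/LICENSE
+++ b/LICENSE
@@ -1,201 +0,0 @@
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction,
-and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by
-the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all
-other entities that control, are controlled by, or are under common
-control with that entity. For the purposes of this definition,
-"control" means (i) the power, direct or indirect, to cause the
-direction or management of such entity, whether by contract or
-otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity
-exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications,
-including but not limited to software source code, documentation
-source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical
-transformation or translation of a Source form, including but
-not limited to compiled object code, generated documentation,
-and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or
-Object form, made available under the License, as indicated by a
-copyright notice that is included in or attached to the work
-(an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object
-form, that is based on (or derived from) the Work and for which the
-editorial revisions, annotations, elaborations, or other modifications
-represent, as a whole, an original work of authorship. For the purposes
-of this License, Derivative Works shall not include works that remain
-separable from, or merely link (or bind by name) to the interfaces of,
-the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including
-the original version of the Work and any modifications or additions
-to that Work or Derivative Works thereof, that is intentionally
-submitted to Licensor for inclusion in the Work by the copyright owner
-or by an individual or Legal Entity authorized to submit on behalf of
-the copyright owner. For the purposes of this definition, "submitted"
-means any form of electronic, verbal, or written communication sent
-to the Licensor or its representatives, including but not limited to
-communication on electronic mailing lists, source code control systems,
-and issue tracking systems that are managed by, or on behalf of, the
-Licensor for the purpose of discussing and improving the Work, but
-excluding communication that is conspicuously marked or otherwise
-designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity
-on behalf of whom a Contribution has been received by Licensor and
-subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-copyright license to reproduce, prepare Derivative Works of,
-publicly display, publicly perform, sublicense, and distribute the
-Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-(except as stated in this section) patent license to make, have made,
-use, offer to sell, sell, import, and otherwise transfer the Work,
-where such license applies only to those patent claims licensable
-by such Contributor that are necessarily infringed by their
-Contribution(s) alone or by combination of their Contribution(s)
-with the Work to which such Contribution(s) was submitted. If You
-institute patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Work
-or a Contribution incorporated within the Work constitutes direct
-or contributory patent infringement, then any patent licenses
-granted to You under this License for that Work shall terminate
-as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-Work or Derivative Works thereof in any medium, with or without
-modifications, and in Source or Object form, provided that You
-meet the following conditions:
-
-(a) You must give any other recipients of the Work or
-Derivative Works a copy of this License; and
-
-(b) You must cause any modified files to carry prominent notices
-stating that You changed the files; and
-
-(c) You must retain, in the Source form of any Derivative Works
-that You distribute, all copyright, patent, trademark, and
-attribution notices from the Source form of the Work,
-excluding those notices that do not pertain to any part of
-the Derivative Works; and
-
-(d) If the Work includes a "NOTICE" text file as part of its
-distribution, then any Derivative Works that You distribute must
-include a readable copy of the attribution notices contained
-within such NOTICE file, excluding those notices that do not
-pertain to any part of the Derivative Works, in at least one
-of the following places: within a NOTICE text file distributed
-as part of the Derivative Works; within the Source form or
-documentation, if provided along with the Derivative Works; or,
-within a display generated by the Derivative Works, if and
-wherever such third-party notices normally appear. The contents
-of the NOTICE file are for informational purposes only and
-do not modify the License. You may add Your own attribution
-notices within Derivative Works that You distribute, alongside
-or as an addendum to the NOTICE text from the Work, provided
-that such additional attribution notices cannot be construed
-as modifying the License.
-
-You may add Your own copyright statement to Your modifications and
-may provide additional or different license terms and conditions
-for use, reproduction, or distribution of Your modifications, or
-for any such Derivative Works as a whole, provided Your use,
-reproduction, and distribution of the Work otherwise complies with
-the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-any Contribution intentionally submitted for inclusion in the Work
-by You to the Licensor shall be under the terms and conditions of
-this License, without any additional terms or conditions.
-Notwithstanding the above, nothing herein shall supersede or modify
-the terms of any separate license agreement you may have executed
-with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-names, trademarks, service marks, or product names of the Licensor,
-except as required for reasonable and customary use in describing the
-origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-agreed to in writing, Licensor provides the Work (and each
-Contributor provides its Contributions) on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-implied, including, without limitation, any warranties or conditions
-of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-PARTICULAR PURPOSE. You are solely responsible for determining the
-appropriateness of using or redistributing the Work and assume any
-risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-whether in tort (including negligence), contract, or otherwise,
-unless required by applicable law (such as deliberate and grossly
-negligent acts) or agreed to in writing, shall any Contributor be
-liable to You for damages, including any direct, indirect, special,
-incidental, or consequential damages of any character arising as a
-result of this License or out of the use or inability to use the
-Work (including but not limited to damages for loss of goodwill,
-work stoppage, computer failure or malfunction, or any and all
-other commercial damages or losses), even if such Contributor
-has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-the Work or Derivative Works thereof, You may choose to offer,
-and charge a fee for, acceptance of support, warranty, indemnity,
-or other liability obligations and/or rights consistent with this
-License. However, in accepting such obligations, You may act only
-on Your own behalf and on Your sole responsibility, not on behalf
-of any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability
-incurred by, or claims asserted against, such Contributor by reason
-of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following
-boilerplate notice, with the fields enclosed by brackets "[]"
-replaced with your own identifying information. (Don't include
-the brackets!) The text should be enclosed in the appropriate
-comment syntax for the file format. We also recommend that a
-file or class name and description of purpose be included on the
-same "printed page" as the copyright notice for easier
-identification within third-party archives.
-
-Copyright [yyyy] [name of copyright owner]
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.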
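--- a/Makefile
+++ b/Makefile
@@ -1,26 +0,0 @@
-DESTDIR=/
-SALTENVDIR=/usr/share/salt-formulas/env
-RECLASSDIR=/usr/share/salt-formulas/reclass
-FORMULANAME=$(shell grep name: metadata.yml|head -1|cut -d : -f 2|grep -Eo '[a-z0-9\-]*')
-
-all:
-@echo "make install - Install into DESTDIR"
-@echo "make test - Run tests"
-@echo "make clean - Cleanup after tests run"
-
-install:
-# Formula
-[ -d $(DESTDIR)/$(SALTENVDIR) ] || mkdir -p $(DESTDIR)/$(SALTENVDIR)
-cp -a $(FORMULANAME) $(DESTDIR)/$(SALTENVDIR)/
-[ ! -d _modules ] || cp -a _modules $(DESTDIR)/$(SALTENVDIR)/
-[ ! -d _states ] || cp -a _states $(DESTDIR)/$(SALTENVDIR)/ || true
-# Metadata
-[ -d $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME) ] || mkdir -p $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
-cp -a metadata/service/* $(DESTDIR)/$(RECLASSDIR)/service/$(FORMULANAME)
-
-test:
-[ ! -d tests ] || (cd tests; ./run_tests.sh)
-
-clean:
-[ ! -d tests/build ] || rm -rf tests/build
-[ ! -d build ] || rm -rf build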
426
README.rst
426
README.rst
@ -1,421 +1,9 @@
|
||||
==================
|
||||
OpenStack Keystone
|
||||
==================
|
||||
Project moved
|
||||
=============
|
||||
|
||||
Keystone provides authentication, authorization and service discovery
|
||||
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
|
||||
is most commonly deployed as an HTTP interface to existing identity systems,
|
||||
such as LDAP.
|
||||
This repository as a part of openstack-salt project was moved to join rest of
|
||||
salt-formulas ecosystem.
|
||||
|
||||
From Kilo release Keystone v3 endpoint has definition without version in url
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
|
||||
| id | region | publicurl | internalurl | adminurl | service_id |
|
||||
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
|
||||
| 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
|
||||
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
|
||||
|
||||
|
||||
Sample pillars
|
||||
==============
|
||||
|
||||
.. caution::
|
||||
|
||||
When you use localhost as your database host (keystone:server:
|
||||
atabase:host), sqlalchemy will try to connect to /var/run/mysql/
|
||||
mysqld.sock, may cause issues if you located your mysql socket elsewhere
|
||||
|
||||
Full stacked keystone
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
enabled: true
|
||||
version: juno
|
||||
service_token: 'service_tokeen'
|
||||
service_tenant: service
|
||||
service_password: 'servicepwd'
|
||||
admin_tenant: admin
|
||||
admin_name: admin
|
||||
admin_password: 'adminpwd'
|
||||
admin_email: stackmaster@domain.com
|
||||
roles:
|
||||
- admin
|
||||
- Member
|
||||
- image_manager
|
||||
bind:
|
||||
address: 0.0.0.0
|
||||
private_address: 127.0.0.1
|
||||
private_port: 35357
|
||||
public_address: 127.0.0.1
|
||||
public_port: 5000
|
||||
api_version: 2.0
|
||||
region: RegionOne
|
||||
database:
|
||||
engine: mysql
|
||||
host: '127.0.0.1'
|
||||
name: 'keystone'
|
||||
password: 'LfTno5mYdZmRfoPV'
|
||||
user: 'keystone'
|
||||
|
||||
Keystone public HTTPS API
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
enabled: true
|
||||
version: juno
|
||||
...
|
||||
services:
|
||||
- name: nova
|
||||
type: compute
|
||||
description: OpenStack Compute Service
|
||||
user:
|
||||
name: nova
|
||||
password: password
|
||||
bind:
|
||||
public_address: cloud.domain.com
|
||||
public_protocol: https
|
||||
public_port: 8774
|
||||
internal_address: 10.0.0.20
|
||||
internal_port: 8774
|
||||
admin_address: 10.0.0.20
|
||||
admin_port: 8774
|
||||
|
||||
Keystone memcached storage for tokens
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
enabled: true
|
||||
version: juno
|
||||
...
|
||||
token_store: cache
|
||||
cache:
|
||||
engine: memcached
|
||||
host: 127.0.0.1
|
||||
port: 11211
|
||||
services:
|
||||
...
|
||||
|
||||
Keystone clustered memcached storage for tokens
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
enabled: true
|
||||
version: juno
|
||||
...
|
||||
token_store: cache
|
||||
cache:
|
||||
engine: memcached
|
||||
members:
|
||||
- host: 192.160.0.1
|
||||
port: 11211
|
||||
- host: 192.160.0.2
|
||||
port: 11211
|
||||
services:
|
||||
...
|
||||
|
||||
Keystone client
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
client:
|
||||
enabled: true
|
||||
server:
|
||||
host: 10.0.0.2
|
||||
public_port: 5000
|
||||
private_port: 35357
|
||||
service_token: 'token'
|
||||
admin_tenant: admin
|
||||
admin_name: admin
|
||||
admin_password: 'passwd'
|
||||
|
||||
Keystone cluster
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
control:
|
||||
enabled: true
|
||||
provider:
|
||||
os15_token:
|
||||
host: 10.0.0.2
|
||||
port: 35357
|
||||
token: token
|
||||
os15_tcp_core_stg:
|
||||
host: 10.0.0.5
|
||||
port: 5000
|
||||
tenant: admin
|
||||
name: admin
|
||||
password: password
|
||||
|
||||
Keystone fernet tokens for OpenStack Kilo release
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
...
|
||||
tokens:
|
||||
engine: fernet
|
||||
max_active_keys: 3
|
||||
...
|
||||
|
||||
Keystone domain with LDAP backend, using SQL for role/project assignment
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
domain:
|
||||
description: "Testing domain"
|
||||
backend: ldap
|
||||
assignment:
|
||||
backend: sql
|
||||
ldap:
|
||||
url: "ldaps://idm.domain.com"
|
||||
suffix: "dc=cloud,dc=domain,dc=com"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||
uid: keystone
|
||||
password: password
|
||||
|
||||
Using LDAP backend for default domain
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
backend: ldap
|
||||
assignment:
|
||||
backend: sql
|
||||
ldap:
|
||||
url: "ldaps://idm.domain.com"
|
||||
suffix: "dc=cloud,dc=domain,dc=com"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||
uid: keystone
|
||||
password: password
|
||||
|
||||
Simple service endpoint definition (defaults to RegionOne)
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
service:
|
||||
ceilometer:
|
||||
type: metering
|
||||
description: OpenStack Telemetry Service
|
||||
user:
|
||||
name: ceilometer
|
||||
password: password
|
||||
bind:
|
||||
...
|
||||
|
||||
Region-aware service endpoints definition
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
service:
|
||||
ceilometer_region01:
|
||||
service: ceilometer
|
||||
type: metering
|
||||
region: region01
|
||||
description: OpenStack Telemetry Service
|
||||
user:
|
||||
name: ceilometer
|
||||
password: password
|
||||
bind:
|
||||
...
|
||||
ceilometer_region02:
|
||||
service: ceilometer
|
||||
type: metering
|
||||
region: region02
|
||||
description: OpenStack Telemetry Service
|
||||
bind:
|
||||
...
|
||||
|
||||
Enable ceilometer notifications
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
notification: true
|
||||
message_queue:
|
||||
engine: rabbitmq
|
||||
host: 127.0.0.1
|
||||
port: 5672
|
||||
user: openstack
|
||||
password: password
|
||||
virtual_host: '/openstack'
|
||||
ha_queues: true
|
||||
|
||||
Client-side RabbitMQ HA setup
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
....
|
||||
message_queue:
|
||||
engine: rabbitmq
|
||||
members:
|
||||
- host: 10.0.16.1
|
||||
- host: 10.0.16.2
|
||||
- host: 10.0.16.3
|
||||
user: openstack
|
||||
password: pwd
|
||||
virtual_host: '/openstack'
|
||||
....
|
||||
|
||||
Enable CADF audit notification
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
notification: true
|
||||
notification_format: cadf
|
||||
|
||||
Run keystone under Apache
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
service_name: apache2
|
||||
apache:
|
||||
server:
|
||||
enabled: true
|
||||
default_mpm: event
|
||||
site:
|
||||
keystone:
|
||||
enabled: true
|
||||
type: keystone
|
||||
name: wsgi
|
||||
host:
|
||||
name: ${linux:network:fqdn}
|
||||
modules:
|
||||
- wsgi
|
||||
|
||||
Enable Federated keystone
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
websso:
|
||||
protocol: saml2
|
||||
remote_id_attribute: Shib-Identity-Provider
|
||||
federation_driver: keystone.contrib.federation.backends.sql.Federation
|
||||
trusted_dashboard:
|
||||
- http://${_param:proxy_vip_address_public}/horizon/auth/websso/
|
||||
apache:
|
||||
server:
|
||||
pkgs:
|
||||
- apache2
|
||||
- libapache2-mod-shib2
|
||||
modules:
|
||||
- wsgi
|
||||
- shib2
|
||||
|
||||
Keystone client
|
||||
---------------
|
||||
|
||||
Service endpoints enforcement with service token
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
client:
|
||||
enabled: true
|
||||
server:
|
||||
keystone01:
|
||||
admin:
|
||||
host: 10.0.0.2
|
||||
port: 35357
|
||||
token: 'service_token'
|
||||
service:
|
||||
nova:
|
||||
type: compute
|
||||
description: OpenStack Compute Service
|
||||
endpoints:
|
||||
- region: region01
|
||||
public_address: 172.16.10.1
|
||||
public_port: 8773
|
||||
public_path: '/v2'
|
||||
internal_address: 172.16.10.1
|
||||
internal_port: 8773
|
||||
internal_path: '/v2'
|
||||
admin_address: 172.16.10.1
|
||||
admin_port: 8773
|
||||
admin_path: '/v2'
|
||||
|
||||
Project, users, roles enforcement with admin user
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
client:
|
||||
enabled: true
|
||||
server:
|
||||
keystone01:
|
||||
admin:
|
||||
host: 10.0.0.2
|
||||
port: 5000
|
||||
project: 'token'
|
||||
user: admin
|
||||
password: 'passwd'
|
||||
roles:
|
||||
- admin
|
||||
- member
|
||||
project:
|
||||
tenant01:
|
||||
description: "test env"
|
||||
user:
|
||||
user01:
|
||||
email: jdoe@domain.com
|
||||
is_admin: true
|
||||
password: some
|
||||
user02:
|
||||
email: jdoe2@domain.com
|
||||
password: some
|
||||
roles:
|
||||
- custom-roles
|
||||
|
||||
Documentation and Bugs
|
||||
======================
|
||||
|
||||
To learn how to deploy OpenStack Salt, consult the documentation available
|
||||
online at:
|
||||
|
||||
https://wiki.openstack.org/wiki/OpenStackSalt
|
||||
|
||||
In the unfortunate event that bugs are discovered, they should be reported to
|
||||
the appropriate bug tracker. If you obtained the software from a 3rd party
|
||||
operating system vendor, it is often wise to use their own bug tracker for
|
||||
reporting problems. In all other cases use the master OpenStack bug tracker,
|
||||
available at:
|
||||
|
||||
http://bugs.launchpad.net/openstack-salt
|
||||
|
||||
Developers wishing to work on the OpenStack Salt project should always base
|
||||
their work on the latest formulas code, available from the master GIT
|
||||
repository at:
|
||||
|
||||
https://git.openstack.org/cgit/openstack/salt-formula-keystone
|
||||
|
||||
Developers should also join the discussion on the IRC list, at:
|
||||
|
||||
https://wiki.openstack.org/wiki/Meetings/openstack-salt
|
||||
Github: https://github.com/salt-formulas
|
||||
Launchpad https://launchpad.net/salt-formulas
|
||||
IRC: #salt-formulas @ irc.freenode.net
|
||||
|
@ -1,2 +0,0 @@
|
||||
python-yaml
|
||||
|
@ -1,73 +0,0 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.path.insert(0, os.path.abspath('../..'))
|
||||
# -- General configuration ----------------------------------------------------
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be
|
||||
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||
extensions = [
|
||||
'sphinx.ext.autodoc',
|
||||
]
|
||||
|
||||
# autodoc generation is a bit aggressive and a nuisance when doing heavy
|
||||
# text edit cycles.
|
||||
# execute "export SPHINX_DEBUG=1" in your terminal to disable
|
||||
|
||||
# The suffix of source filenames.
|
||||
source_suffix = '.rst'
|
||||
|
||||
# The master toctree document.
|
||||
master_doc = 'index'
|
||||
|
||||
# General information about the project.
|
||||
project = u'salt-formula-keystone'
|
||||
copyright = u'2015, OpenStack Foundation'
|
||||
|
||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||
add_function_parentheses = True
|
||||
|
||||
# If true, the current module name will be prepended to all description
|
||||
# unit titles (such as .. function::).
|
||||
add_module_names = True
|
||||
|
||||
# The name of the Pygments (syntax highlighting) style to use.
|
||||
pygments_style = 'sphinx'
|
||||
|
||||
# -- Options for HTML output --------------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. Major themes that come with
|
||||
# Sphinx are currently 'default' and 'sphinxdoc'.
|
||||
# html_theme_path = ["."]
|
||||
# html_theme = '_theme'
|
||||
# html_static_path = ['static']
|
||||
|
||||
# Output file base name for HTML help builder.
|
||||
htmlhelp_basename = '%sdoc' % project
|
||||
|
||||
# Grouping the document tree into LaTeX files. List of tuples
|
||||
# (source start file, target name, title, author, documentclass
|
||||
# [howto/manual]).
|
||||
latex_documents = [
|
||||
('index',
|
||||
'%s.tex' % project,
|
||||
u'%s Documentation' % project,
|
||||
u'OpenStack Foundation', 'manual'),
|
||||
]
|
||||
|
||||
# Example configuration for intersphinx: refer to the Python standard library.
|
||||
# intersphinx_mapping = {'http://docs.python.org/': None}
|
@ -1 +0,0 @@
|
||||
.. include:: ../../README.rst
|
@ -1,5 +0,0 @@
|
||||
|
||||
include:
|
||||
- keystone.client.service
|
||||
- keystone.client.project
|
||||
- keystone.client.server
|
@ -1,65 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import client with context %}
|
||||
{%- if client.enabled %}
|
||||
|
||||
{%- if client.tenant is defined %}
|
||||
|
||||
keystone_salt_config:
|
||||
file.managed:
|
||||
- name: /etc/salt/minion.d/keystone.conf
|
||||
- template: jinja
|
||||
- source: salt://keystone/files/salt-minion.conf
|
||||
- mode: 600
|
||||
|
||||
keystone_client_roles:
|
||||
keystone.role_present:
|
||||
- names: {{ client.roles }}
|
||||
- connection_user: {{ client.server.user }}
|
||||
- connection_password: {{ client.server.password }}
|
||||
- connection_tenant: {{ client.server.tenant }}
|
||||
- connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
|
||||
- require:
|
||||
- file: keystone_salt_config
|
||||
|
||||
{%- for tenant_name, tenant in client.get('tenant', {}).iteritems() %}
|
||||
|
||||
keystone_tenant_{{ tenant_name }}:
|
||||
keystone.tenant_present:
|
||||
- name: {{ tenant_name }}
|
||||
- connection_user: {{ client.server.user }}
|
||||
- connection_password: {{ client.server.password }}
|
||||
- connection_tenant: {{ client.server.tenant }}
|
||||
- connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
|
||||
- require:
|
||||
- keystone: keystone_client_roles
|
||||
|
||||
{%- for user_name, user in tenant.get('user', {}).iteritems() %}
|
||||
|
||||
keystone_{{ tenant_name }}_user_{{ user_name }}:
|
||||
keystone.user_present:
|
||||
- name: {{ user_name }}
|
||||
- password: {{ user.password }}
|
||||
- email: {{ user.get('email', 'root@localhost') }}
|
||||
- tenant: {{ tenant_name }}
|
||||
- roles:
|
||||
"{{ tenant_name }}":
|
||||
{%- if user.get('is_admin', False) %}
|
||||
- admin
|
||||
{%- elif user.get('roles', False) %}
|
||||
{{ user.roles }}
|
||||
{%- else %}
|
||||
- Member
|
||||
{%- endif %}
|
||||
- connection_user: {{ client.server.user }}
|
||||
- connection_password: {{ client.server.password }}
|
||||
- connection_tenant: {{ client.server.tenant }}
|
||||
- connection_auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
|
||||
- require:
|
||||
- keystone: keystone_tenant_{{ tenant_name }}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endif %}
|
||||
|
||||
{%- endif %}
|
@ -1,144 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import client with context %}
|
||||
{%- if client.enabled %}
|
||||
|
||||
{%- for server_name, server in client.get('server', {}).iteritems() %}
|
||||
|
||||
{%- if server.admin.get('api_version', '2') == '3' %}
|
||||
{%- set version = "v3" %}
|
||||
{%- else %}
|
||||
{%- set version = "v2.0" %}
|
||||
{%- endif %}
|
||||
|
||||
{%- if server.admin.get('protocol', 'http') == 'http' %}
|
||||
{%- set protocol = 'http' %}
|
||||
{%- else %}
|
||||
{%- set protocol = 'https' %}
|
||||
{%- endif %}
|
||||
|
||||
|
||||
{%- if server.admin.token is defined %}
|
||||
{%- set connection_args = {'endpoint': protocol+'://'+server.admin.host+':'+server.admin.port|string+'/'+version,
|
||||
'token': server.admin.token} %}
|
||||
{%- else %}
|
||||
{%- set connection_args = {'auth_url': protocol+'://'+server.admin.host+':'+server.admin.port|string+'/'+version,
|
||||
'tenant': server.admin.project,
|
||||
'user': server.admin.user,
|
||||
'password': server.admin.password} %}
|
||||
{%- endif %}
|
||||
|
||||
{%- if server.roles is defined %}
|
||||
|
||||
keystone_{{ server_name }}_roles:
|
||||
keystone.role_present:
|
||||
- names: {{ server.roles }}
|
||||
{%- if server.admin.token is defined %}
|
||||
- connection_token: {{ connection_args.token }}
|
||||
- connection_endpoint: {{ connection_args.endpoint }}
|
||||
{%- else %}
|
||||
- connection_user: {{ connection_args.user }}
|
||||
- connection_password: {{ connection_args.password }}
|
||||
- connection_tenant: {{ connection_args.tenant }}
|
||||
- connection_auth_url: {{ connection_args.auth_url }}
|
||||
{%- endif %}
|
||||
|
||||
{%- endif %}
|
||||
|
||||
{% for service_name, service in server.get('service', {}).iteritems() %}
|
||||
|
||||
keystone_{{ server_name }}_service_{{ service_name }}:
|
||||
keystone.service_present:
|
||||
- name: {{ service_name }}
|
||||
- service_type: {{ service.type }}
|
||||
- description: {{ service.description }}
|
||||
{%- if server.admin.token is defined %}
|
||||
- connection_token: {{ connection_args.token }}
|
||||
- connection_endpoint: {{ connection_args.endpoint }}
|
||||
{%- else %}
|
||||
- connection_user: {{ connection_args.user }}
|
||||
- connection_password: {{ connection_args.password }}
|
||||
- connection_tenant: {{ connection_args.tenant }}
|
||||
- connection_auth_url: {{ connection_args.auth_url }}
|
||||
{%- endif %}
|
||||
|
||||
{%- for endpoint in service.get('endpoints', ()) %}
|
||||
|
||||
keystone_{{ server_name }}_service_{{ service_name }}_endpoint_{{ endpoint.region }}:
|
||||
keystone.endpoint_present:
|
||||
- name: {{ service_name }}
|
||||
- publicurl: '{{ endpoint.get('public_protocol', 'http') }}://{{ endpoint.public_address }}:{{ endpoint.public_port }}{{ endpoint.public_path }}'
|
||||
- internalurl: '{{ endpoint.get('internal_protocol', 'http') }}://{{ endpoint.internal_address }}:{{ endpoint.internal_port }}{{ endpoint.internal_path }}'
|
||||
- adminurl: '{{ endpoint.get('admin_protocol', 'http') }}://{{ endpoint.admin_address }}:{{ endpoint.admin_port }}{{ endpoint.admin_path }}'
|
||||
- region: {{ endpoint.region }}
|
||||
- require:
|
||||
- keystone: keystone_{{ server_name }}_service_{{ service_name }}
|
||||
{%- if server.admin.token is defined %}
|
||||
- connection_token: {{ connection_args.token }}
|
||||
- connection_endpoint: {{ connection_args.endpoint }}
|
||||
{%- else %}
|
||||
- connection_user: {{ connection_args.user }}
|
||||
- connection_password: {{ connection_args.password }}
|
||||
- connection_tenant: {{ connection_args.tenant }}
|
||||
- connection_auth_url: {{ connection_args.auth_url }}
|
||||
{%- endif %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- for tenant_name, tenant in server.get('project', {}).iteritems() %}
|
||||
|
||||
keystone_{{ server_name }}_tenant_{{ tenant_name }}:
|
||||
keystone.tenant_present:
|
||||
- name: {{ tenant_name }}
|
||||
{%- if tenant.description is defined %}
|
||||
- description: {{ tenant.description }}
|
||||
{%- endif %}
|
||||
{%- if server.admin.token is defined %}
|
||||
- connection_token: {{ connection_args.token }}
|
||||
- connection_endpoint: {{ connection_args.endpoint }}
|
||||
{%- else %}
|
||||
- connection_user: {{ connection_args.user }}
|
||||
- connection_password: {{ connection_args.password }}
|
||||
- connection_tenant: {{ connection_args.tenant }}
|
||||
- connection_auth_url: {{ connection_args.auth_url }}
|
||||
{%- endif %}
|
||||
|
||||
{%- for user_name, user in tenant.get('user', {}).iteritems() %}
|
||||
|
||||
keystone_{{ server_name }}_tenant_{{ tenant_name }}_user_{{ user_name }}:
|
||||
keystone.user_present:
|
||||
- name: {{ user_name }}
|
||||
- password: {{ user.password }}
|
||||
{%- if user.email is defined %}
|
||||
- email: {{ user.email }}
|
||||
{%- endif %}
|
||||
- tenant: {{ tenant_name }}
|
||||
- roles:
|
||||
"{{ tenant_name }}":
|
||||
{%- if user.get('is_admin', False) %}
|
||||
- admin
|
||||
{%- elif user.get('roles', False) %}
|
||||
{{ user.roles }}
|
||||
{%- else %}
|
||||
- Member
|
||||
{%- endif %}
|
||||
- require:
|
||||
- keystone: keystone_{{ server_name }}_tenant_{{ tenant_name }}
|
||||
- keystone: keystone_{{ server_name }}_roles
|
||||
{%- if server.admin.token is defined %}
|
||||
- connection_token: {{ connection_args.token }}
|
||||
- connection_endpoint: {{ connection_args.endpoint }}
|
||||
{%- else %}
|
||||
- connection_user: {{ connection_args.user }}
|
||||
- connection_password: {{ connection_args.password }}
|
||||
- connection_tenant: {{ connection_args.tenant }}
|
||||
- connection_auth_url: {{ connection_args.auth_url }}
|
||||
{%- endif %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endif %}
|
@ -1,8 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import client with context %}
|
||||
{%- if client.enabled %}
|
||||
|
||||
keystone_client_packages:
|
||||
pkg.installed:
|
||||
- names: {{ client.pkgs }}
|
||||
|
||||
{%- endif %}
|
@ -1,11 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import control with context %}
|
||||
{%- for provider_name, provider in control.get('provider', {}).iteritems() %}
|
||||
|
||||
/root/keystonerc_{{ provider_name }}:
|
||||
file.managed:
|
||||
- source: salt://keystone/files/keystonerc_user
|
||||
- template: jinja
|
||||
- defaults:
|
||||
provider_name: "{{ provider_name }}"
|
||||
|
||||
{%- endfor %}
|
@ -1,59 +0,0 @@
|
||||
|
||||
[ldap]
|
||||
url = {{ ldap.url }}
|
||||
user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
|
||||
password = {{ ldap.password }}
|
||||
suffix = {{ ldap.suffix }}
|
||||
|
||||
# User mapping
|
||||
user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
|
||||
user_objectclass = person
|
||||
user_id_attribute = uid
|
||||
user_name_attribute = uid
|
||||
user_mail_attribute = mail
|
||||
{%- if ldap.get('read_only', True) %}
|
||||
user_allow_create = false
|
||||
user_allow_update = false
|
||||
user_allow_delete = false
|
||||
{%- endif %}
|
||||
user_enabled_attribute = nsAccountLock
|
||||
user_enabled_default = False
|
||||
user_enabled_invert = true
|
||||
{%- if ldap.get('filter', {}).get('user', False) %}
|
||||
user_filter = {{ ldap.filter.user }}
|
||||
{%- endif %}
|
||||
|
||||
# Group mapping
|
||||
group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
|
||||
group_objectclass = groupOfNames
|
||||
group_id_attribute = cn
|
||||
group_name_attribute = cn
|
||||
group_member_attribute = member
|
||||
group_desc_attribute = description
|
||||
{%- if ldap.get('read_only', True) %}
|
||||
group_allow_create = false
|
||||
group_allow_update = false
|
||||
group_allow_delete = false
|
||||
{%- endif %}
|
||||
|
||||
{%- if ldap.tls is defined %}
|
||||
|
||||
{%- if ldap.tls.get("enabled", False) %}
|
||||
use_tls = true
|
||||
{%- endif %}
|
||||
|
||||
{%- if ldap.tls.cacertdir is defined %}
|
||||
tls_cacertdir = {{ ldap.tls.cacertdir }}
|
||||
{%- endif %}
|
||||
|
||||
{%- if ldap.tls.cacert is defined %}
|
||||
tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
|
||||
{%- elif ldap.tls.cacertfile is defined %}
|
||||
tls_cacertfile = {{ ldap.tls.cacertfile }}
|
||||
{%- endif %}
|
||||
|
||||
{%- if ldap.tls.req_cert is defined %}
|
||||
tls_req_cert = {{ ldap.tls.req_cert }}
|
||||
{%- endif %}
|
||||
|
||||
{%- endif %}
|
@ -1,2 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context %}
|
||||
{%- include "keystone/files/"+server.version+"/wsgi-keystone.conf" %}
|
@ -1,10 +0,0 @@
|
||||
Import "check_openstack_api"
|
||||
|
||||
<Module "check_openstack_api">
|
||||
KeystoneUrl "{{ plugin.url }}"
|
||||
Username "{{ plugin.username }}"
|
||||
Password "{{ plugin.password }}"
|
||||
Tenant "{{ plugin.tenant }}"
|
||||
MaxRetries "2"
|
||||
Timeout "20"
|
||||
</Module>
|
@ -1,10 +0,0 @@
|
||||
Import "openstack_keystone"
|
||||
|
||||
<Module "openstack_keystone">
|
||||
KeystoneUrl "{{ plugin.url }}"
|
||||
Username "{{ plugin.username }}"
|
||||
Password "{{ plugin.password }}"
|
||||
Tenant "{{ plugin.tenant }}"
|
||||
MaxRetries "2"
|
||||
Timeout "20"
|
||||
</Module>
|
@ -1,14 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context -%}
|
||||
#!/bin/bash -e
|
||||
|
||||
cat /srv/salt/pillar/keystone-server.sls | envsubst > /tmp/keystone-server.sls
|
||||
mv /tmp/keystone-server.sls /srv/salt/pillar/keystone-server.sls
|
||||
|
||||
salt-call --local --retcode-passthrough state.highstate
|
||||
service {{ server.service_name }} stop || true
|
||||
|
||||
su keystone --shell=/bin/sh -c '/usr/bin/keystone-all --config-file=/etc/keystone/keystone.conf'
|
||||
|
||||
{#-
|
||||
vim: syntax=jinja
|
||||
-#}
|
@ -1,13 +0,0 @@
|
||||
[logstreamer_keystone]
|
||||
type = "LogstreamerInput"
|
||||
log_directory = "/var/log/keystone"
|
||||
file_match = '(?P<Service>.+)\.log\.?(?P<Index>\d*)?(.gz)?'
|
||||
differentiator = ['keystone','_','Service']
|
||||
priority = ["^Index"]
|
||||
decoder = "openstack"
|
||||
oldest_duration = "168h"
|
||||
|
||||
[openstack]
|
||||
type = "SandboxDecoder"
|
||||
filename = "lua_modules/decoders/openstack.lua"
|
||||
module_directory = "/usr/share/heka/lua_modules;/usr/share/heka/lua_modules/common"
|
@ -1,121 +0,0 @@
|
||||
# Keystone PasteDeploy configuration file.
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||
|
||||
[filter:build_auth_context]
|
||||
paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
|
||||
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:xml_body]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
|
||||
|
||||
[filter:xml_body_v2]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV2.factory
|
||||
|
||||
[filter:xml_body_v3]
|
||||
paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV3.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
||||
|
||||
[filter:user_crud_extension]
|
||||
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
|
||||
|
||||
[filter:crud_extension]
|
||||
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
||||
|
||||
[filter:ec2_extension]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
||||
|
||||
[filter:ec2_extension_v3]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
|
||||
|
||||
[filter:federation_extension]
|
||||
paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
|
||||
|
||||
[filter:oauth1_extension]
|
||||
paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
|
||||
|
||||
[filter:s3_extension]
|
||||
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
|
||||
|
||||
[filter:endpoint_filter_extension]
|
||||
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
|
||||
|
||||
[filter:endpoint_policy_extension]
|
||||
paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
|
||||
|
||||
[filter:simple_cert_extension]
|
||||
paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
|
||||
|
||||
[filter:revoke_extension]
|
||||
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
|
||||
|
||||
[filter:url_normalize]
|
||||
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
|
||||
|
||||
[filter:stats_monitoring]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
|
||||
|
||||
[filter:stats_reporting]
|
||||
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
|
||||
|
||||
[filter:access_log]
|
||||
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
|
||||
|
||||
[app:public_service]
|
||||
paste.app_factory = keystone.service:public_app_factory
|
||||
|
||||
[app:service_v3]
|
||||
paste.app_factory = keystone.service:v3_app_factory
|
||||
|
||||
[app:admin_service]
|
||||
paste.app_factory = keystone.service:admin_app_factory
|
||||
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
paste.app_factory = keystone.service:public_version_app_factory
|
||||
|
||||
[app:admin_version_service]
|
||||
paste.app_factory = keystone.service:admin_version_app_factory
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = sizelimit url_normalize xml_body public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = sizelimit url_normalize xml_body admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
@ -1 +0,0 @@
|
||||
keystone-paste.ini.Debian
|
@ -1 +0,0 @@
|
||||
keystone.conf.Debian
|
@ -1,171 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_required",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_required",
|
||||
"identity:validate_token": "rule:service_or_admin",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:get_trust": "rule:admin_or_owner",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:check_role_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_groups": "",
|
||||
"identity:list_domains_for_groups": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required"
|
||||
}
|
@ -1,8 +0,0 @@
|
||||
WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
|
||||
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
|
||||
|
||||
<Location "/keystone">
|
||||
NSSRequireSSL
|
||||
Authtype none
|
||||
</Location>
|
||||
|
@ -1,21 +0,0 @@
|
||||
{% from "keystone/map.jinja" import server with context %}
|
||||
{%- set domain = server.domain.get(domain_name) %}
|
||||
|
||||
{%- if domain.get("backend", "sql") == "ldap" %}
|
||||
{%- set ldap = domain.ldap %}
|
||||
{% include "keystone/files/_ldap.conf" %}
|
||||
{%- endif %}
|
||||
|
||||
[identity]
|
||||
{%- if domain.get("backend", "sql") == "ldap" %}
|
||||
driver = keystone.identity.backends.ldap.Identity
|
||||
{%- else %}
|
||||
driver = keystone.identity.backends.sql.Identity
|
||||
{%- endif %}
|
||||
|
||||
[assignment]
|
||||
{%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}
|
||||
driver = keystone.assignment.backends.ldap.Assignment
|
||||
{%- else %}
|
||||
driver = keystone.assignment.backends.sql.Assignment
|
||||
{%- endif %}
|
@ -1,8 +0,0 @@
|
||||
{%- set server = pillar.keystone.server %}
|
||||
export OS_USERNAME={{ server.admin_name }}
|
||||
export OS_PASSWORD={{ server.admin_password }}
|
||||
export OS_TENANT_NAME={{ server.admin_tenant }}
|
||||
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0
|
||||
export OS_REGION_NAME={{ server.region }}
|
||||
export OS_SERVICE_TOKEN={{ server.service_token }}
|
||||
export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
|
@ -1,13 +0,0 @@
|
||||
{%- set cluster = pillar.keystone.cluster %}
|
||||
{%- set provider = salt['pillar.get']('keystone:control:provider:'+provider_name) %}
|
||||
{%- if provider.user is defined %}
|
||||
export OS_USERNAME={{ provider.user }}
|
||||
export OS_PASSWORD={{ provider.password }}
|
||||
export OS_TENANT_NAME={{ provider.tenant }}
|
||||
export OS_AUTH_URL=http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}
|
||||
{%- endif %}
|
||||
{%- if provider.token is defined %}
|
||||
export OS_SERVICE_TOKEN={{ provider.token }}
|
||||
export OS_SERVICE_ENDPOINT="http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}/"
|
||||
{%- endif %}
|
||||
export OS_AUTH_STRATEGY=keystone
|
@ -1,10 +0,0 @@
|
||||
{%- set server = pillar.keystone.server %}
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
export OS_PROJECT_NAME={{ server.admin_tenant }}
|
||||
export OS_TENANT_NAME={{ server.admin_tenant }}
|
||||
export OS_USERNAME={{ server.admin_name }}
|
||||
export OS_PASSWORD={{ server.admin_password }}
|
||||
export OS_REGION_NAME={{ server.region }}
|
@ -1,106 +0,0 @@
|
||||
# Keystone PasteDeploy configuration file.
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
||||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo_middleware:RequestId.factory
|
||||
|
||||
[filter:build_auth_context]
|
||||
paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
|
||||
|
||||
[filter:token_auth]
|
||||
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
||||
|
||||
[filter:admin_token_auth]
|
||||
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
||||
|
||||
[filter:json_body]
|
||||
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
||||
|
||||
[filter:user_crud_extension]
|
||||
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
|
||||
|
||||
[filter:crud_extension]
|
||||
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
||||
|
||||
[filter:ec2_extension]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
||||
|
||||
[filter:ec2_extension_v3]
|
||||
paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
|
||||
|
||||
[filter:federation_extension]
|
||||
paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
|
||||
|
||||
[filter:oauth1_extension]
|
||||
paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
|
||||
|
||||
[filter:s3_extension]
|
||||
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
|
||||
|
||||
[filter:endpoint_filter_extension]
|
||||
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
|
||||
|
||||
[filter:endpoint_policy_extension]
|
||||
paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
|
||||
|
||||
[filter:simple_cert_extension]
|
||||
paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
|
||||
|
||||
[filter:revoke_extension]
|
||||
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
|
||||
|
||||
[filter:url_normalize]
|
||||
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
|
||||
|
||||
[app:public_service]
|
||||
paste.app_factory = keystone.service:public_app_factory
|
||||
|
||||
[app:service_v3]
|
||||
paste.app_factory = keystone.service:v3_app_factory
|
||||
|
||||
[app:admin_service]
|
||||
paste.app_factory = keystone.service:admin_app_factory
|
||||
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
paste.app_factory = keystone.service:public_version_app_factory
|
||||
|
||||
[app:admin_version_service]
|
||||
paste.app_factory = keystone.service:admin_version_app_factory
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = sizelimit url_normalize public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = sizelimit url_normalize admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
@ -1 +0,0 @@
|
||||
keystone-paste.ini.Debian
|
@ -1 +0,0 @@
|
||||
keystone.conf.Debian
|
@ -1,184 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_required",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_groups": "",
|
||||
"identity:list_domains_for_groups": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required"
|
||||
}
|
@ -1,195 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "rule:admin_required and domain_id:default",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:cloud_admin",
|
||||
"identity:update_region": "rule:cloud_admin",
|
||||
"identity:delete_region": "rule:cloud_admin",
|
||||
|
||||
"identity:get_service": "rule:admin_or_cloud_admin",
|
||||
"identity:list_services": "rule:admin_or_cloud_admin",
|
||||
"identity:create_service": "rule:cloud_admin",
|
||||
"identity:update_service": "rule:cloud_admin",
|
||||
"identity:delete_service": "rule:cloud_admin",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_or_cloud_admin",
|
||||
"identity:list_endpoints": "rule:admin_or_cloud_admin",
|
||||
"identity:create_endpoint": "rule:cloud_admin",
|
||||
"identity:update_endpoint": "rule:cloud_admin",
|
||||
"identity:delete_endpoint": "rule:cloud_admin",
|
||||
|
||||
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:list_domains": "rule:cloud_admin",
|
||||
"identity:create_domain": "rule:cloud_admin",
|
||||
"identity:update_domain": "rule:cloud_admin",
|
||||
"identity:delete_domain": "rule:cloud_admin",
|
||||
|
||||
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
|
||||
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
|
||||
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
|
||||
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
|
||||
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
|
||||
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
|
||||
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
|
||||
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
|
||||
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id",
|
||||
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
|
||||
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_or_cloud_admin",
|
||||
"identity:list_roles": "rule:admin_or_cloud_admin",
|
||||
"identity:create_role": "rule:cloud_admin",
|
||||
"identity:update_role": "rule:cloud_admin",
|
||||
"identity:delete_role": "rule:cloud_admin",
|
||||
|
||||
"domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
|
||||
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
|
||||
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
|
||||
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
|
||||
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
|
||||
|
||||
"identity:get_policy": "rule:cloud_admin",
|
||||
"identity:list_policies": "rule:cloud_admin",
|
||||
"identity:create_policy": "rule:cloud_admin",
|
||||
"identity:update_policy": "rule:cloud_admin",
|
||||
"identity:delete_policy": "rule:cloud_admin",
|
||||
|
||||
"identity:change_password": "rule:owner",
|
||||
"identity:check_token": "rule:admin_or_owner",
|
||||
"identity:validate_token": "rule:service_admin_or_owner",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:cloud_admin",
|
||||
"identity:list_identity_providers": "rule:cloud_admin",
|
||||
"identity:get_identity_providers": "rule:cloud_admin",
|
||||
"identity:update_identity_provider": "rule:cloud_admin",
|
||||
"identity:delete_identity_provider": "rule:cloud_admin",
|
||||
|
||||
"identity:create_protocol": "rule:cloud_admin",
|
||||
"identity:update_protocol": "rule:cloud_admin",
|
||||
"identity:get_protocol": "rule:cloud_admin",
|
||||
"identity:list_protocols": "rule:cloud_admin",
|
||||
"identity:delete_protocol": "rule:cloud_admin",
|
||||
|
||||
"identity:create_mapping": "rule:cloud_admin",
|
||||
"identity:get_mapping": "rule:cloud_admin",
|
||||
"identity:list_mappings": "rule:cloud_admin",
|
||||
"identity:delete_mapping": "rule:cloud_admin",
|
||||
"identity:update_mapping": "rule:cloud_admin",
|
||||
|
||||
"identity:create_service_provider": "rule:cloud_admin",
|
||||
"identity:list_service_providers": "rule:cloud_admin",
|
||||
"identity:get_service_provider": "rule:cloud_admin",
|
||||
"identity:update_service_provider": "rule:cloud_admin",
|
||||
"identity:delete_service_provider": "rule:cloud_admin",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_groups": "",
|
||||
"identity:list_domains_for_groups": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
|
||||
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
|
||||
"identity:create_policy_association_for_service": "rule:cloud_admin",
|
||||
"identity:check_policy_association_for_service": "rule:cloud_admin",
|
||||
"identity:delete_policy_association_for_service": "rule:cloud_admin",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
|
||||
"identity:get_policy_for_endpoint": "rule:cloud_admin",
|
||||
"identity:list_endpoints_for_policy": "rule:cloud_admin",
|
||||
|
||||
"identity:create_domain_config": "rule:cloud_admin",
|
||||
"identity:get_domain_config": "rule:cloud_admin",
|
||||
"identity:update_domain_config": "rule:cloud_admin",
|
||||
"identity:delete_domain_config": "rule:cloud_admin"
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context %}
|
||||
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog /var/log/apache2/keystone.log
|
||||
CustomLog /var/log/apache2/keystone_access.log combined
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
</VirtualHost>
|
@ -1,103 +0,0 @@
|
||||
# Keystone PasteDeploy configuration file.
|
||||
|
||||
[filter:debug]
|
||||
use = egg:keystone#debug
|
||||
|
||||
[filter:request_id]
|
||||
use = egg:keystone#request_id
|
||||
|
||||
[filter:build_auth_context]
|
||||
use = egg:keystone#build_auth_context
|
||||
|
||||
[filter:token_auth]
|
||||
use = egg:keystone#token_auth
|
||||
|
||||
[filter:admin_token_auth]
|
||||
use = egg:keystone#admin_token_auth
|
||||
|
||||
[filter:json_body]
|
||||
use = egg:keystone#json_body
|
||||
|
||||
[filter:user_crud_extension]
|
||||
use = egg:keystone#user_crud_extension
|
||||
|
||||
[filter:crud_extension]
|
||||
use = egg:keystone#crud_extension
|
||||
|
||||
[filter:ec2_extension]
|
||||
use = egg:keystone#ec2_extension
|
||||
|
||||
[filter:ec2_extension_v3]
|
||||
use = egg:keystone#ec2_extension_v3
|
||||
|
||||
[filter:federation_extension]
|
||||
use = egg:keystone#federation_extension
|
||||
|
||||
[filter:oauth1_extension]
|
||||
use = egg:keystone#oauth1_extension
|
||||
|
||||
[filter:s3_extension]
|
||||
use = egg:keystone#s3_extension
|
||||
|
||||
[filter:endpoint_filter_extension]
|
||||
use = egg:keystone#endpoint_filter_extension
|
||||
|
||||
[filter:simple_cert_extension]
|
||||
use = egg:keystone#simple_cert_extension
|
||||
|
||||
[filter:revoke_extension]
|
||||
use = egg:keystone#revoke_extension
|
||||
|
||||
[filter:url_normalize]
|
||||
use = egg:keystone#url_normalize
|
||||
|
||||
[filter:sizelimit]
|
||||
use = egg:keystone#sizelimit
|
||||
|
||||
[app:public_service]
|
||||
use = egg:keystone#public_service
|
||||
|
||||
[app:service_v3]
|
||||
use = egg:keystone#service_v3
|
||||
|
||||
[app:admin_service]
|
||||
use = egg:keystone#admin_service
|
||||
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
|
||||
[app:admin_version_service]
|
||||
use = egg:keystone#admin_version_service
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = sizelimit url_normalize public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = sizelimit url_normalize admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
@ -1 +0,0 @@
|
||||
keystone-paste.ini.Debian
|
@ -1 +0,0 @@
|
||||
keystone.conf.Debian
|
@ -1,184 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_required",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_groups": "",
|
||||
"identity:list_domains_for_groups": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required"
|
||||
}
|
@ -1,92 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context %}
|
||||
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
|
||||
<Directory /usr/bin>
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
{% if server.websso is defined %}
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
{%- endif %}
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
|
||||
<Directory /usr/bin>
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
{% if server.websso is defined %}
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
{%- endif %}
|
||||
|
||||
</VirtualHost>
|
@ -1,88 +0,0 @@
|
||||
# Keystone PasteDeploy configuration file.
|
||||
|
||||
[filter:debug]
|
||||
use = egg:oslo.middleware#debug
|
||||
|
||||
[filter:request_id]
|
||||
use = egg:oslo.middleware#request_id
|
||||
|
||||
[filter:build_auth_context]
|
||||
use = egg:keystone#build_auth_context
|
||||
|
||||
[filter:token_auth]
|
||||
use = egg:keystone#token_auth
|
||||
|
||||
[filter:admin_token_auth]
|
||||
# This is deprecated in the M release and will be removed in the O release.
|
||||
# Use `keystone-manage bootstrap` and remove this from the pipelines below.
|
||||
use = egg:keystone#admin_token_auth
|
||||
|
||||
[filter:json_body]
|
||||
use = egg:keystone#json_body
|
||||
|
||||
[filter:cors]
|
||||
use = egg:oslo.middleware#cors
|
||||
oslo_config_project = keystone
|
||||
|
||||
[filter:ec2_extension]
|
||||
use = egg:keystone#ec2_extension
|
||||
|
||||
[filter:ec2_extension_v3]
|
||||
use = egg:keystone#ec2_extension_v3
|
||||
|
||||
[filter:s3_extension]
|
||||
use = egg:keystone#s3_extension
|
||||
|
||||
[filter:url_normalize]
|
||||
use = egg:keystone#url_normalize
|
||||
|
||||
[filter:sizelimit]
|
||||
use = egg:oslo.middleware#sizelimit
|
||||
|
||||
[app:public_service]
|
||||
use = egg:keystone#public_service
|
||||
|
||||
[app:service_v3]
|
||||
use = egg:keystone#service_v3
|
||||
|
||||
[app:admin_service]
|
||||
use = egg:keystone#admin_service
|
||||
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
|
||||
[app:admin_version_service]
|
||||
use = egg:keystone#admin_version_service
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = cors sizelimit url_normalize public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = cors sizelimit url_normalize admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = public_api
|
||||
/v3 = api_v3
|
||||
/ = public_version_api
|
||||
|
||||
[composite:admin]
|
||||
use = egg:Paste#urlmap
|
||||
/v2.0 = admin_api
|
||||
/v3 = api_v3
|
||||
/ = admin_version_api
|
@ -1 +0,0 @@
|
||||
keystone-paste.ini.Debian
|
@ -1 +0,0 @@
|
||||
keystone.conf.Debian
|
@ -1,198 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_required",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
"identity:get_domain_role": "rule:admin_required",
|
||||
"identity:list_domain_roles": "rule:admin_required",
|
||||
"identity:create_domain_role": "rule:admin_required",
|
||||
"identity:update_domain_role": "rule:admin_required",
|
||||
"identity:delete_domain_role": "rule:admin_required",
|
||||
|
||||
"identity:get_implied_role": "rule:admin_required ",
|
||||
"identity:list_implied_roles": "rule:admin_required",
|
||||
"identity:create_implied_role": "rule:admin_required",
|
||||
"identity:delete_implied_role": "rule:admin_required",
|
||||
"identity:list_role_inference_rules": "rule:admin_required",
|
||||
"identity:check_implied_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
"identity:list_role_assignments_for_tree": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
"identity:update_endpoint_group": "rule:admin_required",
|
||||
"identity:delete_endpoint_group": "rule:admin_required",
|
||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_groups": "",
|
||||
"identity:list_domains_for_groups": "",
|
||||
|
||||
"identity:list_revoke_events": "",
|
||||
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:create_policy_association_for_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_service": "rule:admin_required",
|
||||
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config_default": "rule:admin_required"
|
||||
}
|
@ -1,130 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context %}
|
||||
{%- set site = salt['pillar.get']('apache:server:site:'+site_name) %}
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000
|
||||
Listen {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:5000>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
LimitRequestBody 114688
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
|
||||
<Directory /usr/bin>
|
||||
<IfVersion >= 2.4>
|
||||
Require all granted
|
||||
</IfVersion>
|
||||
<IfVersion < 2.4>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfVersion>
|
||||
</Directory>
|
||||
|
||||
{% if server.websso is defined %}
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
{%- endif %}
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost {% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}:35357>
|
||||
{%- include "apache/files/_name.conf" %}
|
||||
{%- include "apache/files/_ssl.conf" %}
|
||||
{%- include "apache/files/_locations.conf" %}
|
||||
|
||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
LimitRequestBody 114688
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
{%- include "apache/files/_log.conf" %}
|
||||
|
||||
<Directory /usr/bin>
|
||||
<IfVersion >= 2.4>
|
||||
Require all granted
|
||||
</IfVersion>
|
||||
<IfVersion < 2.4>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfVersion>
|
||||
</Directory>
|
||||
|
||||
{% if server.websso is defined %}
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-admin/$1
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
{%- endif %}
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
Alias /identity /usr/bin/keystone-wsgi-public
|
||||
<Location /identity>
|
||||
SetHandler wsgi-script
|
||||
Options +ExecCGI
|
||||
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
</Location>
|
||||
|
||||
Alias /identity_admin /usr/bin/keystone-wsgi-admin
|
||||
<Location /identity_admin>
|
||||
SetHandler wsgi-script
|
||||
Options +ExecCGI
|
||||
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
</Location>
|
@ -1,15 +0,0 @@
|
||||
{%- if pillar.keystone.get('server', {'enabled': False}).enabled -%}
|
||||
{%- from "keystone/map.jinja" import server with context -%}
|
||||
keystone.token: '{{ server.service_token }}'
|
||||
keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
|
||||
{%- else -%}
|
||||
{%- from "keystone/map.jinja" import client with context -%}
|
||||
keystone.user: '{{ client.server.user }}'
|
||||
keystone.password: '{{ client.server.password }}'
|
||||
keystone.tenant: '{{ client.server.tenant }}'
|
||||
keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
|
||||
{%- endif %}
|
||||
|
||||
{#-
|
||||
vim: syntax=jinja
|
||||
-#}
|
@ -1,22 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>Keystone WebSSO redirect</title>
|
||||
</head>
|
||||
<body>
|
||||
<form id="sso" name="sso" action="$host" method="post">
|
||||
Please wait...
|
||||
<br/>
|
||||
<input type="hidden" name="token" id="token" value="$token"/>
|
||||
<noscript>
|
||||
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
|
||||
value="If your JavaScript is disabled, please click to continue"/>
|
||||
</noscript>
|
||||
</form>
|
||||
<script type="text/javascript">
|
||||
window.onload = function() {
|
||||
document.forms['sso'].submit();
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
@ -1,11 +0,0 @@
|
||||
|
||||
include:
|
||||
{% if pillar.keystone.server is defined %}
|
||||
- keystone.server
|
||||
{% endif %}
|
||||
{% if pillar.keystone.client is defined %}
|
||||
- keystone.client
|
||||
{% endif %}
|
||||
{% if pillar.keystone.control is defined %}
|
||||
- keystone.control
|
||||
{% endif %}
|
@ -1,48 +0,0 @@
|
||||
|
||||
{% set server = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'pkgs': ['keystone', 'python-keystone', 'python-keystoneclient', 'python-psycopg2', 'python-mysqldb', 'mysql-client', 'python-six', 'python-memcache', 'python-openstackclient', 'gettext-base', 'python-pycadf'],
|
||||
'service_name': 'keystone',
|
||||
'version': 'icehouse',
|
||||
'api_version': '2',
|
||||
'tokens': {
|
||||
'engine': 'database',
|
||||
'expiration': '86400'
|
||||
},
|
||||
'notification': False,
|
||||
'roles': ['admin', 'Member']
|
||||
},
|
||||
'RedHat': {
|
||||
'pkgs': ['openstack-keystone', 'openstack-utils', 'python-keystone', 'python-keystoneclient', 'python-pycadf'],
|
||||
'service_name': 'openstack-keystone',
|
||||
'api_version': '2',
|
||||
'version': 'icehouse',
|
||||
'tokens': {
|
||||
'engine': 'database',
|
||||
'expiration': '86400'
|
||||
},
|
||||
'notification': False,
|
||||
'roles': ['admin', 'Member']
|
||||
},
|
||||
}, merge=pillar.keystone.get('server', {})) %}
|
||||
|
||||
{% set client = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'pkgs': ['python-keystoneclient', 'python-openstackclient'],
|
||||
'service': 'keystone',
|
||||
'roles': ['admin', 'Member'],
|
||||
},
|
||||
'RedHat': {
|
||||
'pkgs': ['python-keystoneclient'],
|
||||
'roles': ['admin', 'Member'],
|
||||
},
|
||||
}, merge=pillar.keystone.get('client', {})) %}
|
||||
|
||||
{% set control = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'pkgs': [],
|
||||
},
|
||||
'RedHat': {
|
||||
'pkgs': [],
|
||||
},
|
||||
}, merge=pillar.keystone.get('control', {})) %}
|
@ -1,28 +0,0 @@
|
||||
{%- from "keystone/map.jinja" import server with context %}
|
||||
{%- if server.get('enabled', False) %}
|
||||
local_plugin:
|
||||
collectd_check_local_endpoint:
|
||||
endpoint:
|
||||
keystone-public-api:
|
||||
expected_code: 300
|
||||
url: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
|
||||
keystone-admin-api:
|
||||
expected_code: 300
|
||||
url: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
|
||||
|
||||
remote_plugin:
|
||||
openstack_keystone:
|
||||
plugin: python
|
||||
template: keystone/files/collectd_openstack_keystone.conf
|
||||
url: "http://{{ server.bind.public_address }}:{{ server.bind.public_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
|
||||
username: {{ server.admin_name }}
|
||||
password: {{ server.admin_password }}
|
||||
tenant: {{ server.admin_tenant }}
|
||||
check_openstack_api:
|
||||
plugin: python
|
||||
template: keystone/files/collectd_check_openstack_api.conf
|
||||
url: "http://{{ server.bind.public_address }}:{{ server.bind.public_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
|
||||
username: {{ server.admin_name }}
|
||||
password: {{ server.admin_password }}
|
||||
tenant: {{ server.admin_tenant }}
|
||||
{%- endif %}
|
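--- a/PATH_NOT_SHOWN_ON_PAGE_02
+++ /dev/null
@@ -1,13 +0,0 @@
-config:
-{%- if pillar.keystone.server is defined %}
-{%- from "keystone/map.jinja" import server with context %}
-keystone.conf:
-source: "salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family|default('Debian') }}"
-template: jinja
-keystone-paste.ini:
-source: "salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family|default('Debian') }}"
-template: jinja
-policy.json:
-source: "salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json"
-template: jinja
-{%- endif %}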
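--- a/PATH_NOT_SHOWN_ON_PAGE_03
+++ /dev/null
@@ -1,4 +0,0 @@
-dashboard:
-keystone:
-format: json
-template: keystone/files/grafana_dashboards/keystone_influxdb.json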
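--- a/PATH_NOT_SHOWN_ON_PAGE_04
+++ /dev/null
@@ -1,163 +0,0 @@
-{%- if pillar.keystone.server is defined %}
-log_collector:
-decoder:
-keystone:
-engine: sandbox
-module_file: /usr/share/lma_collector/decoders/openstack_log.lua
-module_dir: /usr/share/lma_collector/common;/usr/share/heka/lua_modules
-adjust_timezone: true
-splitter:
-keystone:
-engine: token
-delimiter: '\n'
-input:
-keystone_log:
-engine: logstreamer
-log_directory: "/var/log"
-file_match: 'keystone/(?P<Service>.+)\.log\.?(?P<Seq>\d*)$'
-differentiator: ['keystone', '_', 'Service']
-priority: ["^Seq"]
-decoder: "keystone_decoder"
-splitter: "keystone_splitter"
-metric_collector:
-trigger:
-keystone_response_time_duration:
-description: 'Keystone API is too slow'
-severity: warning
-no_data_policy: okay
-rules:
-- metric: openstack_keystone_http_response_times
-field:
-http_method: '== GET || == POST'
-http_status: '== 2xx'
-relational_operator: '>'
-threshold: 0.3
-window: 60
-periods: 0
-value: upper_90
-function: max
-keystone_logs_error:
-description: 'Too many errors have been detected in Keystone logs'
-severity: warning
-no_data_policy: okay
-rules:
-- metric: log_messages
-field:
-service: keystone
-level: error
-relational_operator: '>'
-threshold: 0.1
-window: 70
-periods: 0
-function: max
-keystone_public_api_local_endpoint:
-description: 'Keystone public API is locally down'
-severity: down
-rules:
-- metric: openstack_check_local_api
-field:
-service: keystone-public-api
-relational_operator: '=='
-threshold: 0
-window: 60
-periods: 0
-function: last
-alarm:
-keystone_response_time:
-alerting: enabled
-triggers:
-- keystone_response_time_duration
-dimension:
-service: keystone-response-time
-keystone_logs:
-alerting: enabled
-triggers:
-- keystone_logs_error
-dimension:
-service: keystone-logs
-keystone_public_api_endpoint:
-alerting: enabled
-triggers:
-- keystone_public_api_local_endpoint
-dimension:
-service: keystone-public-api-endpoint
-remote_collector:
-trigger:
-keystone_public_api_check_failed:
-description: 'Endpoint check for keystone-public-api is failed'
-severity: down
-rules:
-- metric: openstack_check_api
-field:
-service: keystone-public-api
-relational_operator: '=='
-threshold: 0
-window: 60
-periods: 0
-function: last
-alarm:
-keystone_public_api_check:
-alerting: enabled
-triggers:
-- keystone_public_api_check_failed
-dimension:
-service: keystone-public-api-check
-aggregator:
-alarm_cluster:
-keystone_response_time:
-policy: status_of_members
-alerting: enabled
-group_by: hostname
-match:
-service: keystone-response-time
-members:
-- keystone_response_time
-dimension:
-service: keystone
-nagios_host: 01-service-clusters
-keystone_logs:
-policy: status_of_members
-alerting: enabled
-group_by: hostname
-match:
-service: keystone-logs
-members:
-- keystone_logs
-dimension:
-service: keystone
-nagios_host: 01-service-clusters
-keystone_public_api_endpoint:
-policy: availability_of_members
-alerting: enabled
-group_by: hostname
-match:
-service: keystone-public-api-endpoint
-members:
-- keystone_public_api_endpoint
-dimension:
-service: keystone
-nagios_host: 01-service-clusters
-keystone_public_api_check:
-policy: highest_severity
-alerting: enabled
-match:
-service: keystone-public-api-check
-members:
-- keystone_public_api_check
-dimension:
-service: keystone
-nagios_host: 01-service-clusters
-keystone:
-policy: highest_severity
-alerting: enabled_with_notification
-match:
-service: keystone
-members:
-- keystone_response_time
-- keystone_logs
-- keystone_public_api_endpoint
-- keystone_public_api_check
-dimension:
-cluster_name: keystone
-nagios_host: 00-top-clusters
-{%- endif %}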
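--- a/PATH_NOT_SHOWN_ON_PAGE_05
+++ /dev/null
@@ -1,9 +0,0 @@
-orchestrate:
-server:
-priority: 500
-batch: 1
-client:
-priority: 510
-control:
-priority: 520
-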
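--- a/PATH_NOT_SHOWN_ON_PAGE_06
+++ /dev/null
@@ -1,13 +0,0 @@
-check:
-local_keystone_server_proc:
-command: "PATH=$PATH:/usr/lib64/nagios/plugins:/usr/lib/nagios/plugins check_procs -C keystone-all -u keystone -c 1:1024"
-interval: 60
-occurrences: 1
-subscribers:
-- local-keystone-server
-remote_keystone_server_api:
-command: "PATH=$PATH:/usr/local/bin oschecks-check_keystone_api --os-auth-url='http://:::openstack.host:::::::openstack.port:::/v2.0' --os-username :::openstack.user::: --os-password :::openstack.password::: --tenant :::openstack.tenant:::"
-interval: 300
-occurrences: 1
-subscribers:
-- remote-network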
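--- a/PATH_NOT_SHOWN_ON_PAGE_07
+++ /dev/null
@@ -1,58 +0,0 @@
-doc:
-name: Keystone
-description: Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.
-role:
-{%- if pillar.keystone.client is defined %}
-client:
-name: client
-param: {}
-{%- endif %}
-{%- if pillar.keystone.server is defined %}
-{%- from "keystone/map.jinja" import server with context %}
-server:
-name: server
-endpoint:
-keystone_api_admin:
-name: keystone-api-admin
-type: keystone-api-admin
-address: http://{{ server.bind.address }}:{{ server.bind.private_port }}
-protocol: http
-keystone_api_public:
-name: keystone-api-public
-type: keystone-api-public
-address: http://{{ server.bind.address }}:{{ server.bind.public_port }}
-protocol: http
-param:
-bind:
-value: {{ server.bind.address }}:{{ server.bind.private_port }}
-value: {{ server.bind.address }}:{{ server.bind.public_port }}
-token_engine:
-value: {{ server.tokens.engine }}
-region:
-name: "Region"
-value: {{ server.region }}
-service_tenant:
-value: {{ server.service_tenant }}
-version:
-name: "Version"
-value: {{ server.version }}
-database_host:
-name: "Database"
-value: {{ server.database.user }}@{{ server.database.host }}:3306/{{ server.database.name }}
-services:
-value: |
-{%- for service_name, service in server.get('service', {}).iteritems() %}
-* {{ service_name }}: {{ service.type }}, publicurl '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
-{%- endfor %}
-packages:
-value: |
-{%- for pkg in server.pkgs %}
-{%- set pkg_version = "dpkg -l "+pkg+" | grep "+pkg+" | awk '{print $3}'" %}
-* {{ pkg }}: {{ salt['cmd.run'](pkg_version) }}
-{%- endfor %}
-{%- endif %}
-{%- if pillar.keystone.control is defined %}
-control:
-name: control
-param: {}
-{%- endif %}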
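--- a/PATH_NOT_SHOWN_ON_PAGE_08
+++ /dev/null
@@ -1,355 +0,0 @@
-{%- from "keystone/map.jinja" import server with context %}
-{%- if server.enabled %}
-
-keystone_packages:
-pkg.installed:
-- names: {{ server.pkgs }}
-
-{%- if server.service_name in ['apache2', 'httpd'] %}
-include:
-- apache
-
-{%- if grains.os_family == "Debian" %}
-keystone:
-{%- endif %}
-{%- if grains.os_family == "RedHat" %}
-openstack-keystone:
-{%- endif %}
-service.dead:
-- enable: False
-- watch:
-- pkg: keystone_packages
-
-{%- endif %}
-
-keystone_salt_config:
-file.managed:
-- name: /etc/salt/minion.d/keystone.conf
-- template: jinja
-- source: salt://keystone/files/salt-minion.conf
-- mode: 600
-
-{%- if not salt['user.info']('keystone') %}
-
-keystone_user:
-user.present:
-- name: keystone
-- home: /var/lib/keystone
-- uid: 301
-- gid: 301
-- shell: /bin/false
-- system: True
-- require_in:
-- pkg: keystone_packages
-
-keystone_group:
-group.present:
-- name: keystone
-- gid: 301
-- system: True
-- require_in:
-- pkg: keystone_packages
-- user: keystone_user
-
-{%- endif %}
-
-/etc/keystone/keystone.conf:
-file.managed:
-- source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
-- template: jinja
-- require:
-- pkg: keystone_packages
-- watch_in:
-- service: keystone_service
-
-{% if server.websso is defined %}
-
-/etc/keystone/sso_callback_template.html:
-file.managed:
-- source: salt://keystone/files/sso_callback_template.html
-- require:
-- pkg: keystone_packages
-- watch_in:
-- service: keystone_service
-
-{%- endif %}
-
-/etc/keystone/keystone-paste.ini:
-file.managed:
-- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
-- template: jinja
-- require:
-- pkg: keystone_packages
-{%- if not grains.get('noservices', False) %}
-- watch_in:
-- service: keystone_service
-{%- endif %}
-
-/etc/keystone/policy.json:
-file.managed:
-- source: salt://keystone/files/{{ server.version }}/policy-v{{ server.api_version }}.json
-- require:
-- pkg: keystone_packages
-{%- if not grains.get('noservices', False) %}
-- watch_in:
-- service: keystone_service
-{%- endif %}
-
-{%- if server.get("domain", {}) %}
-
-/etc/keystone/domains:
-file.directory:
-- mode: 0755
-- require:
-- pkg: keystone_packages
-
-{%- for domain_name, domain in server.domain.iteritems() %}
-
-/etc/keystone/domains/keystone.{{ domain_name }}.conf:
-file.managed:
-- source: salt://keystone/files/keystone.domain.conf
-- template: jinja
-- require:
-- file: /etc/keystone/domains
-{%- if not grains.get('noservices', False) %}
-- watch_in:
-- service: keystone_service
-{%- endif %}
-- defaults:
-domain_name: {{ domain_name }}
-
-{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
-
-keystone_domain_{{ domain_name }}_cacert:
-file.managed:
-- name: /etc/keystone/domains/{{ domain_name }}.pem
-- contents_pillar: keystone:server:domain:{{ domain_name }}:ldap:tls:cacert
-- require:
-- file: /etc/keystone/domains
-{%- if not grains.get('noservices', False) %}
-- watch_in:
-- service: keystone_service
-{%- endif %}
-
-{%- endif %}
-
-{%- if not grains.get('noservices', False) %}
-keystone_domain_{{ domain_name }}:
-cmd.run:
-- name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
-- unless: source /root/keystonercv3 && openstack domain list | grep " {{ domain_name }}"
-- require:
-- file: /root/keystonercv3
-- service: keystone_service
-{%- endif %}
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
-
-keystone_ldap_default_cacert:
-file.managed:
-- name: {{ server.ldap.tls.cacertfile }}
-- contents_pillar: keystone:server:ldap:tls:cacert
-- require:
-- pkg: keystone_packages
-{%- if not grains.get('noservices', False) %}
-- watch_in:
-- service: keystone_service
-{%- endif %}
-
-{%- endif %}
-
-{%- if not grains.get('noservices', False) %}
-keystone_service:
-service.running:
-- name: {{ server.service_name }}
-- enable: True
-- watch:
-- file: /etc/keystone/keystone.conf
-{%- endif %}
-
-{%- if grains.get('virtual_subtype', None) == "Docker" %}
-keystone_entrypoint:
-file.managed:
-- name: /entrypoint.sh
-- template: jinja
-- source: salt://keystone/files/entrypoint.sh
-- mode: 755
-{%- endif %}
-
-/root/keystonerc:
-file.managed:
-- source: salt://keystone/files/keystonerc
-- template: jinja
-- require:
-- pkg: keystone_packages
-
-/root/keystonercv3:
-file.managed:
-- source: salt://keystone/files/keystonercv3
-- template: jinja
-- require:
-- pkg: keystone_packages
-
-{%- if not grains.get('noservices', False) %}
-keystone_syncdb:
-cmd.run:
-- name: keystone-manage db_sync; sleep 1
-- require:
-- service: keystone_service
-{%- endif %}
-
-{% if server.tokens.engine == 'fernet' %}
-
-keystone_fernet_keys:
-file.directory:
-- name: {{ server.tokens.location }}
-- mode: 750
-- user: keystone
-- group: keystone
-- require:
-- pkg: keystone_packages
-- require_in:
-- service: keystone_fernet_setup
-
-{%- if not grains.get('noservices', False) %}
-keystone_fernet_setup:
-cmd.run:
-- name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
-- require:
-- service: keystone_service
-- file: keystone_fernet_keys
-{%- endif %}
-
-{% endif %}
-
-{%- if not grains.get('noservices', False) %}
-
-{%- if not salt['pillar.get']('linux:system:repo:mirantis_openstack', False) %}
-
-keystone_service_tenant:
-keystone.tenant_present:
-- name: {{ server.service_tenant }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- cmd: keystone_syncdb
-- file: keystone_salt_config
-
-keystone_admin_tenant:
-keystone.tenant_present:
-- name: {{ server.admin_tenant }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_service_tenant
-
-keystone_roles:
-keystone.role_present:
-- names: {{ server.roles }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_service_tenant
-
-keystone_admin_user:
-keystone.user_present:
-- name: {{ server.admin_name }}
-- password: {{ server.admin_password }}
-- email: {{ server.admin_email }}
-- tenant: {{ server.admin_tenant }}
-- roles:
-{{ server.admin_tenant }}:
-- admin
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_admin_tenant
-- keystone: keystone_roles
-
-{%- endif %}
-
-{%- for service_name, service in server.get('service', {}).iteritems() %}
-
-keystone_{{ service_name }}_service:
-keystone.service_present:
-- name: {{ service_name }}
-- service_type: {{ service.type }}
-- description: {{ service.description }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_roles
-
-keystone_{{ service_name }}_endpoint:
-keystone.endpoint_present:
-- name: {{ service.get('service', service_name) }}
-- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
-- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
-- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
-- region: {{ service.get('region', 'RegionOne') }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_{{ service_name }}_service
-- file: keystone_salt_config
-
-{% if service.user is defined %}
-
-keystone_user_{{ service.user.name }}:
-keystone.user_present:
-- name: {{ service.user.name }}
-- password: {{ service.user.password }}
-- email: {{ server.admin_email }}
-- tenant: {{ server.service_tenant }}
-- roles:
-{{ server.service_tenant }}:
-- admin
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_roles
-
-{% endif %}
-
-{%- endfor %}
-
-{%- for tenant_name, tenant in server.get('tenant', {}).iteritems() %}
-
-keystone_tenant_{{ tenant_name }}:
-keystone.tenant_present:
-- name: {{ tenant_name }}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_roles
-
-{%- for user_name, user in tenant.get('user', {}).iteritems() %}
-
-keystone_user_{{ user_name }}:
-keystone.user_present:
-- name: {{ user_name }}
-- password: {{ user.password }}
-- email: {{ user.get('email', 'root@localhost') }}
-- tenant: {{ tenant_name }}
-- roles:
-{{ tenant_name }}:
-{%- if user.get('roles', False) %}
-{{ user.roles }}
-{%- else %}
-- Member
-{%- endif %}
-- connection_token: {{ server.service_token }}
-- connection_endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
-- require:
-- keystone: keystone_tenant_{{ tenant_name }}
-
-{%- endfor %}
-
-{%- endfor %}
-{%- endif %} {# end noservices #}
-
-{%- endif %}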
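--- a/PATH_NOT_SHOWN_ON_PAGE_09
+++ /dev/null
@@ -1,3 +0,0 @@
-name: "keystone"
-version: "2016.4.1"
-source: "https://github.com/openstack/salt-formula-keystone"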
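--- a/PATH_NOT_SHOWN_ON_PAGE_10
+++ /dev/null
@@ -1,2 +0,0 @@
-classes:
-- service.keystone.support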
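--- a/PATH_NOT_SHOWN_ON_PAGE_11
+++ /dev/null
@@ -1,49 +0,0 @@
-applications:
-- keystone
-classes:
-- service.keystone.support
-parameters:
-keystone:
-server:
-enabled: true
-version: ${_param:keystone_version}
-service_token: ${_param:keystone_service_token}
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: ${_param:keystone_admin_password}
-admin_email: root@domain.com
-bind:
-address: ${_param:cluster_local_address}
-private_address: ${_param:cluster_vip_address}
-private_port: 35357
-public_address: ${_param:cluster_vip_address}
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: ${_param:cluster_vip_address}
-name: keystone
-password: ${_param:mysql_keystone_password}
-user: keystone
-tokens:
-engine: cache
-expiration: 43200
-location: /etc/keystone/fernet-keys/
-message_queue:
-engine: rabbitmq
-host: ${_param:cluster_vip_address}
-port: 5672
-user: openstack
-password: ${_param:rabbitmq_openstack_password}
-virtual_host: '/openstack'
-ha_queues: true
-cache:
-engine: memcached
-members:
-- host: ${_param:cluster_node01_address}
-port: 11211
-- host: ${_param:cluster_node02_address}
-port: 11211
-- host: ${_param:cluster_node03_address}
-port: 11211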
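--- a/PATH_NOT_SHOWN_ON_PAGE_12
+++ /dev/null
@@ -1,44 +0,0 @@
-parameters:
-kubernetes:
-control:
-configmap:
-keystone-server:
-grains:
-os_family: Debian
-pillar:
-keystone:
-server:
-enabled: true
-version: ${_param:keystone_version}
-service_token: ${_param:keystone_service_token}
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: ${_param:keystone_admin_password}
-admin_email: root@localhost
-bind:
-address: 0.0.0.0
-private_address: ${_param:keystone_service_host}
-private_port: 35357
-public_address: ${_param:keystone_service_host}
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: ${_param:mysql_service_host}
-port: 3306
-name: 'keystone'
-password: '${_param:mysql_keystone_password}'
-user: 'keystone'
-tokens:
-engine: fernet
-expiration: 43200
-location: /var/lib/keystone/fernet-keys/
-message_queue:
-engine: rabbitmq
-host: ${_param:rabbitmq_service_host}
-port: 5672
-user: openstack
-password: ${_param:rabbitmq_openstack_password}
-virtual_host: '/openstack'
-ha_queues: true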
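--- a/PATH_NOT_SHOWN_ON_PAGE_13
+++ /dev/null
@@ -1,45 +0,0 @@
-applications:
-- keystone
-classes:
-- service.keystone.support
-parameters:
-keystone:
-server:
-enabled: true
-version: ${_param:keystone_version}
-service_token: ${_param:keystone_service_token}
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: ${_param:keystone_admin_password}
-admin_email: root@localhost
-bind:
-address: 0.0.0.0
-private_address: ${_param:keystone_service_host}
-private_port: 35357
-public_address: ${_param:keystone_service_host}
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: 'localhost'
-name: 'keystone'
-password: '${_param:mysql_keystone_password}'
-user: 'keystone'
-tokens:
-engine: cache
-expiration: 43200
-location: /etc/keystone/fernet-keys/
-message_queue:
-engine: rabbitmq
-host: ${_param:single_address}
-port: 5672
-user: openstack
-password: ${_param:rabbitmq_openstack_password}
-virtual_host: '/openstack'
-ha_queues: true
-cache:
-engine: memcached
-members:
-- host: localhost
-port: 11211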
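--- a/PATH_NOT_SHOWN_ON_PAGE_14
+++ /dev/null
@@ -1,15 +0,0 @@
-parameters:
-keystone:
-_support:
-collectd:
-enabled: true
-heka:
-enabled: true
-sensu:
-enabled: true
-sphinx:
-enabled: true
-config:
-enabled: true
-grafana:
-enabled: true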
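--- a/PATH_NOT_SHOWN_ON_PAGE_15
+++ /dev/null
@@ -1,46 +0,0 @@
-keystone:
-server:
-enabled: true
-version: liberty
-service_token: token
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: password
-admin_email: root@domain.com
-bind:
-address: 127.0.0.1
-private_address: 127.0.0.1
-private_port: 35357
-public_address: 127.0.0.1
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: 127.0.0.1
-name: keystone
-password: password
-user: keystone
-tokens:
-engine: cache
-expiration: 86400
-location: /etc/keystone/fernet-keys/
-notification: true
-notification_format: cadf
-message_queue:
-engine: rabbitmq
-host: 127.0.0.1
-port: 5672
-user: openstack
-password: password
-virtual_host: '/openstack'
-ha_queues: true
-cache:
-engine: memcached
-members:
-- host: 127.0.0.1
-port: 11211
-- host: 127.0.0.1
-port: 11211
-- host: 127.0.0.1
-port: 11211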
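--- a/PATH_NOT_SHOWN_ON_PAGE_16
+++ /dev/null
@@ -1,41 +0,0 @@
-keystone:
-server:
-enabled: true
-version: liberty
-service_token: token
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: password
-admin_email: root@localhost
-bind:
-address: 0.0.0.0
-private_address: 127.0.0.1
-private_port: 35357
-public_address: 127.0.0.1
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: 'localhost'
-name: 'keystone'
-password: 'password'
-user: 'keystone'
-notification: true
-message_queue:
-engine: rabbitmq
-host: 127.0.0.1
-port: 5672
-user: openstack
-password: password
-virtual_host: '/openstack'
-ha_queues: true
-tokens:
-engine: cache
-expiration: 86400
-location: /etc/keystone/fernet-keys/
-cache:
-engine: memcached
-members:
-- host: localhost
-port: 11211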
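--- a/PATH_NOT_SHOWN_ON_PAGE_17
+++ /dev/null
@@ -1,33 +0,0 @@
-keystone:
-server:
-enabled: true
-version: liberty
-service_token: token
-service_tenant: service
-admin_tenant: admin
-admin_name: admin
-admin_password: password
-admin_email: root@localhost
-bind:
-address: 0.0.0.0
-private_address: 127.0.0.1
-private_port: 35357
-public_address: 127.0.0.1
-public_port: 5000
-region: RegionOne
-database:
-engine: mysql
-host: 'localhost'
-name: 'keystone'
-password: 'password'
-user: 'keystone'
-tokens:
-engine: fernet
-expiration: 86400
-location: /etc/keystone/fernet-keys/
-max_active_keys: 4
-cache:
-engine: memcached
-members:
-- host: localhost
-port: 11211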
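--- a/PATH_NOT_SHOWN_ON_PAGE_18
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-[ -n "$DEBUG" ] && set -x
-
-CURDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-METADATA=${CURDIR}/../metadata.yml
-FORMULA_NAME=$(cat $METADATA | python -c "import sys,yaml; print yaml.load(sys.stdin)['name']")
-
-## Overrideable parameters
-PILLARDIR=${PILLARDIR:-${CURDIR}/pillar}
-BUILDDIR=${BUILDDIR:-${CURDIR}/build}
-VENV_DIR=${VENV_DIR:-${BUILDDIR}/virtualenv}
-DEPSDIR=${BUILDDIR}/deps
-
-SALT_FILE_DIR=${SALT_FILE_DIR:-${BUILDDIR}/file_root}
-SALT_PILLAR_DIR=${SALT_PILLAR_DIR:-${BUILDDIR}/pillar_root}
-SALT_CONFIG_DIR=${SALT_CONFIG_DIR:-${BUILDDIR}/salt}
-SALT_CACHE_DIR=${SALT_CACHE_DIR:-${SALT_CONFIG_DIR}/cache}
-
-SALT_OPTS="${SALT_OPTS} --retcode-passthrough --local -c ${SALT_CONFIG_DIR} --log-file=/dev/null"
-
-if [ "x${SALT_VERSION}" != "x" ]; then
-PIP_SALT_VERSION="==${SALT_VERSION}"
-fi
-
-## Functions
-log_info() {
-echo "[INFO] $*"
-}
-
-log_err() {
-echo "[ERROR] $*" >&2
-}
-
-setup_virtualenv() {
-log_info "Setting up Python virtualenv"
-virtualenv $VENV_DIR
-source ${VENV_DIR}/bin/activate
-pip install salt${PIP_SALT_VERSION}
-}
-
-setup_pillar() {
-[ ! -d ${SALT_PILLAR_DIR} ] && mkdir -p ${SALT_PILLAR_DIR}
-echo "base:" > ${SALT_PILLAR_DIR}/top.sls
-for pillar in ${PILLARDIR}/*; do
-state_name=$(basename ${pillar%.sls})
-echo -e " ${state_name}:\n - ${state_name}" >> ${SALT_PILLAR_DIR}/top.sls
-done
-}
-
-setup_salt() {
-[ ! -d ${SALT_FILE_DIR} ] && mkdir -p ${SALT_FILE_DIR}
-[ ! -d ${SALT_CONFIG_DIR} ] && mkdir -p ${SALT_CONFIG_DIR}
-[ ! -d ${SALT_CACHE_DIR} ] && mkdir -p ${SALT_CACHE_DIR}
-
-echo "base:" > ${SALT_FILE_DIR}/top.sls
-for pillar in ${PILLARDIR}/*.sls; do
-state_name=$(basename ${pillar%.sls})
-echo -e " ${state_name}:\n - ${FORMULA_NAME}" >> ${SALT_FILE_DIR}/top.sls
-done
-
-cat << EOF > ${SALT_CONFIG_DIR}/minion
-file_client: local
-cachedir: ${SALT_CACHE_DIR}
-verify_env: False
-minion_id_caching: False
-
-file_roots:
-base:
-- ${SALT_FILE_DIR}
-- ${CURDIR}/..
-- /usr/share/salt-formulas/env
-
-pillar_roots:
-base:
-- ${SALT_PILLAR_DIR}
-- ${PILLARDIR}
-EOF
-}
-
-fetch_dependency() {
-dep_name="$(echo $1|cut -d : -f 1)"
-dep_source="$(echo $1|cut -d : -f 2-)"
-dep_root="${DEPSDIR}/$(basename $dep_source .git)"
-dep_metadata="${dep_root}/metadata.yml"
-
-[ -d /usr/share/salt-formulas/env/${dep_name} ] && log_info "Dependency $dep_name already present in system-wide salt env" && return 0
-[ -d $dep_root ] && log_info "Dependency $dep_name already fetched" && return 0
-
-log_info "Fetching dependency $dep_name"
-[ ! -d ${DEPSDIR} ] && mkdir -p ${DEPSDIR}
-git clone $dep_source ${DEPSDIR}/$(basename $dep_source .git)
-ln -s ${dep_root}/${dep_name} ${SALT_FILE_DIR}/${dep_name}
-
-METADATA="${dep_metadata}" install_dependencies
-}
-
-install_dependencies() {
-grep -E "^dependencies:" ${METADATA} >/dev/null || return 0
-(python - | while read dep; do fetch_dependency "$dep"; done) << EOF
-import sys,yaml
-for dep in yaml.load(open('${METADATA}', 'ro'))['dependencies']:
-print '%s:%s' % (dep["name"], dep["source"])
-EOF
-}
-
-clean() {
-log_info "Cleaning up ${BUILDDIR}"
-[ -d ${BUILDDIR} ] && rm -rf ${BUILDDIR} || exit 0
-}
-
-salt_run() {
-[ -e ${VEN_DIR}/bin/activate ] && source ${VENV_DIR}/bin/activate
-salt-call ${SALT_OPTS} $*
-}
-
-prepare() {
-[ -d ${BUILDDIR} ] && mkdir -p ${BUILDDIR}
-
-which salt-call || setup_virtualenv
-setup_pillar
-setup_salt
-install_dependencies
-}
-
-run() {
-for pillar in ${PILLARDIR}/*.sls; do
-state_name=$(basename ${pillar%.sls})
-salt_run --id=${state_name} state.show_sls ${FORMULA_NAME} || (log_err "Execution of ${FORMULA_NAME}.${state_name} failed"; exit 1)
-done
-}
-
-_atexit() {
-RETVAL=$?
-trap true INT TERM EXIT
-
-if [ $RETVAL -ne 0 ]; then
-log_err "Execution failed"
-else
-log_info "Execution successful"
-fi
-return $RETVAL
-}
-
-## Main
-trap _atexit INT TERM EXIT
-
-case $1 in
-clean)
-clean
-;;
-prepare)
-prepare
-;;
-run)
-run
-;;
-*)
-prepare
-run
-;;
-esac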