Commit Graph

153 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 7dbec32273 Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Change-Id: I81216a7eabe6b99d08ab15a62c046108fcb2bfc5
2023-11-10 17:00:57 +01:00
Andrew Bonney 2ed76dee5d oidc: fix overloading of redirect_uri for cli client
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.

As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.

Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
2023-10-20 14:04:31 +01:00
Andrew Bonney b54478e7e1 oidc: fix recognition of x forwarded headers from v2.4.11
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto header from the reverse proxy as
of version v2.4.11, which comes with Ubuntu Jammy.

Eventually this will need to become the default and the
variable added in this patch can be removed.

Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
2023-09-29 08:24:16 +00:00
Damian Dabrowski b73bcd9981 Fix SSL logic in keystone-httpd.conf.j2
Defining SSL parameters has nothing to do with
keystone_service_internaluri_proto. It should not be taken into
consideration there.
Theoretically speaking, an environment can have TLS disabled on the frontend
but enabled on the backend.

Change-Id: I81b66a7388c335958badf7135f4289c3423cb229
2023-06-04 17:24:09 +02:00
Zuul 2378e452ad Merge "Rename keystone_ssl to keystone_backend_ssl" 2023-04-20 18:46:50 +00:00
Damian Dabrowski 59f04a63c5 Remove security.txt parts
Keystone is no longer responsible for storing and serving security.txt
file. It is now fully handled by haproxy.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/880110
Change-Id: Iefd090dce0441f81eb4d5b203f61a4587a5beedb
2023-04-11 21:09:57 +00:00
Damian Dabrowski 6661a9dab7 Rename keystone_ssl to keystone_backend_ssl
To standardize variable name across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
2023-04-08 12:53:10 +00:00
Dmitriy Rabotyagov 0a24c61e3e Improve way of cache backend selection
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.

Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us the
opportunity to refactor this bit of the deployment and allows more
flexibility in backend selection and requirements installation for it.

[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
2022-09-23 10:49:09 +02:00
Zuul b9fc36753b Merge "Fix keystone_secure_proxy_ssl_header logic" 2022-08-12 19:15:45 +00:00
Dmitriy Rabotyagov 33ee3fcb17 Fix keystone_secure_proxy_ssl_header logic
Previous commit [1] introduced logic that breaks proper service
discovery. Now we're fixing the logic, following these rules/assumptions:
+----------+---------+---------------+
| HAProxy  | Apache  | RequestHeader |
+----------+---------+---------------+
| non-SSL  | non-SSL | http          |
| non-SSL  | SSL     | http          |
| SSL      | SSL     | https         |
| SSL      | non-SSL | https         |
+----------+---------+---------------+

[1] 6fae2bdade

Change-Id: Ibf7759eea63b7150aeae655c10eccc69cd3417ea
2022-08-12 09:13:34 +00:00
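Added example (not os_keystone's own code, and not what the commit above changes): a small Python model of the rule in the table, paired with the check a practitioner wants on the receiving side. The header value must describe the scheme the client used towards HAProxy, whatever the HAProxy-to-Apache hop looks like; and because X-Forwarded-Proto is just a request header, keystone's link generation should only honour it when it was set by the proxy, not when a client reaching the backend directly supplies it. The trusted-proxy network, the WSGI environ layout, the hostname and the two sample requests are assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: the address range HAProxy connects from.
TRUSTED_PROXY_NETWORKS = [ip_network("10.0.3.0/24")]


def proxy_header_value(haproxy_ssl: bool, apache_ssl: bool) -> str:
    """Value to put in RequestHeader X-Forwarded-Proto (the table above).

    Only the frontend termination matters: the header tells keystone which
    scheme the client used, so the Apache backend scheme is ignored.
    """
    del apache_ssl  # intentionally unused; kept to mirror the table columns
    return "https" if haproxy_ssl else "http"


def effective_scheme(environ: dict) -> str:
    """Scheme keystone should use when building discovery/catalog links.

    Honour X-Forwarded-Proto only when the immediate peer is a trusted proxy;
    otherwise fall back to the scheme of the connection that reached us.
    """
    peer = ip_address(environ["REMOTE_ADDR"])
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and any(peer in net for net in TRUSTED_PROXY_NETWORKS):
        # A proxy chain may append values; the first is the client-facing scheme.
        scheme = forwarded.split(",")[0].strip().lower()
        if scheme in ("http", "https"):
            return scheme
    return environ["wsgi.url_scheme"]


def discovery_root(environ: dict, host: str = "keystone.example.test") -> str:
    """Root URL keystone would advertise for this request (host is an assumption)."""
    return f"{effective_scheme(environ)}://{host}/v3/"


# Constructed sample requests, not captured traffic.
FROM_HAPROXY = {
    "REMOTE_ADDR": "10.0.3.10",
    "wsgi.url_scheme": "http",           # HAProxy -> Apache hop is plain HTTP
    "HTTP_X_FORWARDED_PROTO": "https",   # but the client spoke TLS to HAProxy
}
SPOOFED_DIRECT = {
    "REMOTE_ADDR": "203.0.113.7",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "https",   # attacker-supplied, must be ignored
}

if __name__ == "__main__":
    for haproxy_ssl, apache_ssl in [(False, False), (False, True), (True, True), (True, False)]:
        print(f"HAProxy SSL={haproxy_ssl!s:5} Apache SSL={apache_ssl!s:5} "
              f"-> {proxy_header_value(haproxy_ssl, apache_ssl)}")
    print(discovery_root(FROM_HAPROXY))    # https://keystone.example.test/v3/
    print(discovery_root(SPOOFED_DIRECT))  # http://keystone.example.test/v3/
```

The first loop reproduces the four table rows; the two `discovery_root` calls show why the trusted-peer check matters: without it the spoofed request would make keystone advertise an https endpoint that the deployment does not actually serve, which is exactly the kind of service-discovery breakage the commit describes.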
mroth26 ec9ffea3ca Add PKCE method for OIDC
Change-Id: Icb77fff4a2f823f4c2a84dc77c21e4ddf0c8e22c
2022-08-08 16:23:58 +02:00
Sven Anders 54a4e496b9 Handle host with unset ansible_host
We are having all machines in DNS and want to be able to change IP addresses in DNS. So we do not
use ansible_host in our host_vars/machine.yml

As os_keystone is the first Ansible role we use, we will make similar changes to other roles later
on.

Change-Id: Ic9f43cc3f6b62b5098e85afcf55f008c022517f6
2022-04-26 13:39:33 +00:00
Zuul 30f199ce30 Merge "Drop distributed_lock parameter" 2022-03-16 15:20:58 +00:00
Marcus Bahn dc62f04827 add oauth support
Some OIDCOAuth* variables were needed to allow CLI access via `--os-auth-type v3oidcaccesstoken`.

See https://docs.egi.eu/providers/cloud-compute/openstack/aai/#cli-access and https://docs.egi.eu/providers/cloud-compute/openstack/aai/#apache-configuration

Change-Id: I693684e4dc85c096f46a3385d70202c39d379d25
2022-03-10 11:47:11 +01:00
Dmitriy Rabotyagov ba7b704062 Drop distributed_lock parameter
It has been dropped in Victoria and doesn't have any effect now.

Change-Id: Ia8a520acc70dbde4e04d429c1f980af89516094d
2022-03-03 15:37:21 +01:00
Zuul ba9d685380 Merge "Define X-Forwarded-Proto for keystone" 2022-02-15 18:58:13 +00:00
Zuul cb3a1b487a Merge "Use uwsgi role for keystone" 2022-02-15 10:43:50 +00:00
Zuul cbe25b61e4 Merge "Switch keystone logging to syslog" 2022-02-15 10:25:41 +00:00
Dmitriy Rabotyagov 6fae2bdade Define X-Forwarded-Proto for keystone
Add X-Forwarded-Proto header based on the haproxy termination
and on whether keystone is configured to use SSL for internal connections

Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
2022-02-09 23:03:39 +00:00
Dmitriy Rabotyagov 790d0c3482 Drop ProxyPass out of VHost
As ProxyPass is defined outside the VHost, it has a global effect, resulting
in the Horizon Identity section being just proxied to the keystone API
instead of rendered by Django as instructed by the Horizon VHost.

Change-Id: I596614f55a8db8e814b1d24a78c3f1a9d0e00bb2
Closes-Bug: #1960342
2022-02-09 13:44:27 +02:00
Dmitriy Rabotyagov cb7eaa7ce3 Use uwsgi role for keystone
Instead of having own implementation of uwsgi, use common role.

This allows us to reduce the code to maintain and eases
providing fixes and features to the uwsgi deployment code.

Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
2022-02-09 12:10:18 +02:00
Dmitriy Rabotyagov 82caa30754 Switch keystone logging to syslog
Instead of using file logging we switch the apache conf to log to syslog,
which results in journald. This aligns with the way other services
log.

Change-Id: I4c619500f7df389a60a7baf0d444ddbc7fc2a9dc
2022-02-09 09:58:28 +02:00
Andrew Bonney dfa253d72c Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
2022-01-10 13:49:45 +00:00
Damian Dabrowski b36b942aed Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
2021-12-03 16:54:38 +01:00
Zuul 91c397dc8b Merge "Drop Nginx webserver support" 2021-11-26 15:14:18 +00:00
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Dmitriy Rabotyagov c2281d2f2b Fix apache ProxyPass arguments
With the fix for CVE-2021-36160 apache stops interpreting trailing
whitespace in ProxyPass arguments. This is not supported according to
the apache documentation [1] and should be fixed.

[1] https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742
Change-Id: I9f46466943544168335b07198264adb8be49d261
Related-Bug: #1945274
2021-09-30 14:11:37 +00:00
Georgina 9a4fd9dcfc Fix oidc scope misspelling in newer releases
A follow on from I8a1d7e8d31b43b70de062d5bbf2f648c71014af0.
Remove ability to use incorrect spelling in future releases.

Change-Id: If27c04ba5ce509a30fe2af2a56771cc1a12dbe9d
2021-07-22 10:04:54 +00:00
Georgina 9c4f9ef4f1 Fix typo in keystone-httpd template
For backwards compatibility I have left in the original incorrect spelling;
this patch should be backported.

Change-Id: I8a1d7e8d31b43b70de062d5bbf2f648c71014af0
2021-06-30 11:44:35 +00:00
Jonathan Rosser d67c498269 Add variables for rabbitmq ssl configuration
Change-Id: Ie4bdbd1f4d530844dced5161de57665f9dc97fd3
2021-05-13 14:37:56 +00:00
Jonathan Rosser 0f2b8e16c9 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: I1624730385a7b54cf36a94d313cc298430129736
2021-03-10 12:16:38 +00:00
Dmitriy Rabotyagov e377209297 Use absolute path for uwsgi_params include
Nginx config verification that is performed by ansible [1] is made
in tmp "on the fly", which fails because of the relative import.

We also move the task that replaces ports in nginx.conf to the end
so that config validation is performed after all configuration
is applied.

[1] https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/keystone_nginx.yml#L44

Change-Id: Ic52fc7dbdb0324ab8f4b71d25398f23a05df05d7
2021-02-16 11:55:57 +02:00
Jonathan Rosser b71f4853e3 Allow OIDCClaimDelimiter to be set in the apache config file
This may be necessary for federation where there are multiple
OIDC groups that are separated by a ';'. See [1].

[1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html

Change-Id: I68c0b138955693c8d1992f986878862ea12f5149
2021-02-03 18:19:15 +00:00
James Gibson 5af8175643 Add security.txt file hosting to keystone
If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations
/security.txt and /.well-known/security.txt as defined in
https://securitytxt.org/

Depends-On: https://review.opendev.org/766030
Change-Id: I3b418a7950cb1b89451e1f19d6e1c82b507aa1c0
2020-12-11 09:59:39 +00:00
Georgina e3294f0f91 Add CADF notifications for federated keystone
Event notifications are useful for those that need to keep an audit
trail. Turned off by default as these logs contain user specific data
and local data protection laws should be considered.
The default notification_opt_outs follow the keystone documentation.
Please see here for more information on CADF notifications:
https://docs.openstack.org/keystone/pike/advanced-topics/event_notifications.html

Change-Id: Id1867b6b50fc769757781eabc208ee9ead65f4c9
2020-07-27 19:02:45 +00:00
Danny Meloy eda646382a Add Parameters to httpd.conf template
Added the following parameters to the httpd.conf template
to be used with the mod_auth_openidc Apache module. Params include:
- OIDCStateMaxNumberOfCookies - this takes parameters in the form
<number> <false|true> where number is the maximum number of state
cookies stored in parallel for outstanding auth requests, and the
boolean indicates whether cookies that are still valid over this
amount are deleted
- OIDCDefaultURL - Defines a default URL to be used in case of
3rd-party or OP initiated SSO when no explicit target_link_uri has
been provided. The user is also sent to this URL in case an
invalid authorization response was received
(ref: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf)

The reason these have been added is due to some stability issues
that have been seen regarding cached session cookies that subsequently
cause a "state mismatch" error. Being able to limit the number of active cookies
appears to resolve this issue.

Change-Id: Id2248e93f2636407396d4ac8fe29c8943e4a3a57
2020-06-17 18:31:13 +01:00
Danny Meloy f0ce41ea61 Add OIDCAuthRequestParams parameter to template
Added the OIDCAuthRequestParams line to the keystone-httpd.conf template
This allows for the addition of optional extra parameters that will be sent
along with the Authorization Request when using federated logins:
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf

Change-Id: I020986bbc2d5baa73a19ee7e1070019cb4e9ce63
2020-06-02 13:39:33 +01:00
Georgina Shippey beebf1196e Add memcached caching
Piggybacking on to the memcached containers that keystone uses for
its token caching we are able to share state between the apache_mod_openidc
instances so that authentications succeed in cases where auth requests
are being routed to more than one keystone container.

Change-Id: Ia978b46f6a6dfc5da8f8ebecb1a3c9fe44948add
2020-04-29 21:52:58 +01:00
Georgina Shippey 3b283edf8a Add option for OIDCOutgoingProxy for mod_auth_openidc
Allows a user to specify the OIDCOutgoingProxy setting for mod_auth_openidc
when setting up an OIDC identity provider.

Change-Id: Ib37ace634f81e4f691d0b1aa8c52424a1c851da4
2020-04-28 18:00:44 +01:00
Guilherme Steinmüller 4d1557dcf2 Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give deployers the ability to
override the location of the memcached cluster, e.g. users
who want to create a single memcached cluster with k8s
for each service.

Change-Id: I57e7a977675c203d811bf0afc60ebf2c5661c284
2020-03-13 22:10:07 +00:00
Georgina 47fe909d54 Federated openid support using auth_mod_openidc
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined, the shibboleth auth module will continue to be
installed by default, maintaining backward compatibility.

This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.

Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
2020-01-31 11:28:38 +00:00
Dmitriy Rabotyagov a65a58f2d6 Drop deprecated options
eventlet_server has been deprecated in N [1]
member_role_name and admin_endpoint have been used for v2 only
secure_proxy_ssl_header has been removed in P

[1] https://docs.openstack.org/keystone/train/configuration/config-options.html#eventlet-server

Change-Id: I6bf3eaa1cacb34ba67e6afc63a62d2512bff4d53
2019-12-07 12:01:25 +02:00
Ralf Haferkamp 113d85d23b Fix distro install on openSUSE
With Train (current master) openSUSE is switching the openstack packages
to use Python 3. This means that we need to use the python3 module for
uwsgi.

Change-Id: I0fcb9d6a1df8893f3f4e6593a1614611e6712418
2019-09-18 16:50:35 +02:00
Jonathan Rosser e3a9237b83 Add default bind addresses for nginx, apache and uwsgi
These can be overridden to bind to the actual management network IP
in a real deployment

Change-Id: I4824faedd1c663ac004a9e2674988c565f4cc27f
2019-07-22 13:56:54 +01:00
Zuul e9718f14f3 Merge "Fix distro installs on Ubuntu" 2019-06-11 08:48:32 +00:00
Marc Gariepy 6960c141e5 Add headers to allow the inline script for SSO redirect.
The script sha256 needs to be present to allow the browser to run the
script with the CSP.

The sha is for the Javascript code of the sso_callback_template:
https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html#L17-L19


Change-Id: I7dd383fcc20c8b46e8e713b28d23e9c9e45679c2
2019-06-06 12:42:06 +00:00
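Added example (not keystone or os_keystone code): how the hash source for the CSP header mentioned above is derived. A browser enforcing `script-src` with a hash source computes SHA-256 over the exact bytes between the `<script>` and `</script>` tags, whitespace and newlines included, so the value placed in the header must be computed from the verbatim template body rather than a trimmed or re-indented copy. The HTML snippet below is constructed for this example and is not the real sso_callback_template.

```python
import base64
import hashlib
import re

# Inline script elements only; external scripts (src=...) are not hashed.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def extract_inline_scripts(html: str) -> list:
    """Return the verbatim bodies of all inline <script> elements.

    The body is kept as-is (leading/trailing whitespace included): the CSP
    hash covers exactly those bytes, so trimming here would produce a hash
    the browser rejects.
    """
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def csp_script_hash(script_body: str) -> str:
    """CSP source expression ('sha256-<base64>') for one inline script body."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_header_for(html: str) -> str:
    """Content-Security-Policy value allowing same-origin scripts plus the
    inline scripts found in html, and nothing else."""
    sources = ["'self'"] + [csp_script_hash(b) for b in extract_inline_scripts(html)]
    return "script-src " + " ".join(sources)


# Constructed stand-in for an SSO callback page (not keystone's template).
SAMPLE_HTML = """<html><body>
<form method="post" action="https://horizon.example.test/auth/websso/">
<input type="hidden" name="token" value="dummy">
</form>
<script type="text/javascript">
    window.onload = function() { document.forms[0].submit(); };
</script>
</body></html>
"""

if __name__ == "__main__":
    print(csp_header_for(SAMPLE_HTML))
```

The regex deliberately keeps the newline after `<script ...>` and the indentation of the script line; if the template is later reformatted even by one space, the hash no longer matches and the browser blocks the auto-submit, which is the failure mode this kind of header is prone to in practice.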
Jimmy McCrory 254a447ffe Fix distro installs on Ubuntu
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi python3
plugin.

The keystone package includes a dependency for apache2, python3-keystone
should be used instead.

Change-Id: Idbef95bc115755994156ab0fee7538370392e67d
2019-06-03 13:05:41 -07:00
Zuul 7ea449973f Merge "remove old wsgi script in apache" 2019-05-27 17:35:57 +00:00
Marc Gariepy fbed9e974c remove old wsgi script in apache
WSGIScriptAliasMatch is a configuration for mod_wsgi that is not used
anymore.
Prevent ProxyPass from redirecting all traffic to keystone uwsgi;
/Shibboleth.sso needs to be handled by mod_shib

Change-Id: I5117ccb6395c820a19d9070187b0a1e5c9fba448
Depends-On: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c
2019-05-27 12:06:53 +00:00
Marc Gariepy c5dcce8879 Remove unsupported option for keystone mapping
saml2 is already configured as an entrypoint for the Mapped plugin.

fix sp part of LP:#1808543

Related-Bug: 1808543

mapping in the config has been disabled in keystone

Change-Id: Ib926b14f82616f6b4d3c595a8848f191827b4b3e
Depends-On: Ibff3aa2a1ac1bbf2493aaf2419ee1e4dd763934c
2019-05-24 15:15:57 +00:00