openstack
/
openstack-ansible-os_keystone
Code Issues Proposed changes

Merge "Federated openid support using auth_mod_openidc"

This commit is contained in:
Zuul 2020-02-01 09:50:42 +00:00 committed by Gerrit Code Review
parent e0197db984 47fe909d54
commit 7275ae85d1
10 changed files with 127 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
defaults/main.yml
View File

@ -329,6 +329,7 @@ keystone_idp: {}
keystone_sp: {}
#keystone_sp:
# cert_duration_years: 5
# apache_mod: shibboleth #or mod_auth_openidc
# trusted_dashboard_list:
# - "https://{{ external_lb_vip_address }}/auth/websso/"
# - "https://{{ horizon_server_name }}/auth/websso/"
@ -425,6 +426,34 @@ keystone_sp: {}
# attributes:
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
#
# - name: "keycloak-oidc-idp"
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
# oidc_client_id: keystone
# oidc_client_secret: secret
# oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# entity_ids:
# - 'https://identity-provider/openid-endpoint/'
# federated_identities:
# - domain: default
# project: fedproject
# group: fedgroup
# role: _member_
# protocols:
# - name: openid
# mapping:
# name: keycloak-oidc-idp-openid-mapping
# rules:
# - remote:
# - type: OIDC-email
# local:
# - group:
# name: fedgroup
# domain:
# name: Default
# user:
# name: '{0}'
keystone_service_in_ldap: false

16
releasenotes/notes/mod-auth-openidc-102bd253b677f3fc.yaml Normal file
View File

@ -0,0 +1,16 @@
---
features:
- Added support for using mod_auth_openidc instead of shibboleth as a
service provider for supporting users who have a preference to use OIDC
for federation. Mod_auth_openidc is the apache module that is recommended
in the keystone documentation for implementing openidc.
Added a variable to called apache_mod to keystone_sp, if left undefined
shibboleth will continue to be installed by default provided keystone_sp is
not empty. Mod_auth_openidc will not be installed unless it is spelled
correctly, any misspellings will result in a shibboleth install.
Note that installing shibboleth on Debian based metal distro deployments
may break services that depend on libcurl4, as shib2 requires libcurl3,
and they are unable to coexist. This can be resolved when there is a
shib3 package available in a future release of Ubuntu/Debian.
There is currently no support for simultaneous use of shibboleth2 and
mod_auth_openidc.

22
tasks/keystone_apache.yml
View File

@ -32,6 +32,17 @@
owner: "{{ keystone_apache_default_log_owner }}"
group: "{{ keystone_apache_default_log_grp }}"
- name: Place apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Manage LB
- Restart web server
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian and SUSE based systems.
- name: Enable/disable apache2 modules
@ -58,17 +69,6 @@
- Manage LB
- Restart web server
- name: Drop apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Manage LB
- Restart web server
- name: Disable default apache site
file:
path: "{{ item }}"

0
tasks/keystone_federation_sp_setup.yml → tasks/keystone_federation_sp_shib_setup.yml
View File

20
tasks/main.yml
View File

@ -48,6 +48,21 @@
tags:
- always
- name: Fact for apache module shibboleth to be installed
set_fact:
keystone_sp_apache_mod_shib:
"{{ (keystone_sp != {} and
(keystone_sp.apache_mod is undefined or
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
) | ternary('true', 'false') }}"
- name: Fact for apache module mod_auth_openidc to be installed
set_fact:
keystone_sp_apache_mod_auth_openidc:
"{{ (keystone_sp != {} and
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
| ternary('true', 'false') }}"
- import_tasks: db_setup.yml
when:
- "keystone_services['keystone-wsgi-public']['group'] in group_names"
@ -123,8 +138,9 @@
tags:
- keystone-config
- import_tasks: keystone_federation_sp_setup.yml
when: keystone_sp != {}
- import_tasks: keystone_federation_sp_shib_setup.yml
when:
- keystone_sp_apache_mod_shib
tags:
- keystone-config

41
templates/keystone-httpd.conf.j2
View File

@ -18,7 +18,7 @@ Listen {{ keystone_service_port }}
Header set Content-Security-Policy "default-src 'self' https: wss:;"
{% if keystone_sp != {} -%}
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
{% endif %}
{% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
@ -33,9 +33,36 @@ Listen {{ keystone_service_port }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif -%}
{% if keystone_sp_apache_mod_auth_openidc -%}
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
{% endif %}
{% if keystone_sp != {} -%}
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
Require valid-user
AuthType auth-openidc
</Location>
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
Require valid-user
AuthType openid-connect
</Location>
{% endif %}
{%- if keystone_sp_apache_mod_shib -%}
ShibURLScheme {{ keystone_service_publicuri_proto }}
<Location /Shibboleth.sso>
@ -57,19 +84,21 @@ Listen {{ keystone_service_port }}
ShibExportAssertion Off
Require valid-user
</LocationMatch>
{% endif %}
{% if keystone_sp != {} -%}
<Directory /var/www/cgi-bin/keystone>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
{% if keystone_sp != {} -%}
ProxyPass /Shibboleth.sso !
{% endif %}
{% if keystone_sp_apache_mod_shib -%}
ProxyPass /Shibboleth.sso !
{% endif -%}
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
</VirtualHost>

10
templates/keystone.conf.j2
View File

@ -43,11 +43,7 @@ cache_time = {{ keystone_revocation_cache_time }}
[auth]
{% if keystone_sp != {} %}
methods = {{ keystone_auth_methods }},saml2
{% else %}
methods = {{ keystone_auth_methods }}
{% endif %}
methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}
{% if keystone_database_enabled | bool %}
@ -132,7 +128,11 @@ key_repository = {{ keystone_credential_key_repository }}
{% if keystone_sp != {} %}
[federation]
{% if keystone_sp_apache_mod_auth_openidc %}
remote_id_attribute = HTTP_OIDC_ISS
{% elif keystone_sp_apache_mod_shib %}
remote_id_attribute = Shib-Identity-Provider
{% endif %}
{% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }}

8
vars/debian.yml
View File

@ -57,7 +57,9 @@ keystone_idp_distro_packages:
- xmlsec1
keystone_sp_distro_packages:
- libapache2-mod-shib2
- "{{ keystone_sp_apache_mod_shib | ternary('libcurl3', 'libcurl4') }}"
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('libapache2-mod-auth-openidc',
'libapache2-mod-shib2') }}"
keystone_developer_mode_distro_packages:
- build-essential
@ -86,7 +88,9 @@ keystone_apache_modules:
- name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2"
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy_uwsgi"
state: "present"
- name: "headers"

3
vars/redhat.yml
View File

@ -51,7 +51,8 @@ keystone_idp_distro_packages:
- xmlsec1
keystone_sp_distro_packages:
- shibboleth
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('mod_auth_openidc',
'shibboleth') }}"
keystone_developer_mode_distro_packages:
- gcc

7
vars/suse.yml
View File

@ -52,7 +52,8 @@ keystone_idp_distro_packages:
- xmlsec1
keystone_sp_distro_packages:
- shibboleth-sp
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('apache2-mod_auth_openidc',
'shibboleth-sp') }}"
keystone_developer_mode_distro_packages:
- "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
@ -86,7 +87,9 @@ keystone_apache_modules:
- name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2"
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy"
state: "present"
- name: "proxy_http"