Add trigger to setup a LDAP backend as keystone domaine
It uses a trigger, tripleo::profile::base::keystone::ldap_backend_enable, in puppet-tripleo
which calls the ldap_backend.pp define in puppet-keystone.
Given the following environment:
parameter_defaults:
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Conflicts:
puppet/services/keystone.yaml
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
(cherry picked from commit 347f5434b3
)
This commit is contained in:
parent
40dbbd408e
commit
4db1c9f8e4
|
@ -0,0 +1,18 @@
|
|||
# This is an example template on how to configure keystone domain specific LDAP
|
||||
# backends. This will configure a domain called tripleoldap will the attributes
|
||||
# specified.
|
||||
parameter_defaults:
|
||||
KeystoneLDAPDomainEnable: true
|
||||
KeystoneLDAPBackendConfigs:
|
||||
tripleoldap:
|
||||
url: ldap://192.0.2.250
|
||||
user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com
|
||||
password: Secrete
|
||||
suffix: dc=tripleo,dc=example,dc=com
|
||||
user_tree_dn: ou=Users,dc=tripleo,dc=example,dc=com
|
||||
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=tripleo,dc=example,dc=com)"
|
||||
user_objectclass: person
|
||||
user_id_attribute: cn
|
||||
user_allow_create: false
|
||||
user_allow_update: false
|
||||
user_allow_delete: false
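Review bot: The example binds over plaintext LDAP with a literal bind password (`url: ldap://192.0.2.250` and `password: Secrete`), so a deployer who copies this environment file as-is sends the service account's credentials and every user lookup across the network unencrypted. Since the commit message says the hash is handed straight to the keystone::ldap_backend define, the example should show `url: ldaps://ldap.example.com` (or that define's TLS options, if they pass through — worth confirming) and an obvious placeholder such as `password: CHANGEME` instead of a value that looks real. A comment above `url:` such as `# Use ldaps:// in production; the bind password below is deployed as hieradata on the controllers.` would make the caveat explicit for anyone pasting this into a real overcloud. The header comment on the third line also reads `will the attributes`, presumably `with the attributes`.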
|
|
@ -158,6 +158,16 @@ parameters:
|
|||
description: >
|
||||
Cron to purge expired tokens - User
|
||||
default: 'keystone'
|
||||
KeystoneLDAPDomainEnable:
|
||||
description: Trigger to call ldap_backend puppet keystone define.
|
||||
type: boolean
|
||||
default: False
|
||||
KeystoneLDAPBackendConfigs:
|
||||
description: Hash containing the configurations for the LDAP backends
|
||||
configured in keystone.
|
||||
type: json
|
||||
default: {}
|
||||
hidden: true
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -171,6 +181,7 @@ resources:
|
|||
|
||||
conditions:
|
||||
keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
|
||||
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -293,6 +304,15 @@ outputs:
|
|||
keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay}
|
||||
keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination}
|
||||
keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser}
|
||||
-
|
||||
if:
|
||||
- keystone_ldap_domain_enabled
|
||||
-
|
||||
tripleo::profile::base::keystone::ldap_backend_enable: True
|
||||
keystone::using_domain_config: True
|
||||
tripleo::profile::base::keystone::ldap_backends_config:
|
||||
get_param: KeystoneLDAPBackendConfigs
|
||||
- {}
|
||||
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::keystone
|
||||
|
@ -305,6 +325,13 @@ outputs:
|
|||
keystone::db::mysql::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
horizon:
|
||||
if:
|
||||
- keystone_ldap_domain_enabled
|
||||
-
|
||||
horizon::keystone_multidomain_support: true
|
||||
horizon::keystone_default_domain: 'Default'
|
||||
- {}
|
||||
# Ansible tasks to handle upgrade
|
||||
upgrade_tasks:
|
||||
- name: Stop keystone service (running under httpd)
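Review bot: `hidden: true` on KeystoneLDAPBackendConfigs only stops the value from showing up in stack/parameter output; the hash, including the bind `password`, is still passed verbatim into hiera via `tripleo::profile::base::keystone::ldap_backends_config` in the config_settings hunk, and nothing in the description tells the deployer that. I would extend the description to say that each entry is handed to the keystone::ldap_backend define unchanged and normally carries an LDAP bind password, so it belongs in a separate, access-restricted environment file rather than the main deployment arguments. The `KeystoneLDAPDomainEnable` description `Trigger to call ldap_backend puppet keystone define.` also describes the implementation rather than the effect; something like `Enable configuration of domain-specific LDAP identity backends in keystone (see KeystoneLDAPBackendConfigs).` reads better for the template user. Separately, `horizon::keystone_default_domain: 'Default'` in the horizon hunk is hard-coded; if a deployment uses a different default domain this will silently point horizon at the wrong one, so it may deserve its own parameter or at least a comment.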
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- Add capabilities to configure LDAP backends as for keystone domains.
|
||||
This can be done by using the KeystoneLDAPDomainEnable and
|
||||
KeystoneLDAPBackendConfigs parameters.
|