authorSergey Reshetnyak <sreshetniak@mirantis.com>2017-02-20 18:57:54 +0300
committerSergey Reshetnyak <sreshetniak@mirantis.com>2017-03-13 17:16:19 +0300
commit49c835ec0976c7b5f08c33c665b2bbcc52a4832d (patch)
tree2c1fbbff67c3225b77724f253fc1376636c67b71
parent6024c6d218eb07bd4f5ec33ffb512565d98cd7f2 (diff)
LDAP intergation
This patch adds support for LDAP as an authentication backend Change-Id: Ic6d04450dcdc68c41aa503370fcc347c894f0093
Notes
Notes (review): Code-Review+2: Andrey Pavlov <apavlov@mirantis.com> Verified+1: Mirantis CCP CI <mirantis-fuel-ccp-ci@mirantis.com> Code-Review+2: Yuriy Taraday <yorik.sar@gmail.com> Workflow+1: Yuriy Taraday <yorik.sar@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 14 Mar 2017 12:23:19 +0000 Reviewed-on: https://review.openstack.org/436082 Project: openstack/fuel-ccp-keystone Branch: refs/heads/master
-rw-r--r--docker/keystone/Dockerfile.j26
-rw-r--r--service/files/defaults.yaml20
-rw-r--r--service/files/keystone.conf.j23
-rw-r--r--service/files/keystone.ldap.cacert.j21
-rw-r--r--service/files/keystone.ldap.conf.j218
-rw-r--r--service/keystone.yaml17
6 files changed, 63 insertions, 2 deletions
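--- a/docker/keystone/Dockerfile.j2
+++ b/docker/keystone/Dockerfile.j2
@@ -7,14 +7,16 @@ RUN apt-get install -y --no-install-recommends \
  apache2 \
  libapache2-mod-wsgi \
  mysql-client \
+ libldap2-dev \
+ libsasl2-dev \
  && echo > /etc/apache2/ports.conf \
  && apt-get clean
 
 {{ copy_sources("openstack/keystone", "/keystone") }}
 
 RUN useradd --user-group keystone \
- && /var/lib/microservices/venv/bin/pip install /keystone \
- && mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
+ && /var/lib/microservices/venv/bin/pip install ldappool /keystone \
+ && mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /etc/keystone/domains /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
  && cp -r /keystone/etc/* /etc/keystone/ \
  && cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
  && cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \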
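Review bot: `ldappool` is installed unpinned on the `pip install ldappool /keystone` line, so the image picks up whatever version is current at build time, outside the requirement pins keystone itself carries. If keystone's setup.cfg declares an `ldap` extra, `pip install '/keystone[ldap]'` would pull ldappool (and python-ldap, which the new `libldap2-dev`/`libsasl2-dev` build packages exist to compile) at the versions keystone is tested against; otherwise pin the version explicitly so rebuilds are reproducible. Both RUN instructions touched here start or continue outside the hunk.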
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 2e05c18..daecd56 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -15,6 +15,22 @@ configs:
15 15
16 fernet_secret_name: keystone-fernet-keys 16 fernet_secret_name: keystone-fernet-keys
17 17
18 ldap:
19 enabled: false
20 url: ldap://changeme
21 user: "dc=Manager,dc=example,dc=com"
22 suffix: "dc=example,dc=com"
23
24 tls:
25 enabled: false
26 tls_req_cert: demand
27
28 user_tree_dn: "ou=Users,dc=example,dc=com"
29 user_objectclass: inetOrgPerson
30
31 group_tree_dn: "ou=Groups,dc=example,dc=com"
32 group_objectclass: groupOfNames
33
18 notifications: 34 notifications:
19 enable: false 35 enable: false
20 # format can be basic or cadf: 36 # format can be basic or cadf:
@@ -33,6 +49,10 @@ secret_configs:
33 credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8=" 49 credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
34 encrypt_tokens_in_memcached: 50 encrypt_tokens_in_memcached:
35 secret_key: password 51 secret_key: password
52 ldap:
53 password: changeme
54 tls:
55 cacert: null
36 56
37 openstack: 57 openstack:
38 user_password: password 58 user_password: password
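Review bot: The new `tls.enabled: false` default combined with a plain `ldap://` URL means the bind DN from `ldap.user` and the password from `secret_configs.ldap.password` are sent to the directory unencrypted; a comment above the `tls:` block should say so, e.g. `# with enabled: false the bind credentials travel in clear unless url is ldaps://`. Keystone presumably rejects `use_tls` together with an `ldaps://` URL, so the same comment should tell deployers to pick one of the two mechanisms. `tls_req_cert: demand` is the right default; a comment noting that `allow` and `never` disable server certificate verification would keep it from being relaxed casually. The `password: changeme` placeholder is inert while `ldap.enabled` is false, but deserves a `# must be overridden when ldap.enabled is true` comment.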
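--- a/service/files/keystone.conf.j2
+++ b/service/files/keystone.conf.j2
@@ -26,6 +26,9 @@ provider = fernet
 [assignment]
 driver = sql
 
+[identity]
+domain_specific_drivers_enabled = true
+
 {% if keystone.notifications.enable %}
 [oslo_messaging_notifications]
 driver = messagingv2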
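Review bot: `domain_specific_drivers_enabled = true` is emitted unconditionally, and the directory keystone scans for domain configs is left at its default rather than stated, so the coupling with `/etc/keystone/domains` (created in the Dockerfile and used as the mount path in service/keystone.yaml) is implicit. Suggest adding `domain_config_dir = /etc/keystone/domains` under `[identity]` so the three places agree explicitly, and optionally wrapping the section in `{% if keystone.ldap.enabled %}` so deployments without LDAP keep the previous identity behaviour.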
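--- /dev/null
+++ b/service/files/keystone.ldap.cacert.j2
@@ -0,0 +1 @@
+{{ keystone.ldap.tls.cacert }}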
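Review bot: With the default `cacert: null` from defaults.yaml, Jinja renders this template as the literal string `None`, so an operator who sets `tls.enabled: true` without supplying a CA gets a PEM file containing `None` and a TLS failure whose cause is not obvious. The failure is in the safe direction (no connection without a verifiable CA), but a comment above the line such as `{# PEM CA bundle for the LDAP server; required when keystone.ldap.tls.enabled is true #}` would make the requirement visible where the file is produced.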
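--- /dev/null
+++ b/service/files/keystone.ldap.conf.j2
@@ -0,0 +1,18 @@
+[identity]
+driver = ldap
+
+[ldap]
+url = {{ keystone.ldap.url }}
+user = {{ keystone.ldap.user }}
+password = {{ keystone.ldap.password }}
+suffix = {{ keystone.ldap.suffix }}
+
+use_tls = {{ keystone.ldap.tls.enabled }}
+tls_req_cert = {{ keystone.ldap.tls.tls_req_cert }}
+tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem
+
+user_tree_dn = {{ keystone.ldap.user_tree_dn }}
+user_objectclass = {{ keystone.ldap.user_objectclass }}
+
+group_tree_dn = {{ keystone.ldap.group_tree_dn }}
+group_objectclass = {{ keystone.ldap.group_objectclass }}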
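Review bot: The rendered file carries the LDAP bind password in cleartext (`password = {{ keystone.ldap.password }}`), so the `keystone-ldap-conf` entry in service/keystone.yaml should get the same restrictive file mode the existing secret-bearing files use, if the `files:` schema allows one; a `# contains the bind password - treat as a secret` comment at the top of the template would record that. oslo.config performs `$name` substitution inside values, so a bind password containing `$` would presumably be mangled unless written as `$$`; a short note next to the `password` line is warranted. Keystone selects this file by name as `keystone.<domain>.conf`, which must match the domain created by the `keystone-create-ldap-domain` job, so suggest `# domain name is derived from this file name: keystone.<domain>.conf` at the top.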
diff --git a/service/keystone.yaml b/service/keystone.yaml
index 91a2d68..f8227d9 100644
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -79,6 +79,12 @@ service:
79 # {%- endif %} 79 # {%- endif %}
80 files: 80 files:
81 - keystone-conf 81 - keystone-conf
82 # {% if keystone.ldap.enabled %}
83 - keystone-ldap-conf
84 # {% if keystone.ldap.tls.enabled %}
85 - keystone-ldap-cacert
86 # {% endif %}
87 # {% endif %}
82 - wsgi-keystone-conf 88 - wsgi-keystone-conf
83 - credential-key 89 - credential-key
84 # {% if keystone.tls.enabled %} 90 # {% if keystone.tls.enabled %}
@@ -99,6 +105,11 @@ service:
99 - name: keystone-create-admin-role 105 - name: keystone-create-admin-role
100 type: single 106 type: single
101 command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default 107 command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
108 # {% if keystone.ldap.enabled %}
109 - name: keystone-create-ldap-domain
110 type: single
111 command: openstack domain create ldap
112 # {% endif %}
102 113
103 # {% if keystone.tls.enabled %} 114 # {% if keystone.tls.enabled %}
104 - name: nginx-keystone 115 - name: nginx-keystone
@@ -116,6 +127,12 @@ files:
116 keystone-conf: 127 keystone-conf:
117 path: /etc/keystone/keystone.conf 128 path: /etc/keystone/keystone.conf
118 content: keystone.conf.j2 129 content: keystone.conf.j2
130 keystone-ldap-conf:
131 path: /etc/keystone/domains/keystone.ldap.conf
132 content: keystone.ldap.conf.j2
133 keystone-ldap-cacert:
134 path: /etc/keystone/ldap_tls_cacert.pem
135 content: keystone.ldap.cacert.j2
119 wsgi-keystone-conf: 136 wsgi-keystone-conf:
120 path: /etc/apache2/conf-enabled/wsgi-keystone.conf 137 path: /etc/apache2/conf-enabled/wsgi-keystone.conf
121 content: wsgi-keystone.conf.j2 138 content: wsgi-keystone.conf.j2
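Review bot: The `keystone-create-ldap-domain` job runs `openstack domain create ldap`, which fails once the domain already exists, so re-running the job after a partial deployment presumably breaks; `openstack domain create --or-show ldap` (if the client in the image supports it) or an explicit existence check would make it idempotent. The domain name `ldap` is also what keystone uses to select the domain-specific file `keystone.ldap.conf` mounted at `/etc/keystone/domains` by the `keystone-ldap-conf` entry in this section, so a comment on the job line, `# domain name must match keystone.<domain>.conf in /etc/keystone/domains`, would keep the two from drifting apart. The `files:` list and the job list both continue outside the hunks shown.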