Multidomains support

Support for creating multiple Keystone LDAP domains was added for MOS 8.0.

Change-Id: Ie082cfa8b5e3b5478362335b125eccb12308efed
Maksym Yatsenko 2016-03-14 16:52:55 +02:00
parent 8dd63cf88c
commit c410425b57
6 changed files with 242 additions and 87 deletions


@ -0,0 +1,25 @@
module Puppet::Parser::Functions
newfunction(:parse_it, :type => :rvalue, :doc => <<-EOS
This function parses text area, create hash and returns values
for keystone domain creation
EOS
) do |args|
param_hash = {}
cert_chain = args[0].slice!(/^(ca_chain=-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$/)
if cert_chain
splited_cert_chain = cert_chain.split('=',2)
param_hash[splited_cert_chain[0]] = splited_cert_chain[1]
end
splited_text = args[0].split("\n")
splited_text.each do |item|
splited_line = item.split('=',2)
param_hash[splited_line[0]] = splited_line[1]
end
return param_hash
end
end
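Review bot: Each value produced by the `splited_text.each` loop keeps whatever trailing whitespace the line carried, so if the textarea is submitted with CRLF line endings every value except the last one (`url`, `user`, `password`, `domain`) ends in `\r` and is written unchanged into the keystone domain config. Split on `/\r?\n/` and strip both halves, e.g. `splited_text = args[0].split(/\r?\n/)` and `param_hash[splited_line[0].strip] = splited_line[1].strip if splited_line.size == 2`, which also stops blank lines from adding a `nil => nil` entry. `slice!` mutates the caller's string in place; working on `args[0].dup` keeps the function side-effect free. Nothing checks that a `domain` key was present, so a malformed block is passed on with that key missing rather than failing here; raising `Puppet::ParseError` at that point would surface the mistake at compile time.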


@ -2,13 +2,13 @@ class plugin_ldap::controller {
include ::apache::params
$management_vip = hiera('management_vip')
$management_vip = hiera('management_vip')
## if AD is used, in order to properly display if account is enabled or disabled
## additional parameters need to be set.
## additional parameters should be set.
if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
$user_enabled_default = 512
$user_enabled_mask = 2
$user_enabled_mask = 2
}
$identity_driver = 'keystone.identity.backends.ldap.Identity'
@ -24,6 +24,7 @@ class plugin_ldap::controller {
$user_name_attribute = $::fuel_settings['ldap']['user_name_attribute']
$user_pass_attribute = $::fuel_settings['ldap']['user_pass_attribute']
$user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
$additional_domains = $::fuel_settings['ldap']['additional_domains']
$user_allow_create = false
$user_allow_update = false
@ -43,28 +44,7 @@ class plugin_ldap::controller {
$domain = $::fuel_settings['ldap']['domain']
$use_tls = $::fuel_settings['ldap']['use_tls']
if $use_tls {
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
$cacertfile = '/usr/local/share/ca-certificates/cacert-ldap.crt'
if $ca_chain {
$tls_cacertdir = '/etc/ssl/certs'
}
else {
$tls_cacertdir = ''
}
if $ca_chain {
file { $cacertfile:
ensure => file,
mode => 0644,
content => $ca_chain,
}
~>
exec { '/usr/sbin/update-ca-certificates': }
}
}
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
file { '/etc/keystone/domains':
ensure => 'directory',
@ -73,81 +53,75 @@ class plugin_ldap::controller {
mode => '755',
}
file { "/etc/keystone/domains/keystone.${domain}.conf":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '644',
require => File['/etc/keystone/domains'],
}
File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
keystone_config {
"identity/domain_specific_drivers_enabled": value => 'True';
}
Keystone_config {
provider => 'ini_setting_domain',
plugin_ldap::keystone {$domain:
domain => $domain,
identity_driver => $identity_driver,
url => $url,
use_tls => $use_tls,
ca_chain => $ca_chain,
suffix => $suffix,
user => $user,
password => $password,
query_scope => $query_scope,
user_tree_dn => $user_tree_dn,
user_filter => $user_filter,
user_objectclass => $user_objectclass,
user_id_attribute => $user_id_attribute,
user_name_attribute => $user_name_attribute,
user_pass_attribute => $user_pass_attribute,
user_enabled_attribute => $user_enabled_attribute,
user_enabled_default => $user_enabled_default,
user_enabled_mask => $user_enabled_mask,
user_allow_create => $user_allow_create,
user_allow_update => $user_allow_update,
user_allow_delete => $user_allow_delete,
group_tree_dn => $group_tree_dn,
group_filter => $group_filter,
group_objectclass => $group_objectclass,
group_id_attribute => $group_id_attribute,
group_name_attribute => $group_name_attribute,
group_member_attribute => $group_member_attribute,
group_desc_attribute => $group_desc_attribute,
group_allow_create => $group_allow_create,
group_allow_update => $group_allow_update,
group_allow_delete => $group_allow_delete,
}
keystone_config {
"${domain}/identity/driver": value => $identity_driver;
"${domain}/ldap/url": value => $url;
"${domain}/ldap/use_tls": value => $use_tls;
"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;
"${domain}/ldap/suffix": value => $suffix;
"${domain}/ldap/user": value => $user;
"${domain}/ldap/password": value => $password;
"${domain}/ldap/query_scope": value => $query_scope;
"${domain}/ldap/user_tree_dn": value => $user_tree_dn;
"${domain}/ldap/user_filter": value => $user_filter;
"${domain}/ldap/user_objectclass": value => $user_objectclass;
"${domain}/ldap/user_id_attribute": value => $user_id_attribute;
"${domain}/ldap/user_name_attribute": value => $user_name_attribute;
"${domain}/ldap/user_pass_attribute": value => $user_pass_attribute;
"${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
"${domain}/ldap/user_enabled_default": value => $user_enabled_default;
"${domain}/ldap/user_enabled_mask": value => $user_enabled_mask;
"${domain}/ldap/user_allow_create": value => $user_allow_create;
"${domain}/ldap/user_allow_update": value => $user_allow_update;
"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
"${domain}/ldap/group_tree_dn": value => $group_tree_dn;
"${domain}/ldap/group_filter": value => $group_filter;
"${domain}/ldap/group_objectclass": value => $group_objectclass;
"${domain}/ldap/group_id_attribute": value => $group_id_attribute;
"${domain}/ldap/group_name_attribute": value => $group_name_attribute;
"${domain}/ldap/group_member_attribute": value => $group_member_attribute;
"${domain}/ldap/group_desc_attribute": value => $group_desc_attribute;
"${domain}/ldap/group_allow_create": value => $group_allow_create;
"${domain}/ldap/group_allow_update": value => $group_allow_update;
"${domain}/ldap/group_allow_delete": value => $group_allow_delete;
} ~>
Plugin_ldap::Keystone<||> ~>
service { 'httpd':
name => "$apache::params::service_name",
ensure => running,
name => "$apache::params::service_name",
ensure => running,
}
keystone_domain { "${domain}":
ensure => present,
enabled => true,
#Create domains using info from text area 'List of additional Domains'
if $additional_domains {
$domains_list = split($additional_domains, '^$')
plugin_ldap::multiple_domain { $domains_list:
identity_driver => $identity_driver,
}
}
file_line { 'OPENSTACK_KEYSTONE_URL':
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
match => "^OPENSTACK_KEYSTONE_URL = .*$",
} ~> Service ['httpd']
}
file_line { 'OPENSTACK_API_VERSIONS':
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
match => "^# OPENSTACK_API_VERSIONS = {.*$",
} ~> Service ['httpd']
}
file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
path => '/etc/openstack-dashboard/local_settings.py',
line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
} ~> Service ['httpd']
}
File_line<||> ~> Service ['httpd']
}
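Review bot: `split($additional_domains, '^$')` in the new `if $additional_domains` block only splits on a line that is completely empty, so a separator line carrying a `\r` (CRLF textarea input) or a stray space does not split at all; the whole textarea then becomes a single block and `parse_it` keeps only the last value for each repeated key, so one domain is created with settings silently mixed from several blocks. A tolerant delimiter such as `$domains_list = split($additional_domains, '^\s*$')` avoids that. The rest of the class body is unchanged in this hunk and the `plugin_ldap::keystone` call for the primary domain is declared before the loop, so a block whose `domain=` equals `$domain` will fail with a duplicate declaration rather than being caught by a clear message — worth a comment on the `additional_domains` field.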


@ -0,0 +1,110 @@
define plugin_ldap::keystone (
$domain = undef,
$identity_driver = undef,
$url = undef,
$use_tls = undef,
$ca_chain = undef,
$suffix = undef,
$user = undef,
$password = undef,
$query_scope = undef,
$user_tree_dn = undef,
$user_filter = undef,
$user_objectclass = undef,
$user_id_attribute = undef,
$user_name_attribute = undef,
$user_pass_attribute = undef,
$user_enabled_attribute = undef,
$user_enabled_default = undef,
$user_enabled_mask = undef,
$user_allow_create = undef,
$user_allow_update = undef,
$user_allow_delete = undef,
$group_tree_dn = undef,
$group_filter = undef,
$group_objectclass = undef,
$group_id_attribute = undef,
$group_name_attribute = undef,
$group_member_attribute = undef,
$group_desc_attribute = undef,
$group_allow_create = undef,
$group_allow_update = undef,
$group_allow_delete = undef,
){
if $use_tls {
$cacertfile = "/usr/local/share/ca-certificates/cacert-ldap-${domain}.crt"
if $ca_chain {
$tls_cacertdir = '/etc/ssl/certs'
}
else {
$tls_cacertdir = ''
}
if $ca_chain {
file { $cacertfile:
ensure => file,
mode => 0644,
content => $ca_chain,
}
~>
exec { "$domain" :
command => '/usr/sbin/update-ca-certificates'
}
}
}
file { "/etc/keystone/domains/keystone.${domain}.conf":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '644',
require => File['/etc/keystone/domains'],
}
File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
Keystone_config {
provider => 'ini_setting_domain',
}
keystone_config {
"${domain}/identity/driver": value => $identity_driver;
"${domain}/ldap/url": value => $url;
"${domain}/ldap/use_tls": value => $use_tls;
"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;
"${domain}/ldap/suffix": value => $suffix;
"${domain}/ldap/user": value => $user;
"${domain}/ldap/password": value => $password;
"${domain}/ldap/query_scope": value => $query_scope;
"${domain}/ldap/user_tree_dn": value => $user_tree_dn;
"${domain}/ldap/user_filter": value => $user_filter;
"${domain}/ldap/user_objectclass": value => $user_objectclass;
"${domain}/ldap/user_id_attribute": value => $user_id_attribute;
"${domain}/ldap/user_name_attribute": value => $user_name_attribute;
"${domain}/ldap/user_pass_attribute": value => $user_pass_attribute;
"${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
"${domain}/ldap/user_enabled_default": value => $user_enabled_default;
"${domain}/ldap/user_enabled_mask": value => $user_enabled_mask;
"${domain}/ldap/user_allow_create": value => $user_allow_create;
"${domain}/ldap/user_allow_update": value => $user_allow_update;
"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
"${domain}/ldap/group_tree_dn": value => $group_tree_dn;
"${domain}/ldap/group_filter": value => $group_filter;
"${domain}/ldap/group_objectclass": value => $group_objectclass;
"${domain}/ldap/group_id_attribute": value => $group_id_attribute;
"${domain}/ldap/group_name_attribute": value => $group_name_attribute;
"${domain}/ldap/group_member_attribute": value => $group_member_attribute;
"${domain}/ldap/group_desc_attribute": value => $group_desc_attribute;
"${domain}/ldap/group_allow_create": value => $group_allow_create;
"${domain}/ldap/group_allow_update": value => $group_allow_update;
"${domain}/ldap/group_allow_delete": value => $group_allow_delete;
}
keystone_domain { "${domain}":
ensure => present,
enabled => true,
}
}
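Review bot: The `file` resource for `/etc/keystone/domains/keystone.${domain}.conf` is created with `mode => '644'`, yet the `keystone_config` block below writes `${domain}/ldap/password`, the LDAP bind credential, into that same file, so it is readable by every local account on the controller. Tighten it to `mode => '0640'` with `group` set to the account the Keystone WSGI process runs as (presumably `keystone`; confirm on the target image). Separately, when this define is reached via `plugin_ldap::multiple_domain`, `$domain` comes from a free-form textarea and is interpolated unvalidated into two filesystem paths and the `exec` title, so a value containing `/` or `..` would place files outside `/etc/keystone/domains`; guard it at the top of the define with `if $domain !~ /^[A-Za-z0-9._-]+$/ { fail("invalid domain name: ${domain}") }`. The `exec` also lacks `refreshonly => true`, so `update-ca-certificates` runs on every agent run regardless of the `~>` notification.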


@ -0,0 +1,40 @@
define plugin_ldap::multiple_domain (
$domain_info = $title,
$identity_driver = undef
){
$domain_params_hash = parse_it($domain_info)
plugin_ldap::keystone { "$domain_params_hash['domain']" :
domain => $domain_params_hash['domain'],
identity_driver => $identity_driver,
url => $domain_params_hash['url'],
use_tls => $domain_params_hash['use_tls'],
ca_chain => $domain_params_hash['ca_chain'],
suffix => $domain_params_hash['suffix'],
user => $domain_params_hash['user'],
password => $domain_params_hash['password'],
query_scope => $domain_params_hash['query_scope'],
user_tree_dn => $domain_params_hash['user_tree_dn'],
user_filter => $domain_params_hash['user_filter'],
user_objectclass => $domain_params_hash['user_objectclass'],
user_id_attribute => $domain_params_hash['user_id_attribute'],
user_name_attribute => $domain_params_hash['user_name_attribute'],
user_pass_attribute => $domain_params_hash['user_pass_attribute'],
user_enabled_attribute => $domain_params_hash['user_enabled_attribute'],
user_enabled_default => $domain_params_hash['user_enabled_default'],
user_enabled_mask => $domain_params_hash['user_enabled_mask'],
user_allow_create => $domain_params_hash['user_allow_create'],
user_allow_update => $domain_params_hash['user_allow_update'],
user_allow_delete => $domain_params_hash['user_allow_delete'],
group_tree_dn => $domain_params_hash['group_tree_dn'],
group_filter => $domain_params_hash['group_filter'],
group_objectclass => $domain_params_hash['group_objectclass'],
group_id_attribute => $domain_params_hash['group_id_attribute'],
group_name_attribute => $domain_params_hash['group_name_attribute'],
group_member_attribute => $domain_params_hash['group_member_attribute'],
group_desc_attribute => $domain_params_hash['group_desc_attribute'],
group_allow_create => $domain_params_hash['group_allow_create'],
group_allow_update => $domain_params_hash['group_allow_update'],
group_allow_delete => $domain_params_hash['group_allow_delete'],
}
}
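Review bot: The resource title `"$domain_params_hash['domain']"` relies on unbraced interpolation of a hash access; if this runs on Puppet 3, only `$domain_params_hash` is interpolated and the literal text `['domain']` is appended, so the title becomes the hash's string form rather than the domain name — worth confirming with a `notice()` on a test node. Use the value directly, `plugin_ldap::keystone { $domain_params_hash['domain']:`, or the braced form `"${domain_params_hash['domain']}"`. Since every parameter is pulled from a hash built from free text, a block with a mistyped key silently becomes `undef` for that setting; a short check such as `if ! $domain_params_hash['domain'] { fail('additional domain block is missing domain=') }` would surface the most damaging case at compile time instead of producing a domain file with an empty name.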


@ -146,3 +146,9 @@ attributes:
description: 'LDAP attribute mapped to description.'
weight: 105
type: "text"
additional_domains:
type: "textarea"
weight: 110
value: ''
label: "List of additional Domains"
description: "Blocks of additional domains/parameters that should be created"
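Review bot: The `description` for `additional_domains` does not tell the operator the format the deployment code expects, which from the parsing side is one `key=value` per line, blocks separated by an empty line, and an optional multi-line `ca_chain=` PEM block. Spell it out, e.g. `description: "One block per extra Keystone domain: key=value lines (domain=, url=, user=, password=, ...), blocks separated by an empty line; ca_chain= may span multiple lines (PEM)."`. Because `password=` is entered here in clear text, the label or description should also warn that the LDAP bind password is kept in plaintext in the cluster settings.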


@ -1,16 +1,16 @@
name: ldap
title: LDAP plugin for Keystone
version: '1.0.0'
version: '2.0.0'
description: Enable to use LDAP authentication backend for Keystone
fuel_version: ['7.0']
fuel_version: ['8.0']
licenses: ['Apache License Version 2.0']
authors: ['Mirantis']
homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
groups: ['network']
releases:
- os: ubuntu
version: 2015.1-7.0
mode: ['ha', 'multinode']
version: liberty-8.0
mode: ['ha']
deployment_scripts_path: deployment_scripts/
repository_path: repositories/ubuntu
package_version: '3.0.0'