Commit Graph

75 Commits

Author SHA1 Message Date
Andrew Bonney 2ed76dee5d oidc: fix overloading of redirect_uri for cli client
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.

As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.

Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
2023-10-20 14:04:31 +01:00
Andrew Bonney b54478e7e1 oidc: fix recognition of x forwarded headers from v2.4.11
The Apache mod_auth_openidc requires explicit configuration in
order to read the X-Forwarded-Proto from the reverse proxy as
of version v2.4.11 which comes in from Ubuntu Jammy.

Eventually this will need to become the default and the
variable added in this patch can be removed.

Change-Id: Ic9d37a8463d137508d20de20b10af806a223f852
2023-09-29 08:24:16 +00:00
Damian Dabrowski 6661a9dab7 Rename keystone_ssl to keystone_backend_ssl
To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
2023-04-08 12:53:10 +00:00
OpenStack Release Bot d83b32adca Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I83fbde781bbedd6e84f2ff1b1136b4558bf1da00
2022-12-13 13:15:56 +00:00
Dmitriy Rabotyagov 0a24c61e3e Improve way of cache backend selection
At the moment we don't provide any option other than using the memcached
backend. With that we also hardcode the list of packages that should be
installed inside the virtualenv for the selected backend.

Adding the bmemcached requirement to oslo_cache.memcache_pool [1] gives us
the opportunity to refactor this bit of deployment and allows us to be more
flexible in backend selection and requirements installation for it.

[1] https://review.opendev.org/c/openstack/oslo.cache/+/854628

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/858981/4
Change-Id: I2810208301fb31eeeabf31e4b38add7f8aa3e00b
2022-09-23 10:49:09 +02:00
Kevin Carter 3928511919 Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using
only uWSGI, which eliminates Apache and all of its dependencies from the
environment. While this capability is not as feature rich as the apache
based deployment, which is still the default, it does offer a significant
reduction in process overhead targeting minimal deployment use cases;
for deployments which do not need or want advanced keystone features
this is a huge benefit.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
2022-09-08 14:35:49 -05:00
Jonathan Rosser 14a2bd072c Migrate ssl certificate generation to the PKI role
This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.

This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.

A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
2022-03-10 09:58:39 +00:00
Dmitriy Rabotyagov cb7eaa7ce3 Use uwsgi role for keystone
Instead of having own implementation of uwsgi, use common role.

This allows us to reduce the code to maintain and eases
providing fixes and features to the uwsgi deployment code.

Change-Id: I2dc9c749c37e41959da2403fab7512ab17b859e4
2022-02-09 12:10:18 +02:00
Jonathan Rosser 7424f8f69a Remove legacy db pooling variables
Change-Id: I54edc22032950f640d824bb8baf170d3599d0f4b
2022-02-01 04:12:55 -05:00
Andrew Bonney dfa253d72c Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
2022-01-10 13:49:45 +00:00
Damian Dabrowski b36b942aed Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ia507320ca552ec60d893e398ad7f68d4283539be
2021-12-03 16:54:38 +01:00
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify the code and reduce the maintenance effort needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Georgina 9a4fd9dcfc Fix oidc scope misspelling in newer releases
A follow on from I8a1d7e8d31b43b70de062d5bbf2f648c71014af0.
Remove ability to use incorrect spelling in future releases.

Change-Id: If27c04ba5ce509a30fe2af2a56771cc1a12dbe9d
2021-07-22 10:04:54 +00:00
Andreas Jaeger 209dda107f Use newer openstackdocstheme and reno versions
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Change-Id: Iecbe3fa0e8cafb7a69d398d2bb039693c7d24957
2020-06-03 19:57:43 +02:00
OpenStack Release Bot 62aa03a247 Update master for stable/ussuri
Add file to the reno documentation build to show release notes for
stable/ussuri.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.

Change-Id: I35d0841dd643d46e91ad44654897a4a7a2d76ea2
Sem-Ver: feature
2020-06-01 13:15:15 +00:00
Andreas Jaeger bcdf63a48b Update docstheme for style
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is using now Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

Change-Id: I9a8e5558cc159fe476a32c905cde19c7fb7d7099
2020-05-20 18:49:15 +02:00
Andreas Jaeger 9f264efe3b Cleanup py27 support
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Cleanup */source/conf.py to remove now obsolete content.

Change-Id: I601d900d4c34565e08d121f4100ebd3b1140b991
2020-04-22 13:51:52 +02:00
Georgina 47fe909d54 Federated openid support using auth_mod_openidc
This patch adds support for using mod_auth_openidc instead of shibboleth for
supporting users who have a preference to use oidc for federation. A new
variable called apache_mod is added to keystone_sp allowing the auth library
to be selected. If left undefined shibboleth auth module will continue to be
installed by default maintaining backward compatibility.

This patch does not support simultaneous use of shibboleth and mod_auth_openidc
primarily because shib2 depends on libcurl3 but mod_auth_openidc depends on
libcurl4 which cannot coexist on Ubuntu. This can be resolved when there is a
shib3 package available in a future release of Ubuntu.

Change-Id: I80031f7d3f0fcc2029cd6861dcb6687e8a9f0a2e
2020-01-31 11:28:38 +00:00
Dmitriy Rabotyagov 633405db12 Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from the old path was enabled.
Also we change upper constraints url due to [1]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Depends-On: https://review.opendev.org/693841/
Change-Id: I960e6ce75e9106f340b32d355949db31d907b3cc
2019-11-14 17:39:38 +00:00
OpenStack Release Bot 1c127d4bdb Update master for stable/train
Add file to the reno documentation build to show release notes for
stable/train.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.

Change-Id: Ifd8157a8f959a5e8475be6b411c83b165ad4e9ea
Sem-Ver: feature
2019-10-22 18:59:21 +00:00
Jonathan Rosser 254811b184 Add application credentials as a default authentication method
Change-Id: I3fd50b45ad0f7cb0f7ee0d9eb70053c04e5d721f
2019-10-01 21:28:48 +01:00
Zuul 1f9b55cbc5 Merge "Replacing the HTTP protocol with HTTPS in jobs.yaml." 2019-04-24 20:15:02 +00:00
OpenStack Release Bot c8f6655eb1 Update master for stable/stein
Add file to the reno documentation build to show release notes for
stable/stein.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.

Change-Id: I6e54970c514acdd618e873c688f6499d71cb238c
Sem-Ver: feature
2019-04-08 09:19:09 +00:00
weiyj 87b3926ed1 spelling error
Change-Id: I2ef0bb22d095b7eaed9b95a97668bcafa588252f
2018-12-31 14:52:53 +08:00
Matthew Thode 599727704a Force force-tlsv12 only
Secure by default

Change-Id: I8e1e26291be2a5d2b3153a853c21965d54eac3e9
2018-12-06 10:22:23 -06:00
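The two TLS commits in this log ("Adjust default configuration to support TLS v1.3", which introduces a separate variable for TLS 1.3 cipher suites, and "Force force-tlsv12 only" below) both turn on a point that is easy to get wrong: the TLS 1.2 cipher string and the TLS 1.3 suite list are configured independently, so restricting one says nothing about the other. The following is an added example, not code from the os_keystone role or from either commit. It builds a server-side context with Python's `ssl` module, pins the minimum version to TLS 1.2, applies an illustrative (assumed, not the role's default) TLS 1.2 cipher string, and then reports what OpenSSL actually enabled per protocol version, which is how you would confirm that a deployed setting behaves as intended.

```python
"""Inspect which cipher suites a TLS 1.2+ server context really enables.

Added example; not part of openstack-ansible or mod_ssl configuration.
The cipher string below is an assumption chosen for illustration.
"""
import ssl
from typing import Dict, List

# Assumed TLS 1.2 cipher string: forward-secret AEAD suites only.
# TLS 1.3 suites are NOT selected by this string; OpenSSL keeps them in a
# separate list (the equivalent of Apache's SSLCipherSuite TLSv1.3 ...).
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

# Substrings that should never appear in an enabled cipher name.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "PSK", "SRP", "ADH")


def build_server_context() -> ssl.SSLContext:
    """Server context: TLS 1.2 as the floor, restricted TLS 1.2 cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent in spirit to 'SSLProtocol -all +TLSv1.2 +TLSv1.3'.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def enabled_ciphers_by_protocol(ctx: ssl.SSLContext) -> Dict[str, List[str]]:
    """Group the suites OpenSSL will offer by the protocol version they belong to.

    Any 'TLSv1.3' entries returned here were enabled regardless of
    TLS12_CIPHERS, which is the point the separate variable addresses.
    """
    grouped: Dict[str, List[str]] = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that match a known-weak marker (expect none)."""
    return [
        cipher["name"]
        for cipher in ctx.get_ciphers()
        if any(marker in cipher["name"] for marker in WEAK_MARKERS)
    ]


def legacy_versions_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    context = build_server_context()
    print("legacy versions allowed:", legacy_versions_allowed(context))
    print("weak suites enabled:", weak_ciphers(context))
    for proto, names in sorted(enabled_ciphers_by_protocol(context).items()):
        print(f"{proto}: {', '.join(names)}")
```

Run it and note that the `TLSv1.3` group is populated even though `TLS12_CIPHERS` names no TLS 1.3 suite: that list is governed separately, which is why a deployment that wants to restrict TLS 1.3 suites needs its own setting rather than an edit to the TLS 1.2 cipher string.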
zhouxinyong dbe134ea15 Replacing the HTTP protocol with HTTPS in jobs.yaml.
Change-Id: I2c56d6f94711894a34709f50f5e9cb4ffb5cb688
2018-11-14 00:47:31 +08:00
Jean-Philippe Evrard 6f8dca7f7d Fix typo in release note
That typo was wrongly fixed into OSA reno, instead of fixing it
in the role.

This should fix things.

Change-Id: I3876209f37a4a1f2569900a296d5c1264061c914
2018-10-27 16:08:21 +02:00
Jimmy McCrory d638110970 Remove keystone service user
The keystone service user is never used by the keystone service. Remove
the tasks creating it and related variables.

Change-Id: Iede26cba97ab43cdd0abc3887883e61d40007b34
2018-10-18 09:56:05 -07:00
Francois Deppierraz a4e5138027 releasenotes: oslo-messaging-separate-backends add project name
Without this patch, the release notes published at
https://docs.openstack.org/releasenotes/openstack-ansible/rocky.html contain
the same line multiple times, which is not very clear.

[...]
    Support separate oslo.messaging services for RPC and Notifications
    to enable operation of separate and different messaging backend servers.

    Support separate oslo.messaging services for RPC and Notifications
    to enable operation of separate and different messaging backend servers.
[...]

Change-Id: I0ed1a43670d97f2e2215d04c641f7bd4cfbe4f44
2018-10-15 16:57:13 +02:00
OpenStack Release Bot 88051cb3fb Update reno for stable/rocky
Change-Id: I895f9a25bb5dc30ab7e295f9708c87ca9ab37259
2018-08-10 16:47:10 +00:00
Kevin Carter ac9d598d33 Add systemd journal logging to the service config
The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.

OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>

Change-Id: I943bd5f1ac767f83d853cee09a5857f6f9f0efff
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-26 16:01:29 +00:00
Jesse Pretorius 67bf87f330 Execute service setup against a delegated host using Ansible built-in modules
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.

The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.

With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.

Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Depends-On: https://review.openstack.org/580156
Change-Id: I8f193d5f6f1f6020b23a4c4eebf3ad537d61e0b7
2018-07-13 19:01:59 +00:00
Jesse Pretorius f88841f37f Use correct variable for sso_callback_template deployment
The sso_callback_template file needs to be deployed for a
Keystone SP, not IDP. This patch fixes the conditional.

Closes-Bug: #1772772
Change-Id: I420e291807434382b4d3cd4c8809c7540a419f5a
2018-06-05 18:50:14 +01:00
Andrew Smith 2b7eb22a89 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters
replace the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be
transparent to the keystone service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Update transport_url generation
* Update examples
* Add oslo.messaging to inventory
* Add release note

Depends-On: If4326a6848d2d32af284fdbb94798eb0b03734d5
Depends-On: I2b09145b60116c029fc85477399c24f94974b61d
Change-Id: I8d5b09dd0cb905e0dee40e260efbfeff1da180ce
2018-05-23 11:57:27 -04:00
Markos Chandras 1460a23423 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Depends-On: I5a78e2120e596d36629b4ba978b2b5df76b149b0
Depends-On: Ib64dcbc960df7d369d202ce8cf7bdc29b3ee0e0a
Depends-On: Id9dd2dea146709414ab9ce8d439f1587e6776fd4
Depends-On: I2ba89e25c0010c9a5b515a3d0c9c731b30876e74
Depends-On: I0442b0aa94c3d0882d1118ad0c824d123bd21c88
Change-Id: I26848678dd07a409ef3e159cffb4ba6f0a228ab4
Implements: blueprint openstack-distribution-packages
2018-05-14 13:13:41 +01:00
Jesse Pretorius 8367e44230 Use the venv contents instead of a git source for templates
When deploying the base templates for api-paste, policy files
and other files which are included in the service git source,
we now use the venv files instead of requiring access to a
git source and a complex set of lookups and variable
implementations.

This is simpler and more cross-series, and works from Queens
due to the related bug's patches.

Change-Id: I6a4e2514e66b15b2ae227e62b6dc9ae1a50a4fbd
Related-Bug: #1718356
2018-04-03 09:53:34 +01:00
OpenStack Release Bot d97e6b3ca3 Update reno for stable/queens
Change-Id: I7df240ab185d32a53bd25c1ed9f43630447230d2
2018-02-14 15:46:32 +00:00
Jean-Philippe Evrard ab66ca247e Fix memcache caching w/ multiple cache servers
We found a bug recently where either oslo.cache or python-memcached
isn't using the `backend_argument` properly with more than one
memcached server defined. Until we get the memcached client libraries
figured out, `memcache_servers` works just the same for a single
memcached instance and it works defined with a ring of memcached
instances.

The current variable used for the directive memcache_servers was
pointing to localhost servers, that were historically used for
UUID token cache. Only the ``keystone_cache_backend_argument``
has the right list of servers, but the variable's content is
already formatted to match the cache_backend_argument directive,
and therefore needs editing to be used in ``memcache_servers``.

This is far too fragile, and simplification was needed. This
patch moves to a new variable (with a graceful deprecation
cycle), ``keystone_cache_servers``, a simple list containing the
servers.

The variable ``keystone_memcached_max_compare_and_set_retry``
wasn't used and was therefore removed too.

Related-Bug: 1743036
Closes-Bug: 1681695
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Change-Id: I85ebce8b41dd440e1866a08aa1329b3df798c04f
2018-01-29 09:40:12 +00:00
Andreas Jaeger b1467933c4 Remove setting of version/release from releasenotes
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.

Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.

This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.

Change-Id: Ifd60c0793970e1df3f3f99bc33fc972758da40b1
2017-11-17 07:58:53 +01:00
Matthew Thode 81a28142a0 Add security headers to web accessible services.
Adds the following headers as static:

    X-Content-Type-Options "nosniff"
    X-XSS-Protection "1; mode=block"
    append Content-Security-Policy "default-src 'self' https: wss:;"

nosniff prevents non-executable MIME types from becoming executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an xss attack.  The Content-Security-Policy declares
what dynamic resources are allowed to load.

Adds the following header as user-settable via the
keystone_x_frame_options variable.

    X-Frame-Options "DENY"

By default the X-Frame-Options header denies embedding in an iframe.

Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
2017-10-22 03:01:16 +00:00
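The commit above lists the response headers it adds and what each is meant to prevent. What a practitioner wants next is a way to confirm, against a real endpoint, that the headers actually arrive with the expected values and that the appended Content-Security-Policy was not overwritten by a later directive. The following is an added example, not code from the os_keystone role or from the commit. It parses a raw HTTP/1.1 response, collects repeated headers in order rather than keeping only the last, and audits them against the values quoted in the commit message. The two sample responses are constructed for illustration, not captured from a deployment.

```python
"""Audit an HTTP response for the hardening headers described in the commit.

Added example; not part of openstack-ansible. Sample responses are constructed.
"""
from typing import Dict, List, Tuple

# Expected values copied from the commit message. X-Frame-Options is
# deployer-configurable there via keystone_x_frame_options; DENY is its default.
EXPECTED_HEADERS: Dict[str, str] = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "DENY",
}


def parse_response_headers(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status line, headers).

    Header names are lower-cased. Repeated headers (for example an appended
    Content-Security-Policy) are kept in order instead of being overwritten,
    so a policy that was later weakened by a second header is still visible.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def csp_allows_only_self_and_tls(policy: str) -> bool:
    """True if default-src permits only 'self' and TLS schemes (https:, wss:)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "default-src":
            return all(src in ("'self'", "https:", "wss:") for src in parts[1:])
    return False  # no default-src at all: nothing is restricted


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for missing or weakened headers; empty means all good."""
    findings: List[str] = []
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif values[-1].lower() != expected.lower():
            # The last occurrence is what most browsers honour for these headers.
            findings.append(f"{name} is {values[-1]!r}, expected {expected!r}")
    csp_values = headers.get("content-security-policy", [])
    if not csp_values:
        findings.append("missing content-security-policy")
    elif not all(csp_allows_only_self_and_tls(v) for v in csp_values):
        # Every CSP header is enforced; one permissive policy still weakens nothing
        # in the browser, but its presence signals a misconfigured proxy chain.
        findings.append("content-security-policy default-src permits non-TLS or third-party sources")
    return findings


def audit_raw(raw: bytes) -> List[str]:
    """Parse then audit a raw response."""
    _status, headers = parse_response_headers(raw)
    return audit_headers(headers)


# Constructed sample: headers exactly as the commit describes.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: default-src 'self' https: wss:;\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b'{"versions": {}}'
)

# Constructed sample: two headers absent, two weakened by an intermediary.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Frame-Options: ALLOWALL\r\n"
    b"Content-Security-Policy: default-src * http:;\r\n"
    b"\r\n"
    b'{"versions": {}}'
)

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_raw(sample) or ["ok"])
```

Two caveats when using this against a live Keystone: read the response through the same path users take (load balancer and reverse proxy included), since a proxy can strip or override what Apache sets; and treat `X-XSS-Protection` as legacy, because current Chromium and Edge releases have removed the XSS auditor it controlled and Firefox never implemented it, so the Content-Security-Policy header is the control that actually does the work today.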
Jesse Pretorius 46931b172c Initial OSA zuul v3 role jobs
This patch implements an initial set of jobs intended to match
the current job execution method. It does not intend to improve
how the jobs are executed - only to replicate what is currently
in openstack-infra/openstack-zuul-jobs and provide the platform
to iterate on.

Change-Id: Ic04b7e658e7755c8e66e47a84442a5f3c791fa78
2017-10-18 11:21:52 +00:00
OpenStack Release Bot 4258fadedc Update reno for stable/pike
Change-Id: I7add8b8d439d02ea70d5cf96fa51db6cbcd65dca
2017-08-21 10:31:49 +01:00
Major Hayden 08f879649b Add extra headers for Keystone
This patch allows deployers to add arbitrary headers to Keystone
responses. This can be handy for CORS or for passing certain
headers through nginx to the requester.

Closes-Bug: 1695827
Change-Id: I8f838ecce118cb36081b98f483ddef465ddbae3f
2017-08-17 14:44:44 -05:00
ZhongShengping 6241f5e6c6 Fix openstackdocstheme settings
To use openstackdocstheme 1.11.0 properly, this patch fixes
some settings according to follow[0].

[0]https://docs.openstack.org/openstackdocstheme/latest/

Change-Id: Ifec7dc5ac514bac099d2e48f8bae4a3f4b134ef4
2017-07-03 16:18:03 +08:00
Jesse Pretorius 84af640aa0 Switch to using Nginx/uWSGI by default
This patch implements the use of uWSGI exclusively,
always with a web server acting as a reverse proxy.
It removes the option of using uWSGI with Apache
and mod_wsgi.

In the case of Keystone being used in a Federated
Service Provider configuration, it will use Apache
as the web server but for all other environments
it will use Nginx instead.

Change-Id: If6e95fc0d3f7d34780db1aed2b8cedca87499934
2017-06-29 16:42:36 +00:00
ZhongShengping 40c91b5c29 Switch from oslosphinx to openstackdocstheme
As part of the docs migration work[0] for Pike we need to switch to use the
openstackdocstheme.

[0]https://review.openstack.org/#/c/472275/

Change-Id: I140c31bf00c5b807248adb08c62db3de5d5b7a19
2017-06-26 11:35:28 +08:00
ZhongShengping 0b24181253 Deprecate rpc_backend option
Option "rpc_backend" from group "DEFAULT" is deprecated for removal
(Replaced by [DEFAULT]/transport_url). Its value may be silently
ignored in the future.

Change-Id: Ib9adcd5e9fe058a4780505000ab9fbffe7df638f
Implements: blueprint deprecate-rpc-backend
2017-06-17 11:49:07 +00:00
ArchiFleKs c0b5e8c90a Bootstrap Keystone with versionless endpoints
Change-Id: Id88657f2abb4bd0741751a6cf035d93ad62bc310
Depends-On: I8fce922e2907584138a132f37887f227eabe9abe
Partial-Bug: #1688320
2017-05-16 16:29:37 +02:00
Jesse Pretorius 16e93acc66 Rename release note to unique hash
Change-Id: If6db59a60a03ef39a61a4cfcb49c9fd551636df7
2017-04-28 11:39:09 +01:00
Jesse Pretorius fc0ae60d81 Reduce init restart/kill times
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.

The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.

These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.

Change-Id: I66594554d7444ef5fb0ff30f0382815aeffa4bfb
2017-04-26 13:07:28 +00:00