Fix token handling for keystone
In order to avoid errors when deploying multiple controller nodes, we need to deploy credential-tokens from data bags just like we already do for fernet-tokens. Otherwise each controller would use a different set of tokens generated locally. Drop the corresponding calls to keystone-manage, as they are a) not idempotent and b) generate files that are never used anyway.

Depends-On: Icf0a8f644ddbfa61bfef124a772663e8af4e1f16
Change-Id: Idabc34d101d9fb145a205acedf8f652ebec3ad9f
parent
7e9d7c9966
commit
7d8b8b5c27
@ -132,11 +132,21 @@ default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack'][
|
|||
# 'fernet_key0' and 'fernet_key1' will be read from the databag/vault
|
||||
# 'keystone).
|
||||
# For more information please read:
|
||||
# http://docs.openstack.org/admin-guide-cloud/keystone_fernet_token_faq.html
|
||||
# https://docs.openstack.org/keystone/queens/admin/identity-fernet-token-faq.html
|
||||
default['openstack']['identity']['fernet']['keys'] = [0, 1]
|
||||
default['openstack']['identity']['conf']['fernet_tokens']['key_repository'] =
|
||||
'/etc/keystone/fernet-tokens'
|
||||
|
||||
# Credential keys to read from databags/vaults. This should be changed in the
|
||||
# environment when rotating keys (with the defaults below, the items
|
||||
# 'credential_key0' and 'credential_key1' will be read from the databag/vault
|
||||
# 'keystone).
|
||||
# For more information please read:
|
||||
# https://docs.openstack.org/keystone/queens/admin/identity-credential-encryption.html
|
||||
default['openstack']['identity']['credential']['keys'] = [0, 1]
|
||||
default['openstack']['identity']['conf']['credential']['key_repository'] =
|
||||
'/etc/keystone/credential-tokens'
|
||||
|
||||
# The external (REMOTE_USER) auth plugin module. (String value)
|
||||
default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
|
||||
# Default auth methods. (List value)
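Review bot: The new comment line `# 'keystone).` in the credential block has no closing quote, so the data bag name reads as the unbalanced `'keystone`; it is copied from the identical line in the fernet block above, so both should become `# 'keystone').`. The comment also says the list should be changed when rotating keys, but since each index in `default['openstack']['identity']['credential']['keys']` is turned into a `credential_keyN` lookup by the recipe, it is worth stating here that every listed index needs a matching item in the secrets data bag, e.g. `# Every index listed here must exist as 'credential_key<index>' in the data bag.`; that dependency is inferred from the recipe, not visible in this hunk.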
|
||||
@ -0,0 +1,46 @@
|
|||
# encoding: UTF-8
|
||||
#
|
||||
# Cookbook Name:: openstack-identity
|
||||
# Recipe:: _credential_tokens
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the 'License');
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an 'AS IS' BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This recipe is automatically included in openstack-identity::service-apache.
|
||||
# It will add the needed configuration options to the keystone.conf and create
|
||||
# the needed credential keys from predefined secrets (e.g. encrypted data
|
||||
# bags or vaults).
|
||||
|
||||
class ::Chef::Recipe
|
||||
include ::Openstack
|
||||
end
|
||||
|
||||
key_repository =
|
||||
node['openstack']['identity']['conf']['credential']['key_repository']
|
||||
|
||||
directory key_repository do
|
||||
owner node['openstack']['identity']['user']
|
||||
group node['openstack']['identity']['group']
|
||||
mode 0o0700
|
||||
end
|
||||
|
||||
node['openstack']['identity']['credential']['keys'].each do |key_index|
|
||||
key = secret(node['openstack']['secret']['secrets_data_bag'],
|
||||
"credential_key#{key_index}")
|
||||
file File.join(key_repository, key_index.to_s) do
|
||||
content key
|
||||
owner node['openstack']['identity']['user']
|
||||
group node['openstack']['identity']['group']
|
||||
mode 0o0400
|
||||
sensitive true
|
||||
end
|
||||
end
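Review bot: The value returned by `secret(...)` is written to the key file without being checked, so if the helper returns nil or an empty string for a missing `credential_key#{key_index}` item, the `file` resource still creates a 0400 key file that is empty, and because `sensitive true` hides the content in the converge log the bad key set is hard to notice. Unless the `secret` helper is known to raise on a missing item (its definition is outside this file), guard it before the `file` resource with `raise "credential_key#{key_index} not found in data bag" if key.nil? || key.empty?`. The recipe header could also state that index 0 and the remaining indices are expected to follow keystone's key-repository layout, phrased as an assumption to confirm against the keystone docs linked in the attributes file.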
|
@ -120,29 +120,10 @@ file '/var/lib/keystone/keystone.db' do
|
|||
not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
|
||||
end
|
||||
|
||||
# include the recipe to setup fernet tokens
|
||||
# include the recipes to setup tokens
|
||||
include_recipe 'openstack-identity::_credential_tokens'
|
||||
include_recipe 'openstack-identity::_fernet_tokens'
|
||||
|
||||
# initialize fernet tokens
|
||||
execute 'fernet setup' do
|
||||
user 'root'
|
||||
command <<-EOH.gsub(/\s+/, ' ').strip!
|
||||
keystone-manage fernet_setup
|
||||
--keystone-user #{keystone_user}
|
||||
--keystone-group #{keystone_group}
|
||||
EOH
|
||||
notifies :run, 'execute[credential setup]', :immediately
|
||||
end
|
||||
|
||||
execute 'credential setup' do
|
||||
user 'root'
|
||||
command <<-EOH.gsub(/\s+/, ' ').strip!
|
||||
keystone-manage credential_setup
|
||||
--keystone-user #{keystone_user}
|
||||
--keystone-group #{keystone_group}
|
||||
EOH
|
||||
end
|
||||
|
||||
# define the address to bind the keystone apache public service to
|
||||
public_bind_service = node['openstack']['bind_service']['public']['identity']
|
||||
public_bind_address = bind_address public_bind_service
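Review bot: With both `execute 'fernet setup'` and `execute 'credential setup'` removed, the `keystone_user` and `keystone_group` locals they interpolated may no longer be referenced in this recipe; their definitions sit above this hunk, so check whether anything else uses them and drop them if not. The new comment `# include the recipes to setup tokens` could carry the reason the commit message gives, so the next reader does not reintroduce a `keystone-manage` call, e.g. `# include the recipes that deploy fernet and credential keys from the data bag, so every controller shares the same key set`.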
|
||||
|
@ -64,6 +64,12 @@ shared_context 'identity_stubs' do
|
|||
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
|
||||
.with('user', 'admin')
|
||||
.and_return('admin')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:secret)
|
||||
.with('secrets', 'credential_key0')
|
||||
.and_return('thisiscredentialkey0')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:secret)
|
||||
.with('secrets', 'credential_key1')
|
||||
.and_return('thisiscredentialkey1')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:secret)
|
||||
.with('secrets', 'fernet_key0')
|
||||
.and_return('thisisfernetkey0')
|
||||