Make SSL settings configurable for Keystone
Currently, one cannot enable SSL for the Keystone service endpoint since the recipes do not allow configuring the SSL-specific parameters. To address this issue, this commit defines some new node attributes for specifying SSL key, certificate and CA certificate paths. Also, this commit exposes a few other node attributes, giving users more flexibility in their SSL deployment options. Closes-Bug #1441385 Change-Id: I2ee71f4f11e0cba619418bd5c356ec490c3be6e4
This commit is contained in:
parent
34480278c1
commit
b677c725a5
10
README.md
10
README.md
|
@ -275,6 +275,12 @@ Please refer to the Common cookbook for more attributes.
|
|||
* `openstack['identity']['pipeline']['public_api']` - Pipeline of identity public api
|
||||
* `openstack['identity']['pipeline']['admin_api']` - Pipeline of identity admin api
|
||||
* `openstack['identity']['pipeline']['api_v3']` - Pipeline of identity V3 api
|
||||
* `openstack['identity']['ssl']['enabled']` - Enable HTTPS Keystone API endpoint. Default is false
|
||||
* `openstack['identity']['ssl']['cert_required']` - When SSL is enabled this flag is used to require client certificate. Default is false.
|
||||
* `openstack['identity']['ssl']['basedir']` - Path to Keystone SSL directory
|
||||
* `openstack['identity']['ssl']['certfile']`- Cert file location
|
||||
* `openstack['identity']['ssl']['keyfile']` - Key file location
|
||||
* `openstack['identity']['ssl']['ca_certs']` - Path to CA certificate file
|
||||
|
||||
Most `openstack['identity']['ldap']` attributes map directly to the corresponding config options in keystone.conf's `[ldap]` backend. They are primarily used when configuring `openstack['identity']['identity']['backend']` and/or `openstack["identity"]["assignment"]["backend"]` as `ldap` (both default to `sql`).
|
||||
|
||||
|
@ -283,7 +289,6 @@ The `openstack['identity']['ldap']['use_tls']` option should not be used in conj
|
|||
If `openstack['identity']['ldap']['tls_cacertfile']` is set, `openstack['identity']['ldap']['tls_cacertdir']` will be ignored. Set `openstack['identity']['ldap']['tls_cacertfile']` to `nil` if `openstack['identity']['ldap']['tls_cacertdir']` is desired.
|
||||
Values of `openstack['identity']['ldap']['tls_req_cert']` correspond to the standard options permitted by the TLS_REQCERT TLS option (`never` performs no validation of certs, `allow` performs some basic name checks but no thorough CA validation, `demand` requires the certificate chain to be valid for the connection to succeed).
|
||||
|
||||
|
||||
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
|
||||
|
||||
* `openstack['endpoints']['identity-bind']['host']` - The IP address to bind the identity services to
|
||||
|
@ -294,7 +299,8 @@ The following attributes are defined in attributes/default.rb of the common cook
|
|||
|
||||
If the value of the 'bind_interface' attribute is non-nil, then the identity service will be bound to the first IP address on that interface. If the value of the 'bind_interface' attribute is nil, then the identity service will be bound to the IP address specified in the host attribute.
|
||||
|
||||
|
||||
### SSL enabling
|
||||
To enable SSL on Keystone, a key and certficate must be created and installed on server running Keystone. The location of these files can be provided with the node attributes described above. Also, note that `openstack['endpoints']['identity-bind']['scheme']`, from openstack common cookbook, must be set to 'https' in order to enable SSL.
|
||||
|
||||
### Token flushing
|
||||
When managing tokens with an SQL backend the token database may grow unboundedly as new tokens are issued and expired
|
||||
|
|
|
@ -128,6 +128,20 @@ default['openstack']['identity']['users'] = {
|
|||
}
|
||||
}
|
||||
|
||||
# SSL Options
|
||||
# Specify whether to enable SSL for Keystone API endpoint
|
||||
default['openstack']['identity']['ssl']['enabled'] = false
|
||||
# Specify server whether to enforce client certificate requirement
|
||||
default['openstack']['identity']['ssl']['cert_required'] = false
|
||||
# SSL certificate, keyfile and CA certficate file locations
|
||||
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
|
||||
# Path of the cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
|
||||
# Path of the keyfile for SSL.
|
||||
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
|
||||
# Path of the CA cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
|
||||
|
||||
# Security Assertion Markup Language (SAML)
|
||||
|
||||
# Default TTL, in seconds, for any generated SAML assertion
|
||||
|
|
|
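Review bot: The certfile, keyfile and ca_certs defaults interpolate `node['openstack']['identity']['ssl']['basedir']` at the moment this attribute file is loaded, so a deployer who overrides basedir in a role, environment or wrapper cookbook still gets key and certificate paths under /etc/keystone/ssl unless all three derived attributes are overridden as well. Either state that on the `# SSL certificate, keyfile and CA certficate file locations` comment — for example `# NOTE: certfile/keyfile/ca_certs are derived from basedir when this file loads; overriding basedir alone does not move them` — or build the paths from the final basedir value in the recipe or template. The comment `# Specify server whether to enforce client certificate requirement` also reads awkwardly; `# Whether the server requires a client certificate (mutual TLS)` says the same thing plainly, and "certficate" on the locations comment is misspelled.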
@ -377,6 +377,51 @@ describe 'openstack-identity::server' do
|
|||
end
|
||||
end
|
||||
|
||||
describe '[eventlet_server_ssl] section' do
|
||||
opts = {
|
||||
enable: 'True',
|
||||
certfile: '/etc/keystone/ssl/certs/sslcert.pem',
|
||||
keyfile: '/etc/keystone/ssl/private/sslkey.pem',
|
||||
ca_certs: '/etc/keystone/ssl/certs/sslca.pem',
|
||||
cert_required: 'false'
|
||||
}
|
||||
describe 'with ssl enabled' do
|
||||
before do
|
||||
node.set['openstack']['identity']['ssl']['enabled'] = true
|
||||
node.set['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
|
||||
end
|
||||
describe 'with client cert not required' do
|
||||
it 'configures ssl options without client certificate' do
|
||||
opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
|
||||
end
|
||||
end
|
||||
end
|
||||
describe 'with client cert required' do
|
||||
before do
|
||||
node.set['openstack']['identity']['ssl']['cert_required'] = true
|
||||
opts['cert_required'.to_sym] = 'true'
|
||||
end
|
||||
it 'configures ssl options with client certificate' do
|
||||
opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'without ssl disabled' do
|
||||
before { node.set['openstack']['identity']['ssl']['enabled'] = false }
|
||||
it 'does not configure ssl options' do
|
||||
opts.each do |key, val|
|
||||
expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server_ssl', /^#{key} = /)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '[saml] section' do
|
||||
describe 'saml attributes' do
|
||||
saml_default_attrs = %w(assertion_expiration_time=3600
|
||||
|
|
|
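Review bot: The `before` block in 'with client cert required' mutates the shared `opts` hash via `opts['cert_required'.to_sym] = 'true'`, and because `opts` is a plain local captured by every example in this describe, that change leaks into the sibling 'with client cert not required' and 'without ssl disabled' examples whenever they run after it, so the suite's outcome depends on example order. Drop the mutation and iterate over a merged copy instead, `opts.merge(cert_required: 'true').each do |key, val|`, or move opts into a `let` and override it in the required context with `let(:opts) { super().merge(cert_required: 'true') }`. The describe name 'without ssl disabled' is a double negative for a context that sets enabled to false; `describe 'with ssl disabled' do` names what it tests. The enclosing 'openstack-identity::server' describe starts outside the hunk.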
@ -240,13 +240,20 @@ admin_bind_host = <%= @admin_bind_address %>
|
|||
#admin_port = 35357
|
||||
admin_port = <%= @admin_port %>
|
||||
|
||||
<% if node['openstack']['identity']['ssl']['enabled'] %>
|
||||
[eventlet_server_ssl]
|
||||
|
||||
#
|
||||
# From keystone
|
||||
#
|
||||
# (boolean value)
|
||||
#return_all_endpoints_if_no_filter=true
|
||||
|
||||
enable = True
|
||||
certfile = <%= node['openstack']['identity']['ssl']['certfile'] %>
|
||||
keyfile = <%= node['openstack']['identity']['ssl']['keyfile'] %>
|
||||
ca_certs = <%= node['openstack']['identity']['ssl']['ca_certs'] %>
|
||||
# Require client certificate. (boolean value)
|
||||
cert_required = <%= node['openstack']['identity']['ssl']['cert_required'] %>
|
||||
<% end %>
|
||||
|
||||
[federation]
|
||||
|
||||
|
|
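Review bot: The comment lines `# (boolean value)` and `#return_all_endpoints_if_no_filter=true` inside the new [eventlet_server_ssl] section describe an endpoint-filter option, not an SSL one, and appear to have been carried over from another section; they should be deleted so the rendered keystone.conf does not advertise an option that does not belong here. The section is emitted solely on node['openstack']['identity']['ssl']['enabled'], while the README hunk says openstack['endpoints']['identity-bind']['scheme'] must separately be set to 'https'; as far as this hunk shows nothing ties the two together, so setting one without the other leaves the eventlet listener and the registered endpoint disagreeing on TLS. A template comment naming that dependency, such as `<%# requires openstack['endpoints']['identity-bind']['scheme'] == 'https' so the registered endpoint matches this listener %>`, would make the coupling visible to the next maintainer. The [federation] section and the rest of the template continue outside the hunk.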