diff --git a/library/keystone_sp b/library/keystone_sp
deleted file mode 100644
index 38dc41ac..00000000
--- a/library/keystone_sp
+++ /dev/null
@@ -1,123 +0,0 @@ -#!/usr/bin/python -# (c) 2015, Kevin Carter -# -# Copyright 2015, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import json - -# import module snippets -from ansible.module_utils.basic import AnsibleModule - - -DOCUMENTATION = """ ---- -module: keystone_sp -version_added: "1.9.2" -short_description: - - Creates a fact for keystone_federated_identities and keystone_protocols -description: - - Sets facts called `keystone_federated_identities` and - `keystone_federated_protocols`, which are lists of hashes built from - keystone_sp using the information in the `federated_identities` and - `protocols` keys. -options: - sp_data: - description: - - Hash to build the service provider lists from - required: true -author: Kevin Carter -""" - -EXAMPLES = """ -# Set the keystone_federated_identities and keystone_federated_protocols facts -- keystone_sp: - sp_data: "{{ keystone_sp }}" - when: keystone_sp is defined -""" - -# Keystone service provider data structure example. -""" -keystone_sp: - trusted_idp_list: - - name: "keystone-idp" - federated_identities: - - domain: Default - project: fedproject - group: fedgroup - role: _member_ - protocols: - - name: saml2 - mapping: - ... - - name: 'testshib-idp' - federated_identities: - - domain: Default - project: fedproject2 - group: fedgroup2 - role: _member_ - protocols: - - name: saml2 - mapping: - ... 
-""" - - -class KeystoneSp(object): - def __init__(self, module): - """Generate an integer from a name.""" - self.module = module - self.identities_return_list = list() - self.protocols_return_list = list() - self.sp_data = self.module.params['sp_data'] - if isinstance(self.sp_data, str): - self.sp_data = json.loads(self.sp_data) - - def populate_sp_data(self): - trusted_idp_list = self.sp_data['trusted_idp_list'] - for trusted_idp in trusted_idp_list: - federated_identities = trusted_idp.get('federated_identities') - if federated_identities: - self.identities_return_list.extend(federated_identities) - protocols = trusted_idp.get('protocols') - if protocols: - for protocol in protocols: - self.protocols_return_list.append( - {'idp': trusted_idp, 'protocol': protocol}) - - -def main(): - module = AnsibleModule( - argument_spec=dict( - sp_data=dict( - required=True - ) - ), - supports_check_mode=False - ) - try: - ksp = KeystoneSp(module=module) - ksp.populate_sp_data() - module.exit_json( - changed=True, - ansible_facts={ - 'keystone_federated_identities': ksp.identities_return_list, - 'keystone_federated_protocols': ksp.protocols_return_list} - ) - except Exception as exp: - module.fail_json(msg='Failed Process: "%s"' % exp) - - -if __name__ == '__main__': - main() diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml index 66182924..ed655810 100644 --- a/tasks/keystone_federation_sp_idp_setup.yml +++ b/tasks/keystone_federation_sp_idp_setup.yml 
@@ -13,22 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -# note that these tasks will run when the id/name parameter is present. -# Providing the id/name without the other required params is a user error. - -# TODO: Revisit this method when Ansible 2 releases -# User with_subelements instead, but in v1.x it's broken - name: Ensure existence of federation objects delegate_to: "{{ keystone_service_setup_host }}" vars: ansible_python_interpreter: "{{ keystone_service_setup_host_python_interpreter }}" block: - - name: Set keystone_federated_identities fact - keystone_sp: - sp_data: "{{ keystone_sp | to_json }}" - - name: Ensure domain which remote IDP users are mapped onto exists - openstack.cloud.os_keystone_domain: + openstack.cloud.identity_domain: cloud: default state: present name: "{{ item.domain }}" @@ -36,10 +27,10 @@ verify: "{{ keystone_service_adminuri_insecure }}" when: item.domain is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" - name: Ensure project which remote IDP users are mapped onto exists - openstack.cloud.os_project: + openstack.cloud.project: cloud: default state: present name: "{{ item.project }}" @@ -48,10 +39,10 @@ verify: "{{ keystone_service_adminuri_insecure }}" when: item.project is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" - name: Ensure user which remote IDP users are mapped onto exists - openstack.cloud.os_user: + openstack.cloud.identity_user: cloud: default state: present name: "{{ item.user }}" 
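Review bot: Nothing in keystone_federation_sp_idp_setup.yml now says where `trusted_idp` comes from: this hunk drops the `Set keystone_federated_identities fact` task together with the explanatory header comment, and every `with_items` here and in the `@@ -36` and `@@ -48` hunks now reads `trusted_idp.federated_identities`, a loop variable that exists only when the file is included with `loop_var: trusted_idp`. Put a replacement comment where the removed one was, e.g. `# Expects `trusted_idp` (one entry of keystone_sp.trusted_idp_list) to be set by the including loop in main_keystone_federation_sp_idp_setup.yml.` If the file is ever imported or run outside that loop, the `| default([])` filters most likely turn every task into a silent no-op rather than an error, which is easy to misread as a successful setup. The `Ensure existence of federation objects` block these tasks belong to continues past the end of the hunk.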
@@ -65,35 +56,35 @@ item.password is defined and item.project is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" - name: Ensure Group for external IDP users exists - openstack.cloud.os_group: + openstack.cloud.identity_group: cloud: default state: present name: "{{ item.group }}" domain_id: "{{ item.domain | default('default') }}" interface: admin verify: "{{ keystone_service_adminuri_insecure }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" when: item.group is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" - name: Ensure Role for external IDP users exists - openstack.cloud.os_keystone_role: + openstack.cloud.identity_role: cloud: default state: present name: "{{ item.role | default('_member_') }}" interface: admin verify: "{{ keystone_service_adminuri_insecure }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" when: > item.group is defined and item.project is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" - name: Ensure Group/Project/Role mapping exists - openstack.cloud.os_user_role: + openstack.cloud.role_assignment: cloud: default state: present group: "{{ item.group }}" 
@@ -101,53 +92,40 @@ role: "{{ item.role | default('_member_') }}" interface: admin verify: "{{ keystone_service_adminuri_insecure }}" + with_items: "{{ trusted_idp.federated_identities | default([]) }}" when: > item.group is defined and item.project is defined no_log: true - with_items: "{{ keystone_federated_identities | default([]) }}" - name: Ensure mapping for external IDP attributes exists - keystone: - command: ensure_mapping - mapping_name: "{{ item.protocol.mapping.name }}" - mapping_rules: "{{ item.protocol.mapping.rules }}" - login_user: "{{ keystone_admin_user_name }}" - login_password: "{{ keystone_auth_admin_password }}" - login_project_name: "{{ keystone_admin_tenant_name }}" - endpoint: "{{ keystone_service_adminurl }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - when: item.protocol.mapping.name is defined + openstack.cloud.federation_mapping: + name: "{{ item.mapping.name }}" + rules: "{{ item.mapping.rules }}" + interface: admin + verify: "{{ keystone_service_adminuri_insecure }}" + when: item.mapping.name is defined no_log: true - with_items: "{{ keystone_federated_protocols | default([]) }}" + with_items: "{{ trusted_idp.protocols | default([]) }}" - name: Ensure external IDP - keystone: - command: ensure_identity_provider - idp_name: "{{ item.name }}" - idp_remote_ids: "{{ item.entity_ids }}" - idp_enabled: true - idp_domain_id: "{{ item.domain_id | default(omit) }}" - login_user: "{{ keystone_admin_user_name }}" - login_password: "{{ keystone_auth_admin_password }}" - login_project_name: "{{ keystone_admin_tenant_name }}" - endpoint: "{{ keystone_service_adminurl }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - when: item.name is defined + openstack.cloud.federation_idp: + name: "{{ trusted_idp.name }}" + remote_ids: "{{ trusted_idp.entity_ids }}" + enabled: true + domain_id: "{{ trusted_idp.domain_id | default(omit) }}" + interface: admin + verify: "{{ keystone_service_adminuri_insecure }}" + when: trusted_idp.name is 
defined no_log: true - with_items: "{{ keystone_sp.trusted_idp_list | default([]) }}" - name: Ensure federation protocol exists - keystone: - command: ensure_protocol - protocol_name: "{{ item.protocol.name }}" - idp_name: "{{ item.idp.name }}" - mapping_name: "{{ item.protocol.mapping.name }}" - login_user: "{{ keystone_admin_user_name }}" - login_password: "{{ keystone_auth_admin_password }}" - login_project_name: "{{ keystone_admin_tenant_name }}" - endpoint: "{{ keystone_service_adminurl }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - when: item.protocol.name is defined + openstack.cloud.keystone_federation_protocol: + name: "{{ item.name }}" + idp_name: "{{ trusted_idp.name }}" + mapping_id: "{{ item.mapping.name }}" + interface: admin + verify: "{{ keystone_service_adminuri_insecure }}" + when: item.name is defined no_log: true - with_items: "{{ keystone_federated_protocols | default([]) }}" + with_items: "{{ trusted_idp.protocols | default([]) }}" diff --git a/tasks/main_keystone_federation_sp_idp_setup.yml b/tasks/main_keystone_federation_sp_idp_setup.yml index 3aa346a7..fb23fbf8 100644 --- a/tasks/main_keystone_federation_sp_idp_setup.yml +++ b/tasks/main_keystone_federation_sp_idp_setup.yml @@ -1,4 +1,8 @@ -- import_tasks: keystone_federation_sp_idp_setup.yml +- include_tasks: keystone_federation_sp_idp_setup.yml + with_items: "{{ keystone_sp.trusted_idp_list }}" + loop_control: + loop_var: trusted_idp + no_log: true when: - keystone_service_setup | bool - keystone_sp != {}
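Review bot: The three new federation tasks (`openstack.cloud.federation_mapping`, `openstack.cloud.federation_idp`, `openstack.cloud.keystone_federation_protocol`) omit `cloud: default`, while every other task in this block (`identity_domain`, `project`, `identity_user`, `identity_group`, `identity_role`, `role_assignment`) sets it, so these three would authenticate through whatever openstacksdk discovers from the environment rather than the same clouds.yaml entry; add `cloud: default` to each. The replaced `keystone:` tasks carried explicit `endpoint`/`login_*` parameters, so this hunk is the first place these calls depend on implicit credential discovery, and with `no_log: true` an auth failure here gives little to diagnose. Separately, `remote_ids: "{{ trusted_idp.entity_ids }}"` is still unguarded, so an IdP entry without `entity_ids` fails on an undefined variable under `no_log`; `when: trusted_idp.name is defined and trusted_idp.entity_ids is defined` would make the cause visible. The enclosing block starts before this hunk.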
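Review bot: `with_items: "{{ keystone_sp.trusted_idp_list }}"` has no `| default([])`, so a `keystone_sp` that is non-empty but lacks `trusted_idp_list` now fails on an undefined variable, whereas the removed `Ensure external IDP` task used `keystone_sp.trusted_idp_list | default([])`; use `with_items: "{{ keystone_sp.trusted_idp_list | default([]) }}"` since the `keystone_sp != {}` condition only covers the empty-dict case. The `no_log: true` on the include deserves a one-line comment, because the loop item printed by the include would otherwise expose each IdP entry, whose `federated_identities` can carry a mapped-user `password` (the user task tests `item.password is defined`); e.g. `# no_log: trusted_idp entries can include mapped-user passwords`. Using `loop_var: trusted_idp` here is the right call, as the included tasks loop over `item` themselves.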