Add support for deploying Keystone with Fernet

This change adds a number of new tasks that are dependent on the value
of the Keystone token provider (keystone_token_provider) user variable.

If the keystone_token_provider user_variable is set to
keystone.token.providers.fernet.Provider then the playbooks will
appropriately create the fernet keys and distribute them to the rest of
the keystone containers.

This also implements key rotation for generated fernet keys similar to
how the os_nova roles implement key rotation.

Finally, we also need to build cryptography from master for now.
Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
when used with mod_wsgi and Apache. This is fixed in cryptography master
and will be released in 1.0.

Closes-bug: 1463569
Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab

defaults/main.yml

@@ -45,6 +45,10 @@ keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800
 
+## Fernet config vars
+keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
+keystone_fernet_tokens_max_active_keys: 3
+
 keystone_cache_expiration_time: 5400
 
 keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
@@ -161,6 +165,7 @@ keystone_apt_packages:
   - libldap2-dev
   - libsasl2-dev
   - libxslt1.1
+  - rsync
 
 # Common pip packages
 keystone_pip_packages:

tasks/keystone_fernet.yml

@@ -0,0 +1,29 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_fernet_keys_create.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_fetch.yml
+  when: >
+    inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_distribute.yml
+  when: >
+    inventory_hostname != groups['keystone_all'][0] and
+    inventory_hostname in groups['keystone_all']
+
+- include: keystone_fernet_cleanup.yml

tasks/keystone_fernet_cleanup.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Clean up the local key clone
+  local_action:
+    module: file
+      path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+      state=absent
+  tags:
+    - keystone-cleanup
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_fernet_keys_create.yml

@@ -0,0 +1,38 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if fernet keys already exist
+  stat:
+    path: "{{ keystone_fernet_tokens_key_repository }}/0"
+  register: _fernet_keys
+  tags:
+    - keystone-fernet
+
+- name: Create fernet keys for Keystone
+  command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: not _fernet_keys.stat.exists
+  tags:
+    - keystone-setup
+    - keystone-fernet
+
+- name: Rotate fernet keys for Keystone
+  command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+  sudo: yes
+  sudo_user: "{{ keystone_system_user_name }}"
+  when: _fernet_keys.stat.exists
+  tags:
+    - keystone-fernet

tasks/keystone_fernet_keys_distribute.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute the fernet keys to the other keystone containers
+  synchronize:
+    src: "/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+    dest: "{{ keystone_fernet_tokens_key_repository|dirname }}"
+    recursive: yes
+    delete: yes
+  tags:
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_fernet_keys_fetch.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Fetch the fernet key repository
+  synchronize:
+    src: "{{ keystone_fernet_tokens_key_repository }}"
+    dest: /tmp/
+    recursive: yes
+    mode: pull
+  tags:
+    - keystone-setup
+    - keystone-fernet

tasks/keystone_pre_install.yml

@@ -50,6 +50,21 @@
   tags:
     - keystone-dirs
 
+- name: Create keystone fernet-keys dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner|default(keystone_system_user_name) }}"
+    group: "{{ item.group|default(keystone_system_group_name) }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: '0750' }
+  when: >
+    'fernet' in keystone_token_provider
+  tags:
+    - keystone-dirs
+    - keystone-fernet
+
 - name: Test for log directory or link
   shell: |
     if [ -h "/var/log/keystone"  ]; then

tasks/main.yml

@@ -15,6 +15,11 @@
 
 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+
+- include: keystone_fernet.yml
+  when: >
+    'fernet' in keystone_token_provider
+
 - include: keystone_post_install.yml
 
 - include: keystone_db_setup.yml

templates/keystone.conf.j2

@@ -54,6 +54,11 @@ max_pool_size = {{ keystone_database_max_pool_size }}
 pool_timeout = {{ keystone_database_pool_timeout }}
 
 
+[fernet_keys]
+key_repository = {{ keystone_fernet_tokens_key_repository }}
+max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
+
+
 [identity]
 driver = {{ keystone_identity_driver }}
 {% if keystone_ldap is defined %}