diff --git a/defaults/main.yml b/defaults/main.yml
index acd6a597..c2337448 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,6 +45,10 @@ keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800
+## Fernet config vars
+keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
+keystone_fernet_tokens_max_active_keys: 3
+
 keystone_cache_expiration_time: 5400
 keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
@@ -161,6 +165,7 @@ keystone_apt_packages:
 - libldap2-dev
 - libsasl2-dev
 - libxslt1.1
+ - rsync
 # Common pip packages
 keystone_pip_packages:
diff --git a/tasks/keystone_fernet.yml b/tasks/keystone_fernet.yml
new file mode 100644
index 00000000..2954c8c4
--- /dev/null
+++ b/tasks/keystone_fernet.yml
@@ -0,0 +1,29 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_fernet_keys_create.yml
+ when: >
+ inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_fetch.yml
+ when: >
+ inventory_hostname == groups['keystone_all'][0]
+
+- include: keystone_fernet_keys_distribute.yml
+ when: >
+ inventory_hostname != groups['keystone_all'][0] and
+ inventory_hostname in groups['keystone_all']
+
+- include: keystone_fernet_cleanup.yml
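Review bot: `keystone_fernet_tokens_max_active_keys: 3` is introduced with no comment tying it to the rotation behaviour added in `tasks/keystone_fernet_keys_create.yml` in this same change, which rotates whenever key `0` already exists. Keystone drops keys beyond this count on rotation, and any token signed by a dropped key is rejected, so an operator who re-runs the role a couple of times inside a token's lifetime silently invalidates live tokens; upstream guidance sizes this as (token lifetime ÷ rotation interval) + 2. Suggest a comment above the variable: `# Keys beyond this count are purged on fernet_rotate; keep it >= (token lifetime / rotation interval) + 2 or tokens signed by purged keys stop validating.`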
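Review bot: The include conditions make `groups['keystone_all'][0]` the sole authority for the key repository, but the existence check behind `keystone_fernet_keys_create.yml` only stats key `0` on that host; if that host is rebuilt while the others still hold keys, `fernet_setup` mints a fresh key set and the `delete: yes` push in `keystone_fernet_keys_distribute.yml` replaces every other node's keys, invalidating all outstanding tokens at once. Conversely, if that host is unreachable, create and fetch are skipped and the remaining nodes proceed without a key source. Consider checking for an existing key `0` on any member of `keystone_all` before allowing `fernet_setup`, and failing the play explicitly when the designated key host is not present, rather than continuing. A header comment stating that the first host in `keystone_all` is the key master, and why, would also help operators reading this file.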
diff --git a/tasks/keystone_fernet_cleanup.yml b/tasks/keystone_fernet_cleanup.yml
new file mode 100644
index 00000000..79c80b8b
--- /dev/null
+++ b/tasks/keystone_fernet_cleanup.yml
@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Clean up the local key clone
+ local_action:
+ module: file
+ path="/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+ state=absent
+ tags:
+ - keystone-cleanup
+ - keystone-setup
+ - keystone-fernet
diff --git a/tasks/keystone_fernet_keys_create.yml b/tasks/keystone_fernet_keys_create.yml
new file mode 100644
index 00000000..e8ea58b5
--- /dev/null
+++ b/tasks/keystone_fernet_keys_create.yml
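Review bot: The cleanup `local_action` executes once per host in the play and only if every preceding task succeeded, so the plaintext key clone under `/tmp/fernet-keys` on the deployment host is removed repeatedly on success and not at all when the play aborts between fetch and cleanup. Add `run_once: true` to the task, and document the limitation with a comment such as `# Best-effort removal of the key clone; if the play aborts before this task the signing keys remain in /tmp on the deploy host.` If the Ansible version in use supports `block`/`always`, wrapping the fetch, distribute and cleanup steps so that cleanup always runs would close the gap; as written there is no such guarantee.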
@@ -0,0 +1,38 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if fernet keys already exist
+ stat:
+ path: "{{ keystone_fernet_tokens_key_repository }}/0"
+ register: _fernet_keys
+ tags:
+ - keystone-fernet
+
+- name: Create fernet keys for Keystone
+ command: keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+ sudo: yes
+ sudo_user: "{{ keystone_system_user_name }}"
+ when: not _fernet_keys.stat.exists
+ tags:
+ - keystone-setup
+ - keystone-fernet
+
+- name: Rotate fernet keys for Keystone
+ command: keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" --keystone-group "{{ keystone_system_group_name }}"
+ sudo: yes
+ sudo_user: "{{ keystone_system_user_name }}"
+ when: _fernet_keys.stat.exists
+ tags:
+ - keystone-fernet
diff --git a/tasks/keystone_fernet_keys_distribute.yml b/tasks/keystone_fernet_keys_distribute.yml
new file mode 100644
index 00000000..86770b6c
--- /dev/null
+++ b/tasks/keystone_fernet_keys_distribute.yml
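Review bot: The "Rotate fernet keys for Keystone" task runs `keystone-manage fernet_rotate` unconditionally whenever key `0` exists, which means every run of the role that reaches this file rotates the signing keys, not a schedule the operator chose. With the default of three active keys, two or three re-runs within a token's lifetime push the key that signed live tokens out of the repository and those tokens are rejected, so an ordinary re-deploy becomes a cluster-wide token invalidation. Gate rotation behind an explicit switch, e.g. `when: _fernet_keys.stat.exists and keystone_fernet_rotate|default(false)|bool`, and add a comment above the task stating that rotation is an operator-triggered action and what it does to outstanding tokens. The task also always reports changed as written; the gate addresses that as well.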
@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute the fernet keys to the other keystone containers
+ synchronize:
+ src: "/tmp/{{ keystone_fernet_tokens_key_repository|basename }}"
+ dest: "{{ keystone_fernet_tokens_key_repository|dirname }}"
+ recursive: yes
+ delete: yes
+ tags:
+ - keystone-setup
+ - keystone-fernet
diff --git a/tasks/keystone_fernet_keys_fetch.yml b/tasks/keystone_fernet_keys_fetch.yml
new file mode 100644
index 00000000..162a8865
--- /dev/null
+++ b/tasks/keystone_fernet_keys_fetch.yml
@@ -0,0 +1,24 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Fetch the fernet key repository
+ synchronize:
+ src: "{{ keystone_fernet_tokens_key_repository }}"
+ dest: /tmp/
+ recursive: yes
+ mode: pull
+ tags:
+ - keystone-setup
+ - keystone-fernet
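Review bot: The push in "Distribute the fernet keys to the other keystone containers" relies on rsync's archive defaults to carry ownership from the `/tmp` clone, but that clone is owned by whichever account performed the pull, and rsync only applies ownership on the receiving side when it runs as root and maps the name; depending on the remote login user the keys can land owned by root or the deploy user with the 0600 mode `fernet_setup` gave them, which the keystone service user cannot read. Nothing in the hunk re-asserts ownership after the sync, so add an explicit `file` task that recursively sets `owner`/`group` to `keystone_system_user_name`/`keystone_system_group_name` on the repository. Also worth a comment: `delete: yes` is scoped to the transferred `fernet-keys` directory only because `src` carries no trailing slash — adding one would make rsync prune `/etc/keystone` itself.
```yaml
- name: Distribute the fernet keys to the other keystone containers
  synchronize:
    # … unchanged: src/dest/recursive/delete (keep src WITHOUT a trailing slash, delete is scoped by it) …

- name: Ensure distributed fernet keys are owned by the keystone user
  file:
    path: "{{ keystone_fernet_tokens_key_repository }}"
    state: directory
    recurse: yes
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
  tags:
    - keystone-setup
    - keystone-fernet
```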
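Review bot: "Fetch the fernet key repository" pulls the signing keys into `/tmp/` on the deployment host, a world-writable directory with a fully predictable target name (`/tmp/fernet-keys`), so any local user there can pre-create or symlink that name before the pull to capture or redirect the keys, and the plaintext keys remain in place until the separate cleanup task runs. Pull into a private, unpredictable directory instead: create one on the controller (`mktemp -d` yields mode 0700), register the path, and use it as `dest` here and as the `src` in the distribute and cleanup tasks via `hostvars[groups['keystone_all'][0]]` since those run on other hosts. A comment on this task noting that the destination holds plaintext token-signing keys would also be appropriate.
```yaml
- name: Create a private scratch directory for the key clone
  local_action: command mktemp -d
  register: _fernet_tmp

- name: Fetch the fernet key repository
  synchronize:
    src: "{{ keystone_fernet_tokens_key_repository }}"
    dest: "{{ _fernet_tmp.stdout }}/"
    recursive: yes
    mode: pull
  # … unchanged: tags …
```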
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index d03248e1..cbf6a144 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@@ -50,6 +50,21 @@
 tags:
 - keystone-dirs
+- name: Create keystone fernet-keys dir
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ owner: "{{ item.owner|default(keystone_system_user_name) }}"
+ group: "{{ item.group|default(keystone_system_group_name) }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: '0750' }
+ when: >
+ 'fernet' in keystone_token_provider
+ tags:
+ - keystone-dirs
+ - keystone-fernet
+
 - name: Test for log directory or link
 shell: |
 if [ -h "/var/log/keystone" ]; then
diff --git a/tasks/main.yml b/tasks/main.yml
index 7f239082..6202f443 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,6 +15,11 @@
 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+
+- include: keystone_fernet.yml
+ when: >
+ 'fernet' in keystone_token_provider
+
 - include: keystone_post_install.yml
 - include: keystone_db_setup.yml
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 90f00ca4..a0d9ea6a 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -54,6 +54,11 @@ max_pool_size = {{ keystone_database_max_pool_size }}
 pool_timeout = {{ keystone_database_pool_timeout }}
+[fernet_keys]
+key_repository = {{ keystone_fernet_tokens_key_repository }}
+max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
+
+
 [identity]
 driver = {{ keystone_identity_driver }}
 {% if keystone_ldap is defined %}
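Review bot: The "Create keystone fernet-keys dir" task pre-creates the signing-key repository with `mode: '0750'`, granting the keystone group traversal of a directory whose only legitimate reader is the keystone user that owns it; as far as I recall `keystone-manage fernet_setup` creates this directory 0700 with 0600 key files and warns when it is group- or world-accessible. Tighten the `with_items` entry to `mode: '0700'` so the pre-created directory matches what `fernet_setup` would enforce and what the rsync distribution preserves, and add a comment above the task: `# Token-signing keys live here: owner-only access, nothing else needs to read it.` The `'fernet' in keystone_token_provider` substring test (also used in `tasks/main.yml` in this change) will match any provider string containing "fernet"; a comparison against the actual provider class would be less permissive.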