Merge "Update Keystone Configuration for Liberty"

playbooks/roles/os_keystone/defaults/main.yml

@@ -35,15 +35,15 @@ keystone_rpc_backend: rabbit
 
 ## Drivers
 keystone_auth_methods: "password,token"
-keystone_identity_driver: "keystone.identity.backends.sql.Identity"
-# For a sql backed token storage use: "keystone.token.backends.sql.Token"
-keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
-keystone_token_provider: "keystone.token.providers.fernet.Provider"
+keystone_identity_driver: sql
+# For a sql backed token storage use: "sql"
+keystone_token_driver: memcache
+keystone_token_provider: fernet
 keystone_token_expiration: 43200
 keystone_token_cache_time: 3600
 
 # Set the revocation driver used within keystone.
-keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
+keystone_revocation_driver: sql
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800
 
@@ -57,10 +57,10 @@ keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh
 
 keystone_cache_expiration_time: 5400
 
-keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
+keystone_assignment_driver: sql
 
 keystone_resource_cache_time: 3600
-keystone_resource_driver: keystone.resource.backends.sql.Resource
+keystone_resource_driver: sql
 
 keystone_bind_address: 0.0.0.0
 
@@ -168,7 +168,7 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #     password: "secrete"
 #     ...
 
-keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
+keystone_ldap_identity_driver: ldap
 keystone_ldap_domain_config_dir: /etc/keystone/domains
 
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True

playbooks/roles/os_keystone/templates/keystone-paste.ini.j2

@@ -1,70 +1,67 @@
 # Keystone PasteDeploy configuration file.
 
 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
+use = egg:keystone#debug
 
 [filter:request_id]
-paste.filter_factory = oslo_middleware:RequestId.factory
+use = egg:keystone#request_id
 
 [filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
+use = egg:keystone#build_auth_context
 
 [filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+use = egg:keystone#token_auth
 
 [filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+use = egg:keystone#admin_token_auth
 
 [filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+use = egg:keystone#json_body
 
 [filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+use = egg:keystone#user_crud_extension
 
 [filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+use = egg:keystone#crud_extension
 
 [filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+use = egg:keystone#ec2_extension
 
 [filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
+use = egg:keystone#ec2_extension_v3
 
 [filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
+use = egg:keystone#federation_extension
 
 [filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+use = egg:keystone#oauth1_extension
 
 [filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
+use = egg:keystone#s3_extension
 
 [filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:endpoint_policy_extension]
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
+use = egg:keystone#endpoint_filter_extension
 
 [filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
+use = egg:keystone#simple_cert_extension
 
 [filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
+use = egg:keystone#revoke_extension
 
 [filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+use = egg:keystone#url_normalize
 
 [filter:sizelimit]
-paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+use = egg:keystone#sizelimit
 
 [app:public_service]
-paste.app_factory = keystone.service:public_app_factory
+use = egg:keystone#public_service
 
 [app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
+use = egg:keystone#service_v3
 
 [app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
+use = egg:keystone#admin_service
 
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
@@ -79,13 +76,13 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
 
 [app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
+use = egg:keystone#public_version_service
 
 [app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
+use = egg:keystone#admin_version_service
 
 [pipeline:public_version_api]
 pipeline = sizelimit url_normalize public_version_service

playbooks/roles/os_keystone/templates/policy.json.j2

@@ -6,6 +6,7 @@
     "admin_or_owner": "rule:admin_required or rule:owner",
     "token_subject": "user_id:%(target.token.user_id)s",
     "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
 
     "default": "rule:admin_required",
 
@@ -88,14 +89,13 @@
     "identity:update_policy": "rule:admin_required",
     "identity:delete_policy": "rule:admin_required",
 
-    "identity:check_token": "rule:admin_required",
-    "identity:validate_token": "rule:service_or_admin",
+    "identity:check_token": "rule:admin_or_token_subject",
+    "identity:validate_token": "rule:service_admin_or_token_subject",
     "identity:validate_token_head": "rule:service_or_admin",
     "identity:revocation_list": "rule:service_or_admin",
     "identity:revoke_token": "rule:admin_or_token_subject",
 
     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:get_trust": "rule:admin_or_owner",
     "identity:list_trusts": "",
     "identity:list_roles_for_trust": "",
     "identity:get_role_for_trust": "",
@@ -128,6 +128,7 @@
     "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
     "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
     "identity:get_endpoint_group_in_project": "rule:admin_required",
+    "identity:list_endpoint_groups_for_project": "rule:admin_required",
     "identity:add_endpoint_group_to_project": "rule:admin_required",
     "identity:remove_endpoint_group_from_project": "rule:admin_required",