Multidomains support
Support for creating multiple domains was added for MOS8.0. Change-Id: Ie082cfa8b5e3b5478362335b125eccb12308efed
This commit is contained in:
parent
8dd63cf88c
commit
c410425b57
|
@ -0,0 +1,25 @@
|
|||
module Puppet::Parser::Functions
|
||||
newfunction(:parse_it, :type => :rvalue, :doc => <<-EOS
|
||||
This function parses text area, create hash and returns values
|
||||
for keystone domain creation
|
||||
EOS
|
||||
) do |args|
|
||||
|
||||
param_hash = {}
|
||||
cert_chain = args[0].slice!(/^(ca_chain=-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$/)
|
||||
|
||||
if cert_chain
|
||||
splited_cert_chain = cert_chain.split('=',2)
|
||||
param_hash[splited_cert_chain[0]] = splited_cert_chain[1]
|
||||
end
|
||||
|
||||
splited_text = args[0].split("\n")
|
||||
splited_text.each do |item|
|
||||
splited_line = item.split('=',2)
|
||||
param_hash[splited_line[0]] = splited_line[1]
|
||||
end
|
||||
|
||||
return param_hash
|
||||
end
|
||||
end
|
||||
|
|
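Review bot: Any line without an `=` — the leading empty line each block carries after the controller's `split($additional_domains, '^$')`, a trailing newline from the textarea, or a stray PEM line — reaches `param_hash[splited_line[0]] = splited_line[1]` and produces a `nil => nil` or `"key" => nil` entry, and `split("\n")` leaves a `\r` on every key when the form is submitted with CRLF line endings. Trimming and skipping such lines before the split, `args[0].each_line.map(&:strip).reject(&:empty?).each do |item|`, avoids both. `args[0].slice!(...)` also mutates the string Puppet handed in; working on `text = args[0].dup` keeps the caller's value intact. A missing or non-string argument currently fails with a NoMethodError rather than a parse error — `raise Puppet::ParseError, 'parse_it(): expects one string argument' unless args.first.is_a?(String)` at the top of the block gives the operator a readable message.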
@ -2,13 +2,13 @@ class plugin_ldap::controller {
|
|||
|
||||
include ::apache::params
|
||||
|
||||
$management_vip = hiera('management_vip')
|
||||
$management_vip = hiera('management_vip')
|
||||
|
||||
## if AD is used, in order to properly display if account is enabled or disabled
|
||||
## additional parameters need to be set.
|
||||
## additional parameters should be set.
|
||||
if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
|
||||
$user_enabled_default = 512
|
||||
$user_enabled_mask = 2
|
||||
$user_enabled_mask = 2
|
||||
}
|
||||
|
||||
$identity_driver = 'keystone.identity.backends.ldap.Identity'
|
||||
|
@ -24,6 +24,7 @@ class plugin_ldap::controller {
|
|||
$user_name_attribute = $::fuel_settings['ldap']['user_name_attribute']
|
||||
$user_pass_attribute = $::fuel_settings['ldap']['user_pass_attribute']
|
||||
$user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
|
||||
$additional_domains = $::fuel_settings['ldap']['additional_domains']
|
||||
|
||||
$user_allow_create = false
|
||||
$user_allow_update = false
|
||||
|
@ -43,28 +44,7 @@ class plugin_ldap::controller {
|
|||
|
||||
$domain = $::fuel_settings['ldap']['domain']
|
||||
$use_tls = $::fuel_settings['ldap']['use_tls']
|
||||
|
||||
if $use_tls {
|
||||
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
|
||||
$cacertfile = '/usr/local/share/ca-certificates/cacert-ldap.crt'
|
||||
|
||||
if $ca_chain {
|
||||
$tls_cacertdir = '/etc/ssl/certs'
|
||||
}
|
||||
else {
|
||||
$tls_cacertdir = ''
|
||||
}
|
||||
|
||||
if $ca_chain {
|
||||
file { $cacertfile:
|
||||
ensure => file,
|
||||
mode => 0644,
|
||||
content => $ca_chain,
|
||||
}
|
||||
~>
|
||||
exec { '/usr/sbin/update-ca-certificates': }
|
||||
}
|
||||
}
|
||||
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
|
||||
|
||||
file { '/etc/keystone/domains':
|
||||
ensure => 'directory',
|
||||
|
@ -73,81 +53,75 @@ class plugin_ldap::controller {
|
|||
mode => '755',
|
||||
}
|
||||
|
||||
file { "/etc/keystone/domains/keystone.${domain}.conf":
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '644',
|
||||
require => File['/etc/keystone/domains'],
|
||||
}
|
||||
|
||||
File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
|
||||
|
||||
keystone_config {
|
||||
"identity/domain_specific_drivers_enabled": value => 'True';
|
||||
}
|
||||
|
||||
Keystone_config {
|
||||
provider => 'ini_setting_domain',
|
||||
plugin_ldap::keystone {$domain:
|
||||
domain => $domain,
|
||||
identity_driver => $identity_driver,
|
||||
url => $url,
|
||||
use_tls => $use_tls,
|
||||
ca_chain => $ca_chain,
|
||||
suffix => $suffix,
|
||||
user => $user,
|
||||
password => $password,
|
||||
query_scope => $query_scope,
|
||||
user_tree_dn => $user_tree_dn,
|
||||
user_filter => $user_filter,
|
||||
user_objectclass => $user_objectclass,
|
||||
user_id_attribute => $user_id_attribute,
|
||||
user_name_attribute => $user_name_attribute,
|
||||
user_pass_attribute => $user_pass_attribute,
|
||||
user_enabled_attribute => $user_enabled_attribute,
|
||||
user_enabled_default => $user_enabled_default,
|
||||
user_enabled_mask => $user_enabled_mask,
|
||||
user_allow_create => $user_allow_create,
|
||||
user_allow_update => $user_allow_update,
|
||||
user_allow_delete => $user_allow_delete,
|
||||
group_tree_dn => $group_tree_dn,
|
||||
group_filter => $group_filter,
|
||||
group_objectclass => $group_objectclass,
|
||||
group_id_attribute => $group_id_attribute,
|
||||
group_name_attribute => $group_name_attribute,
|
||||
group_member_attribute => $group_member_attribute,
|
||||
group_desc_attribute => $group_desc_attribute,
|
||||
group_allow_create => $group_allow_create,
|
||||
group_allow_update => $group_allow_update,
|
||||
group_allow_delete => $group_allow_delete,
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
"${domain}/identity/driver": value => $identity_driver;
|
||||
"${domain}/ldap/url": value => $url;
|
||||
"${domain}/ldap/use_tls": value => $use_tls;
|
||||
"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;
|
||||
"${domain}/ldap/suffix": value => $suffix;
|
||||
"${domain}/ldap/user": value => $user;
|
||||
"${domain}/ldap/password": value => $password;
|
||||
"${domain}/ldap/query_scope": value => $query_scope;
|
||||
"${domain}/ldap/user_tree_dn": value => $user_tree_dn;
|
||||
"${domain}/ldap/user_filter": value => $user_filter;
|
||||
"${domain}/ldap/user_objectclass": value => $user_objectclass;
|
||||
"${domain}/ldap/user_id_attribute": value => $user_id_attribute;
|
||||
"${domain}/ldap/user_name_attribute": value => $user_name_attribute;
|
||||
"${domain}/ldap/user_pass_attribute": value => $user_pass_attribute;
|
||||
"${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
|
||||
"${domain}/ldap/user_enabled_default": value => $user_enabled_default;
|
||||
"${domain}/ldap/user_enabled_mask": value => $user_enabled_mask;
|
||||
"${domain}/ldap/user_allow_create": value => $user_allow_create;
|
||||
"${domain}/ldap/user_allow_update": value => $user_allow_update;
|
||||
"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
|
||||
"${domain}/ldap/group_tree_dn": value => $group_tree_dn;
|
||||
"${domain}/ldap/group_filter": value => $group_filter;
|
||||
"${domain}/ldap/group_objectclass": value => $group_objectclass;
|
||||
"${domain}/ldap/group_id_attribute": value => $group_id_attribute;
|
||||
"${domain}/ldap/group_name_attribute": value => $group_name_attribute;
|
||||
"${domain}/ldap/group_member_attribute": value => $group_member_attribute;
|
||||
"${domain}/ldap/group_desc_attribute": value => $group_desc_attribute;
|
||||
"${domain}/ldap/group_allow_create": value => $group_allow_create;
|
||||
"${domain}/ldap/group_allow_update": value => $group_allow_update;
|
||||
"${domain}/ldap/group_allow_delete": value => $group_allow_delete;
|
||||
} ~>
|
||||
Plugin_ldap::Keystone<||> ~>
|
||||
service { 'httpd':
|
||||
name => "$apache::params::service_name",
|
||||
ensure => running,
|
||||
name => "$apache::params::service_name",
|
||||
ensure => running,
|
||||
}
|
||||
|
||||
keystone_domain { "${domain}":
|
||||
ensure => present,
|
||||
enabled => true,
|
||||
#Create domains using info from text area 'List of additional Domains'
|
||||
if $additional_domains {
|
||||
$domains_list = split($additional_domains, '^$')
|
||||
plugin_ldap::multiple_domain { $domains_list:
|
||||
identity_driver => $identity_driver,
|
||||
}
|
||||
}
|
||||
|
||||
file_line { 'OPENSTACK_KEYSTONE_URL':
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
|
||||
match => "^OPENSTACK_KEYSTONE_URL = .*$",
|
||||
} ~> Service ['httpd']
|
||||
}
|
||||
|
||||
file_line { 'OPENSTACK_API_VERSIONS':
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
|
||||
match => "^# OPENSTACK_API_VERSIONS = {.*$",
|
||||
} ~> Service ['httpd']
|
||||
}
|
||||
|
||||
file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
|
||||
path => '/etc/openstack-dashboard/local_settings.py',
|
||||
line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
|
||||
match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
|
||||
} ~> Service ['httpd']
|
||||
}
|
||||
|
||||
File_line<||> ~> Service ['httpd']
|
||||
}
|
||||
|
|
|
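Review bot: `split($additional_domains, '^$')` in the `if $additional_domains` branch separates blocks only at a truly empty line; when the textarea is submitted with CRLF endings the "blank" line still holds a `\r`, so `^$` never matches and the entire text becomes one block whose later `domain=`/`password=` lines silently override the earlier ones (inferred from the `$` anchor semantics — confirm with a real form value). Normalising first keeps the separator reliable: `$domains_list = split(regsubst($additional_domains, '\r', '', 'G'), '^$')`. The enclosing `plugin_ldap::controller` class starts outside this hunk.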
@ -0,0 +1,110 @@
|
|||
define plugin_ldap::keystone (
|
||||
$domain = undef,
|
||||
$identity_driver = undef,
|
||||
$url = undef,
|
||||
$use_tls = undef,
|
||||
$ca_chain = undef,
|
||||
$suffix = undef,
|
||||
$user = undef,
|
||||
$password = undef,
|
||||
$query_scope = undef,
|
||||
$user_tree_dn = undef,
|
||||
$user_filter = undef,
|
||||
$user_objectclass = undef,
|
||||
$user_id_attribute = undef,
|
||||
$user_name_attribute = undef,
|
||||
$user_pass_attribute = undef,
|
||||
$user_enabled_attribute = undef,
|
||||
$user_enabled_default = undef,
|
||||
$user_enabled_mask = undef,
|
||||
$user_allow_create = undef,
|
||||
$user_allow_update = undef,
|
||||
$user_allow_delete = undef,
|
||||
$group_tree_dn = undef,
|
||||
$group_filter = undef,
|
||||
$group_objectclass = undef,
|
||||
$group_id_attribute = undef,
|
||||
$group_name_attribute = undef,
|
||||
$group_member_attribute = undef,
|
||||
$group_desc_attribute = undef,
|
||||
$group_allow_create = undef,
|
||||
$group_allow_update = undef,
|
||||
$group_allow_delete = undef,
|
||||
){
|
||||
|
||||
if $use_tls {
|
||||
$cacertfile = "/usr/local/share/ca-certificates/cacert-ldap-${domain}.crt"
|
||||
|
||||
if $ca_chain {
|
||||
$tls_cacertdir = '/etc/ssl/certs'
|
||||
}
|
||||
else {
|
||||
$tls_cacertdir = ''
|
||||
}
|
||||
|
||||
if $ca_chain {
|
||||
file { $cacertfile:
|
||||
ensure => file,
|
||||
mode => 0644,
|
||||
content => $ca_chain,
|
||||
}
|
||||
~>
|
||||
exec { "$domain" :
|
||||
command => '/usr/sbin/update-ca-certificates'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
file { "/etc/keystone/domains/keystone.${domain}.conf":
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '644',
|
||||
require => File['/etc/keystone/domains'],
|
||||
}
|
||||
|
||||
File["/etc/keystone/domains/keystone.${domain}.conf"] -> Keystone_config <||>
|
||||
|
||||
Keystone_config {
|
||||
provider => 'ini_setting_domain',
|
||||
}
|
||||
|
||||
keystone_config {
|
||||
"${domain}/identity/driver": value => $identity_driver;
|
||||
"${domain}/ldap/url": value => $url;
|
||||
"${domain}/ldap/use_tls": value => $use_tls;
|
||||
"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;
|
||||
"${domain}/ldap/suffix": value => $suffix;
|
||||
"${domain}/ldap/user": value => $user;
|
||||
"${domain}/ldap/password": value => $password;
|
||||
"${domain}/ldap/query_scope": value => $query_scope;
|
||||
"${domain}/ldap/user_tree_dn": value => $user_tree_dn;
|
||||
"${domain}/ldap/user_filter": value => $user_filter;
|
||||
"${domain}/ldap/user_objectclass": value => $user_objectclass;
|
||||
"${domain}/ldap/user_id_attribute": value => $user_id_attribute;
|
||||
"${domain}/ldap/user_name_attribute": value => $user_name_attribute;
|
||||
"${domain}/ldap/user_pass_attribute": value => $user_pass_attribute;
|
||||
"${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
|
||||
"${domain}/ldap/user_enabled_default": value => $user_enabled_default;
|
||||
"${domain}/ldap/user_enabled_mask": value => $user_enabled_mask;
|
||||
"${domain}/ldap/user_allow_create": value => $user_allow_create;
|
||||
"${domain}/ldap/user_allow_update": value => $user_allow_update;
|
||||
"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
|
||||
"${domain}/ldap/group_tree_dn": value => $group_tree_dn;
|
||||
"${domain}/ldap/group_filter": value => $group_filter;
|
||||
"${domain}/ldap/group_objectclass": value => $group_objectclass;
|
||||
"${domain}/ldap/group_id_attribute": value => $group_id_attribute;
|
||||
"${domain}/ldap/group_name_attribute": value => $group_name_attribute;
|
||||
"${domain}/ldap/group_member_attribute": value => $group_member_attribute;
|
||||
"${domain}/ldap/group_desc_attribute": value => $group_desc_attribute;
|
||||
"${domain}/ldap/group_allow_create": value => $group_allow_create;
|
||||
"${domain}/ldap/group_allow_update": value => $group_allow_update;
|
||||
"${domain}/ldap/group_allow_delete": value => $group_allow_delete;
|
||||
}
|
||||
|
||||
keystone_domain { "${domain}":
|
||||
ensure => present,
|
||||
enabled => true,
|
||||
}
|
||||
|
||||
}
|
|
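Review bot: `file { "/etc/keystone/domains/keystone.${domain}.conf"` is created with `mode => '644'` and the `keystone_config` block then writes `"${domain}/ldap/password": value => $password` into it, so the LDAP bind password for every additional domain lands in a world-readable file on each controller. `mode => '0640'` together with `group` set to the account Keystone runs under (that group is not named on this page — use whatever the keystone module uses) keeps it readable by the service only. `$tls_cacertdir` is assigned only inside `if $use_tls`, so with TLS disabled `"${domain}/ldap/tls_cacertdir"` receives an unset variable — presumably undef — confirm that the ini provider accepts it, or set `$tls_cacertdir = ''` before the `if`. `mode => 0644` on `$cacertfile` is a bare octal that newer Puppet rejects; quote it as `'0644'`.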
@ -0,0 +1,40 @@
|
|||
define plugin_ldap::multiple_domain (
|
||||
$domain_info = $title,
|
||||
$identity_driver = undef
|
||||
){
|
||||
$domain_params_hash = parse_it($domain_info)
|
||||
plugin_ldap::keystone { "$domain_params_hash['domain']" :
|
||||
domain => $domain_params_hash['domain'],
|
||||
identity_driver => $identity_driver,
|
||||
url => $domain_params_hash['url'],
|
||||
use_tls => $domain_params_hash['use_tls'],
|
||||
ca_chain => $domain_params_hash['ca_chain'],
|
||||
suffix => $domain_params_hash['suffix'],
|
||||
user => $domain_params_hash['user'],
|
||||
password => $domain_params_hash['password'],
|
||||
query_scope => $domain_params_hash['query_scope'],
|
||||
user_tree_dn => $domain_params_hash['user_tree_dn'],
|
||||
user_filter => $domain_params_hash['user_filter'],
|
||||
user_objectclass => $domain_params_hash['user_objectclass'],
|
||||
user_id_attribute => $domain_params_hash['user_id_attribute'],
|
||||
user_name_attribute => $domain_params_hash['user_name_attribute'],
|
||||
user_pass_attribute => $domain_params_hash['user_pass_attribute'],
|
||||
user_enabled_attribute => $domain_params_hash['user_enabled_attribute'],
|
||||
user_enabled_default => $domain_params_hash['user_enabled_default'],
|
||||
user_enabled_mask => $domain_params_hash['user_enabled_mask'],
|
||||
user_allow_create => $domain_params_hash['user_allow_create'],
|
||||
user_allow_update => $domain_params_hash['user_allow_update'],
|
||||
user_allow_delete => $domain_params_hash['user_allow_delete'],
|
||||
group_tree_dn => $domain_params_hash['group_tree_dn'],
|
||||
group_filter => $domain_params_hash['group_filter'],
|
||||
group_objectclass => $domain_params_hash['group_objectclass'],
|
||||
group_id_attribute => $domain_params_hash['group_id_attribute'],
|
||||
group_name_attribute => $domain_params_hash['group_name_attribute'],
|
||||
group_member_attribute => $domain_params_hash['group_member_attribute'],
|
||||
group_desc_attribute => $domain_params_hash['group_desc_attribute'],
|
||||
group_allow_create => $domain_params_hash['group_allow_create'],
|
||||
group_allow_update => $domain_params_hash['group_allow_update'],
|
||||
group_allow_delete => $domain_params_hash['group_allow_delete'],
|
||||
}
|
||||
|
||||
}
|
|
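Review bot: The resource title `"$domain_params_hash['domain']"` depends on the parser interpolating the index of a bare `$var[...]` inside a string; `"${domain_params_hash['domain']}"` is the unambiguous spelling. A block with no `domain=` line yields an empty title, which Puppet rejects, and two blocks naming the same domain yield a duplicate declaration — neither error identifies the offending block, so a check such as `if ! $domain_params_hash['domain'] { fail('additional domain block has no domain= line') }` before the `plugin_ldap::keystone` declaration gives a readable failure. Note also that `$domain_info = $title` makes the whole textarea block, `password=` line included, the title of every `plugin_ldap::multiple_domain` instance; resource titles are printed in agent log lines and stored in reports, which is presumably not intended for a bind credential.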
@ -146,3 +146,9 @@ attributes:
|
|||
description: 'LDAP attribute mapped to description.'
|
||||
weight: 105
|
||||
type: "text"
|
||||
additional_domains:
|
||||
type: "textarea"
|
||||
weight: 110
|
||||
value: ''
|
||||
label: "List of additional Domains"
|
||||
description: "Blocks of additional domains/parameters that should be created"
|
||||
|
|
|
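Review bot: The `additional_domains` description `Blocks of additional domains/parameters that should be created` does not tell the operator the format the deployment code expects: one `key=value` per line using the same names as the fields above (`domain`, `url`, `user`, `password`, …), one block per domain, blocks separated by an empty line, and a certificate chain given as `ca_chain=-----BEGIN CERTIFICATE-----` followed by the PEM lines. Spelling that out in the description avoids a misconfiguration that currently surfaces only as a Puppet error during deployment.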
@ -1,16 +1,16 @@
|
|||
name: ldap
|
||||
title: LDAP plugin for Keystone
|
||||
version: '1.0.0'
|
||||
version: '2.0.0'
|
||||
description: Enable to use LDAP authentication backend for Keystone
|
||||
fuel_version: ['7.0']
|
||||
fuel_version: ['8.0']
|
||||
licenses: ['Apache License Version 2.0']
|
||||
authors: ['Mirantis']
|
||||
homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
|
||||
groups: ['network']
|
||||
releases:
|
||||
- os: ubuntu
|
||||
version: 2015.1-7.0
|
||||
mode: ['ha', 'multinode']
|
||||
version: liberty-8.0
|
||||
mode: ['ha']
|
||||
deployment_scripts_path: deployment_scripts/
|
||||
repository_path: repositories/ubuntu
|
||||
package_version: '3.0.0'
|
||||
|
|