Update Keystone Configuration for Liberty

This patch includes the following updates based on the updated source in Keystone's Liberty release: - keystone-paste.ini - policy.json The following defaults have their values changed in order to accommodate Keystone's configuration method for the Liberty release. Note that any user_variables.yml values that have been set to customise these will need to be reviewed and adjusted accordingly for Liberty. - keystone_identity_driver - keystone_token_driver - keystone_token_provider - keystone_revocation_driver - keystone_assignment_driver - keystone_resource_driver - keystone_ldap_identity_driver DocImpact UpgradeImpact Implements: blueprint liberty-release Change-Id: Ib6f6c933c5d300057926143c9aa964bac292be08
2015-09-23 19:15:45 +01:00 · 2015-09-23 19:15:45 +01:00 · c411af7b80
commit c411af7b80
parent 3a54cc7484
3 changed files with 36 additions and 38 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -35,15 +35,15 @@ keystone_rpc_backend: rabbit

 ## Drivers
 keystone_auth_methods: "password,token"
-keystone_identity_driver: "keystone.identity.backends.sql.Identity"
-# For a sql backed token storage use: "keystone.token.backends.sql.Token"
-keystone_token_driver: "keystone.token.persistence.backends.memcache.Token"
-keystone_token_provider: "keystone.token.providers.fernet.Provider"
+keystone_identity_driver: sql
+# For a sql backed token storage use: "sql"
+keystone_token_driver: memcache
+keystone_token_provider: fernet
 keystone_token_expiration: 43200
 keystone_token_cache_time: 3600

 # Set the revocation driver used within keystone.
-keystone_revocation_driver: keystone.contrib.revoke.backends.sql.Revoke
+keystone_revocation_driver: sql
 keystone_revocation_cache_time: 3600
 keystone_revocation_expiration_buffer: 1800

@ -57,10 +57,10 @@ keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh

 keystone_cache_expiration_time: 5400

-keystone_assignment_driver: keystone.assignment.backends.sql.Assignment
+keystone_assignment_driver: sql

 keystone_resource_cache_time: 3600
-keystone_resource_driver: keystone.resource.backends.sql.Resource
+keystone_resource_driver: sql

 keystone_bind_address: 0.0.0.0

@ -168,7 +168,7 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #     password: "secrete"
 #     ...

-keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
+keystone_ldap_identity_driver: ldap
 keystone_ldap_domain_config_dir: /etc/keystone/domains

 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
--- a/templates/keystone-paste.ini.j2
+++ b/templates/keystone-paste.ini.j2
@ -1,70 +1,67 @@
 # Keystone PasteDeploy configuration file.

 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
+use = egg:keystone#debug

 [filter:request_id]
-paste.filter_factory = oslo_middleware:RequestId.factory
+use = egg:keystone#request_id

 [filter:build_auth_context]
-paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
+use = egg:keystone#build_auth_context

 [filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+use = egg:keystone#token_auth

 [filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+use = egg:keystone#admin_token_auth

 [filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+use = egg:keystone#json_body

 [filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+use = egg:keystone#user_crud_extension

 [filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+use = egg:keystone#crud_extension

 [filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+use = egg:keystone#ec2_extension

 [filter:ec2_extension_v3]
-paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
+use = egg:keystone#ec2_extension_v3

 [filter:federation_extension]
-paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
+use = egg:keystone#federation_extension

 [filter:oauth1_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+use = egg:keystone#oauth1_extension

 [filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
+use = egg:keystone#s3_extension

 [filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:endpoint_policy_extension]
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
+use = egg:keystone#endpoint_filter_extension

 [filter:simple_cert_extension]
-paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
+use = egg:keystone#simple_cert_extension

 [filter:revoke_extension]
-paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
+use = egg:keystone#revoke_extension

 [filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+use = egg:keystone#url_normalize

 [filter:sizelimit]
-paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+use = egg:keystone#sizelimit

 [app:public_service]
-paste.app_factory = keystone.service:public_app_factory
+use = egg:keystone#public_service

 [app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
+use = egg:keystone#service_v3

 [app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
+use = egg:keystone#admin_service

 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
@ -79,13 +76,13 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3

 [app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
+use = egg:keystone#public_version_service

 [app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
+use = egg:keystone#admin_version_service

 [pipeline:public_version_api]
 pipeline = sizelimit url_normalize public_version_service
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -6,6 +6,7 @@
    "admin_or_owner": "rule:admin_required or rule:owner",
    "token_subject": "user_id:%(target.token.user_id)s",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",

    "default": "rule:admin_required",

@ -88,14 +89,13 @@
    "identity:update_policy": "rule:admin_required",
    "identity:delete_policy": "rule:admin_required",

-    "identity:check_token": "rule:admin_required",
-    "identity:validate_token": "rule:service_or_admin",
+    "identity:check_token": "rule:admin_or_token_subject",
+    "identity:validate_token": "rule:service_admin_or_token_subject",
    "identity:validate_token_head": "rule:service_or_admin",
    "identity:revocation_list": "rule:service_or_admin",
    "identity:revoke_token": "rule:admin_or_token_subject",

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
@ -128,6 +128,7 @@
    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
    "identity:get_endpoint_group_in_project": "rule:admin_required",
+    "identity:list_endpoint_groups_for_project": "rule:admin_required",
    "identity:add_endpoint_group_to_project": "rule:admin_required",
    "identity:remove_endpoint_group_from_project": "rule:admin_required",