Rush has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/376531 )

Change subject: openstack: cleanup keystone references in old module
......................................................................

openstack: cleanup keystone references in old module

Bug: T171494
Change-Id: Ibebb0e4ee6186d642d9ea63e54f04ad624385333
---
D modules/openstack/files/keystone-admin-uwsgi.logrotate
D modules/openstack/files/keystone-public-uwsgi.logrotate
D modules/openstack/files/liberty/keystone/keystone-paste.ini
D modules/openstack/files/liberty/keystone/logging.conf
D modules/openstack/files/liberty/keystone/policy.json
D 
modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
D modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py
D modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
D modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
D modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
D modules/openstack/files/liberty/keystoneclient/__init__.py
D modules/openstack/files/liberty/keystoneclient/wmtotp.py
D modules/openstack/manifests/keystone/hooks.pp
D modules/openstack/manifests/keystone/service.pp
D modules/openstack/templates/liberty/keystone/keystone.conf.erb
R 
modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt
R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py
R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
R modules/openstack2/files/monitor/keystone/check_keystone_projects.py
R modules/openstack2/files/monitor/keystone/check_keystone_roles.py
M modules/openstack2/manifests/keystone/hooks.pp
M modules/openstack2/manifests/keystone/monitor.pp
M modules/openstack2/manifests/keystone/service.pp
D modules/role/manifests/labs/openstack/keystone/server.pp
26 files changed, 4 insertions(+), 1,427 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/31/376531/1

diff --git a/modules/openstack/files/keystone-admin-uwsgi.logrotate 
b/modules/openstack/files/keystone-admin-uwsgi.logrotate
deleted file mode 100644
index ad9a1b4..0000000
--- a/modules/openstack/files/keystone-admin-uwsgi.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
-/var/log/designate/keystone-admin-uwsgi.log {
-    daily
-    missingok
-    compress
-    delaycompress
-    notifempty
-    copytruncate
-}
diff --git a/modules/openstack/files/keystone-public-uwsgi.logrotate 
b/modules/openstack/files/keystone-public-uwsgi.logrotate
deleted file mode 100644
index 7766a2b..0000000
--- a/modules/openstack/files/keystone-public-uwsgi.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
-/var/log/designate/keystone-public-uwsgi.log {
-    daily
-    missingok
-    compress
-    delaycompress
-    notifempty
-    copytruncate
-}
diff --git a/modules/openstack/files/liberty/keystone/keystone-paste.ini 
b/modules/openstack/files/liberty/keystone/keystone-paste.ini
deleted file mode 100644
index 0792f42..0000000
--- a/modules/openstack/files/liberty/keystone/keystone-paste.ini
+++ /dev/null
@@ -1,103 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:keystone#debug
-
-[filter:request_id]
-use = egg:keystone#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:admin_token_auth]
-use = egg:keystone#admin_token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:user_crud_extension]
-use = egg:keystone#user_crud_extension
-
-[filter:crud_extension]
-use = egg:keystone#crud_extension
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:federation_extension]
-use = egg:keystone#federation_extension
-
-[filter:oauth1_extension]
-use = egg:keystone#oauth1_extension
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:endpoint_filter_extension]
-use = egg:keystone#endpoint_filter_extension
-
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
-[filter:revoke_extension]
-use = egg:keystone#revoke_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:keystone#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth 
json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension 
federation_extension oauth1_extension endpoint_filter_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
diff --git a/modules/openstack/files/liberty/keystone/logging.conf 
b/modules/openstack/files/liberty/keystone/logging.conf
deleted file mode 100644
index 59df5f0..0000000
--- a/modules/openstack/files/liberty/keystone/logging.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-[loggers]
-keys=root
-
-[formatters]
-keys=normal,normal_with_name,debug
-
-[handlers]
-keys=production,file,devel
-
-[logger_root]
-level=WARNING
-handlers=file
-
-[handler_production]
-class=handlers.SysLogHandler
-level=WARNING
-formatter=normal_with_name
-args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
-
-[handler_file]
-class=FileHandler
-level=WARNING
-formatter=normal_with_name
-args=('/var/log/keystone/keystone.log', 'a')
-
-[handler_devel]
-class=StreamHandler
-level=WARNING
-formatter=debug
-args=(sys.stdout,)
-
-[formatter_normal]
-format=%(asctime)s %(levelname)s %(message)s
-
-[formatter_normal_with_name]
-format=(%(name)s): %(asctime)s %(levelname)s %(message)s
-
-[formatter_debug]
-format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s 
%(message)s
diff --git a/modules/openstack/files/liberty/keystone/policy.json 
b/modules/openstack/files/liberty/keystone/policy.json
deleted file mode 100644
index 2ed289c..0000000
--- a/modules/openstack/files/liberty/keystone/policy.json
+++ /dev/null
@@ -1,183 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner" : "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- 
-    "default": "rule:admin_required",
- 
-    "identity:get_region": "",
-    "identity:list_regions": "rule:admin_required",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
- 
-    "identity:get_service": "",
-    "identity:list_services": "",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
- 
-    "identity:get_endpoint": "",
-    "identity:list_endpoints": "",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
- 
-    "identity:get_domain": "rule:admin_required",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
- 
-    "identity:get_project": "rule:admin_required",
-    "identity:list_projects": "",
-    "identity:list_user_projects": "",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
- 
-    "identity:get_user": "",
-    "identity:list_users": "",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required",
-    "identity:change_password": "rule:admin_or_owner",
- 
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
- 
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
- 
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and 
user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and 
user_id:%(target.credential.user_id)s)",
- 
-    "identity:get_role": "",
-    "identity:list_roles": "",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
- 
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
- 
-    "identity:list_role_assignments": "",
- 
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
- 
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
- 
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "rule:admin_required",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
- 
-    "identity:create_consumer": "rule:admin_required",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
- 
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
- 
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
- 
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": 
"rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": 
"rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
- 
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
- 
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
- 
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
- 
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
- 
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
- 
-    "identity:list_projects_for_groups": "",
-    "identity:list_domains_for_groups": "",
- 
-    "identity:list_revoke_events": "",
- 
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": 
"rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": 
"rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": 
"rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
- 
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
-}
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
 
b/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
deleted file mode 100644
index 5ab1073..0000000
--- 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-[keystone.auth.wmtotp]
-default = wmfkeystoneauth.wmtotp:Wmtotp
-
-[keystone.auth.password]
-whitelist = wmfkeystoneauth.password_whitelist:PasswordWhitelist
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py 
b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py
+++ /dev/null
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
 
b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
deleted file mode 100644
index 2a1d4ed..0000000
--- 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2016 Andrew Bogott for the Wikimedia Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from netaddr import IPNetwork, IPAddress
-
-from oslo_log import log
-from oslo_config import cfg
-
-from keystone.auth import plugins as auth_plugins
-from keystone.auth.plugins import password
-from keystone import exception
-from keystone.i18n import _
-
-METHOD_NAME = 'password'
-
-LOG = log.getLogger(__name__)
-
-whitelist_ops = [
-    cfg.MultiStrOpt('password_whitelist',
-                    default=[],
-                    help='user:ip range permitted to use password auth.'
-                         'also supports a simple one-character * wildcard'
-                         'for user.'),
-]
-
-CONF = cfg.CONF
-CONF.register_opts(whitelist_ops, group='auth')
-
-
-def check_whitelist(user_id, remote_addr):
-    """Return True if the user_id/remote_addr combination is in our whitelist.
-       Otherwise, return raise Unauthorized"""
-    LOG.debug("Auth request for user %s from %s" % (user_id,
-                                                    remote_addr))
-
-    for entry in CONF.auth.password_whitelist:
-        user, subnet = entry.split(':', 1)
-        if user == "*" or user_id == user:
-            if IPAddress(remote_addr) in IPNetwork(subnet):
-                return True
-
-    LOG.warn('Password auth not allowed for %s from %s' % (user_id,
-                                                           remote_addr))
-
-    msg = _('Password auth not allowed for this username from this ip.')
-    raise exception.Unauthorized(msg)
-
-
-class PasswordWhitelist(password.Password):
-
-    def authenticate(self, context, auth_payload, auth_context):
-        """Verify username and password but only allow access for configured
-           accounts and from configured IP ranges."""
-
-        user_info = auth_plugins.UserAuthInfo.create(auth_payload, METHOD_NAME)
-        check_whitelist(user_info.user_id,
-                        context['environment']['REMOTE_ADDR'])
-
-        return super(PasswordWhitelist, self).authenticate(context,
-                                                           auth_payload,
-                                                           auth_context)
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py 
b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
deleted file mode 100644
index 33527a1..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2016 Wikimedia Foundation
-#
-#  This is part of a custom Keystone auth extension specific to Wikimedia Labs.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import mwclient
-
-from oslo_log import log
-
-LOG = log.getLogger(__name__)
-
-
-class WikitechClient(object):
-    """MediaWiki client, used for checking oath creds against Wikitech"""
-
-    def __init__(
-        self, host,
-        consumer_token, consumer_secret,
-        access_token, access_secret
-    ):
-        self.site = self._site_for_host(
-            host, consumer_token,
-            consumer_secret, access_token, access_secret)
-
-    @classmethod
-    def _site_for_host(
-        cls, host,
-        consumer_token, consumer_secret,
-        access_token, access_secret
-    ):
-        return mwclient.Site(
-            host,
-            consumer_token=consumer_token,
-            consumer_secret=consumer_secret,
-            access_token=access_token,
-            access_secret=access_secret,
-            clients_useragent='Keystone',
-            force_login=True
-        )
-
-    # Returns a dict with two members:  'valid' and 'enabled'.
-    def oathvalidate(self, username, totp):
-        token = self.site.get_token('csrf', force=True)
-        result = self.site.api(
-            'oathvalidate', formatversion=2,
-            user=username,
-            totp=totp,
-            token=token
-        )
-        return result['oathvalidate']
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py 
b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
deleted file mode 100644
index 370a0be..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
+++ /dev/null
@@ -1,118 +0,0 @@
-# Copyright 2016 Wikimedia Foundation
-#
-#  (this is a custom hack local to the Wikimedia Labs deployment)
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_log import log
-from oslo_config import cfg
-
-from keystone import auth
-from keystone.auth import plugins as auth_plugins
-import password_whitelist
-from keystone.common import dependency
-from keystone import exception
-from keystone.i18n import _
-
-import wikitechclient
-
-METHOD_NAME = 'wmtotp'
-
-LOG = log.getLogger(__name__)
-CONF = cfg.CONF
-
-oathoptions = [
-    cfg.StrOpt('dbuser',
-               default='wiki_user',
-               help='Database user for retrieving OATH secret.'),
-    cfg.StrOpt('dbpass',
-               default='12345',
-               help='Database password for retrieving OATH secret.'),
-    cfg.StrOpt('dbhost',
-               default='localhost',
-               help='Database host for retrieving OATH secret.'),
-    cfg.StrOpt('dbname',
-               default='labswiki',
-               help='Database name for retrieving OATH secret.'),
-    cfg.StrOpt('wikitech_host',
-               default='wikitech.wikimedia.org',
-               help='fqdn for the mediawiki host that supports the oath api'),
-    cfg.StrOpt('wikitech_consumer_token'),
-    cfg.StrOpt('wikitech_consumer_secret'),
-    cfg.StrOpt('wikitech_access_token'),
-    cfg.StrOpt('wikitech_access_secret'),
-]
-
-for option in oathoptions:
-    CONF.register_opt(option, group='oath')
-
-
-@dependency.requires('identity_api')
-class Wmtotp(auth.AuthMethodHandler):
-
-    method = METHOD_NAME
-
-    def authenticate(self, context, auth_payload, auth_context):
-        """Try to authenticate against the identity backend."""
-        user_info = auth_plugins.UserAuthInfo.create(auth_payload, self.method)
-
-        # Before we do anything else, make sure that this user is allowed
-        #  access from their source IP
-        password_whitelist.check_whitelist(user_info.user_id,
-                                           
context['environment']['REMOTE_ADDR'])
-
-        # FIXME(gyee): identity.authenticate() can use some refactoring since
-        # all we care is password matches
-        try:
-            self.identity_api.authenticate(
-                context,
-                user_id=user_info.user_id,
-                password=user_info.password)
-        except AssertionError:
-            # authentication failed because of invalid username or password
-            msg = _('Invalid username or password')
-            raise exception.Unauthorized(msg)
-
-        # Password auth succeeded, check two-factor
-        # LOG.debug("OATH: Doing 2FA for user_info " +
-        #     ( "%s(%r)" % (user_info.__class__, user_info.__dict__) ) )
-        # LOG.debug("OATH: Doing 2FA for auth_payload " +
-        #     ( "%s(%r)" % (auth_payload.__class__, auth_payload) ) )
-        if 'totp' not in auth_payload['user']:
-            LOG.debug("OATH: 2FA failed, missing totp param")
-            msg = _('Missing two-factor token')
-            raise exception.Unauthorized(msg)
-
-        wtclient = wikitechclient.WikitechClient(
-            CONF.oath.wikitech_host,
-            CONF.oath.wikitech_consumer_token,
-            CONF.oath.wikitech_consumer_secret,
-            CONF.oath.wikitech_access_token,
-            CONF.oath.wikitech_access_secret)
-        valid = wtclient.oathvalidate(user_info.user_ref['name'],
-                                      auth_payload['user']['totp'])
-
-        if valid['enabled']:
-            if valid['valid']:
-                LOG.debug("OATH: 2FA passed")
-            else:
-                LOG.debug("OATH: 2FA failed")
-                msg = _('Invalid two-factor token')
-                raise exception.Unauthorized(msg)
-        else:
-            LOG.debug("OATH: user '%s' does not have 2FA enabled.",
-                      user_info.user_ref['name'])
-            msg = _('2FA is not enabled; login forbidden')
-            raise exception.Unauthorized(msg)
-
-        auth_context['user_id'] = user_info.user_id
diff --git a/modules/openstack/files/liberty/keystoneclient/__init__.py 
b/modules/openstack/files/liberty/keystoneclient/__init__.py
deleted file mode 100644
index c9ecd12..0000000
--- a/modules/openstack/files/liberty/keystoneclient/__init__.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystoneclient.auth.identity.v3.base import *  # noqa
-from keystoneclient.auth.identity.v3.federated import *  # noqa
-from keystoneclient.auth.identity.v3.password import *  # noqa
-from keystoneclient.auth.identity.v3.token import *  # noqa
-from keystoneclient.auth.identity.v3.wmtotp import *  # noqa
-
-
-__all__ = ['Auth',
-           'AuthConstructor',
-           'AuthMethod',
-           'BaseAuth',
-
-           'FederatedBaseAuth',
-
-           'Password',
-           'PasswordMethod',
-
-           'Mwtotp',
-           'MwtotpMethod',
-
-           'Token',
-           'TokenMethod']
diff --git a/modules/openstack/files/liberty/keystoneclient/wmtotp.py 
b/modules/openstack/files/liberty/keystoneclient/wmtotp.py
deleted file mode 100644
index c911801..0000000
--- a/modules/openstack/files/liberty/keystoneclient/wmtotp.py
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-#  Custom addition for Wikimedia Labs to add a totp plugin to keystoneclient
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import getpass
-import sys
-
-from oslo_config import cfg
-
-from keystoneclient.auth.identity.v3 import base
-from keystoneclient import utils
-
-__all__ = ['WmtotpMethod', 'Wmtotp']
-
-
-class WmtotpMethod(base.AuthMethod):
-    """Construct a User/Password/totp based authentication method.
-
-    :param string password: Password for authentication.
-    :param string totp: 2FA (TOTP) token for authentication.
-    :param string username: Username for authentication.
-    :param string user_id: User ID for authentication.
-    :param string user_domain_id: User's domain ID for authentication.
-    :param string user_domain_name: User's domain name for authentication.
-    """
-
-    _method_parameters = ['user_id',
-                          'username',
-                          'user_domain_id',
-                          'user_domain_name',
-                          'password',
-                          'totp']
-
-    def get_auth_data(self, session, auth, headers, **kwargs):
-        user = {'password': self.password, 'totp': self.totp}
-
-        if self.user_id:
-            user['id'] = self.user_id
-        elif self.username:
-            user['name'] = self.username
-
-            if self.user_domain_id:
-                user['domain'] = {'id': self.user_domain_id}
-            elif self.user_domain_name:
-                user['domain'] = {'name': self.user_domain_name}
-
-        return 'wmtotp', {'user': user}
-
-
-class Wmtotp(base.AuthConstructor):
-    """A plugin for authenticating with a username, password, totp token
-
-    :param string auth_url: Identity service endpoint for authentication.
-    :param string password: Password for authentication.
-    :param string totp: totp token for authentication
-    :param string username: Username for authentication.
-    :param string user_id: User ID for authentication.
-    :param string user_domain_id: User's domain ID for authentication.
-    :param string user_domain_name: User's domain name for authentication.
-    :param string trust_id: Trust ID for trust scoping.
-    :param string domain_id: Domain ID for domain scoping.
-    :param string domain_name: Domain name for domain scoping.
-    :param string project_id: Project ID for project scoping.
-    :param string project_name: Project name for project scoping.
-    :param string project_domain_id: Project's domain ID for project.
-    :param string project_domain_name: Project's domain name for project.
-    :param bool reauthenticate: Allow fetching a new token if the current one
-                                is going to expire. (optional) default True
-    """
-
-    _auth_method_class = WmtotpMethod
-
-    @classmethod
-    def get_options(cls):
-        options = super(Wmtotp, cls).get_options()
-
-        options.extend([
-            cfg.StrOpt('user-id', help='User ID'),
-            cfg.StrOpt('user-name', dest='username', help='Username',
-                       deprecated_name='username'),
-            cfg.StrOpt('user-domain-id', help="User's domain id"),
-            cfg.StrOpt('user-domain-name', help="User's domain name"),
-            cfg.StrOpt('password', secret=True, help="User's password"),
-            cfg.StrOpt('totp', secret=True, help="2FA (TOTP) token"),
-        ])
-
-        return options
-
-    @classmethod
-    def load_from_argparse_arguments(cls, namespace, **kwargs):
-        if not (kwargs.get('password') or namespace.os_password):
-            kwargs['password'] = utils.prompt_user_password()
-
-        if not kwargs.get('totp') and (hasattr(sys.stdin, 'isatty') and
-                                       sys.stdin.isatty()):
-            try:
-                kwargs['totp'] = getpass.getpass('2FA (TOTP) token: ')
-            except EOFError:
-                pass
-
-        return super(Wmtotp, cls).load_from_argparse_arguments(namespace,
-                                                               **kwargs)
diff --git a/modules/openstack/manifests/keystone/hooks.pp 
b/modules/openstack/manifests/keystone/hooks.pp
deleted file mode 100644
index 5b7cd74..0000000
--- a/modules/openstack/manifests/keystone/hooks.pp
+++ /dev/null
@@ -1,23 +0,0 @@
-# Hook keystone notification events for custom
-#  project swizzling
-class openstack::keystone::hooks(
-    $openstack_version  = $::openstack::version)
-{
-    file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks':
-        source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystonehooks",
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        notify  => Service['keystone'],
-        recurse => true,
-    }
-    file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks.egg-info':
-        source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystonehooks.egg-info",
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        notify  => Service['keystone'],
-        recurse => true,
-    }
-}
-
diff --git a/modules/openstack/manifests/keystone/service.pp 
b/modules/openstack/manifests/keystone/service.pp
deleted file mode 100644
index d6ae287..0000000
--- a/modules/openstack/manifests/keystone/service.pp
+++ /dev/null
@@ -1,230 +0,0 @@
-# keystone is the identity service of openstack
-# http://docs.openstack.org/developer/keystone/
-class openstack::keystone::service($keystoneconfig, 
$openstack_version=$::openstack::version) {
-    include ::openstack::keystone::hooks
-
-    package { 'keystone':
-        ensure  => present,
-    }
-    package { 'python-oath':
-        ensure  => present,
-    }
-    package { 'python-mysql.connector':
-        ensure  => present,
-    }
-
-    if $keystoneconfig['token_driver'] == 'redis' {
-        package { 'python-keystone-redis':
-            ensure => present;
-        }
-    }
-
-    $labs_osm_host = hiera('labs_osm_host')
-
-    include ::network::constants
-    $prod_networks = $network::constants::production_networks
-    $labs_networks = $network::constants::labs_networks
-
-    file {
-        '/var/log/keystone':
-            ensure => directory,
-            owner  => 'keystone',
-            group  => 'www-data',
-            mode   => '0775';
-        '/var/log/keystone/uwsgi':
-            ensure => directory,
-            owner  => 'www-data',
-            group  => 'www-data',
-            mode   => '0755';
-        '/etc/keystone':
-            ensure => directory,
-            owner  => 'keystone',
-            group  => 'keystone',
-            mode   => '0755';
-        '/etc/keystone/keystone.conf':
-            content => 
template("openstack/${openstack_version}/keystone/keystone.conf.erb"),
-            owner   => 'keystone',
-            group   => 'keystone',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            require => Package['keystone'],
-            mode    => '0444';
-        '/etc/keystone/keystone-paste.ini':
-            source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/keystone-paste.ini",
-            mode    => '0644',
-            owner   => 'root',
-            group   => 'root',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            require => Package['keystone'];
-        '/etc/keystone/policy.json':
-            source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/policy.json",
-            mode    => '0644',
-            owner   => 'root',
-            group   => 'root',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            require => Package['keystone'];
-        '/etc/keystone/logging.conf':
-            source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/logging.conf",
-            mode    => '0644',
-            owner   => 'root',
-            group   => 'root',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            require => Package['keystone'];
-        '/usr/lib/python2.7/dist-packages/wmfkeystoneauth':
-            source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth",
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0644',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            recurse => true;
-        '/usr/lib/python2.7/dist-packages/wmfkeystoneauth.egg-info':
-            source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth.egg-info",
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0644',
-            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
-            recurse => true;
-    }
-
-    logrotate::conf { 'keystone-public-uwsgi':
-        ensure => present,
-        source => 
'puppet:///modules/openstack/keystone-public-uwsgi.logrotate',
-    }
-
-    logrotate::conf { 'keystone-admin-uwsgi':
-        ensure => present,
-        source => 'puppet:///modules/openstack/keystone-admin-uwsgi.logrotate',
-    }
-
-    if $::fqdn == hiera('labs_nova_controller') {
-        # Clean up expired keystone tokens, because otherwise keystone leaves 
them
-        #  around forever.
-        cron {
-            'cleanup_expired_keystone_tokens':
-                ensure  => present,
-                user    => 'root',
-                minute  => 20,
-                command => '/usr/bin/keystone-manage token_flush > /dev/null 
2>&1',
-        }
-
-        # Clean up service user tokens.  These tend to pile up
-        #  quickly, and are never used for Horizon sessions.
-        #  so, don't wait for them to expire, just delete them
-        #  after a few hours.
-        #
-        # Tokens only know when they expire and not when they
-        #  were created.  Since token lifespan is 7.1
-        #  days (613440 seconds), any token that expires
-        #  less than 7 days from now is already at least
-        #  2 hours old.
-        $keystone_db_name = $keystoneconfig['db_name']
-        $keystone_db_user = $keystoneconfig['db_user']
-        $keystone_db_pass = $keystoneconfig['db_pass']
-        $keystone_db_host = $keystoneconfig['db_host']
-        cron {
-            'cleanup_novaobserver_keystone_tokens':
-                ensure  => present,
-                user    => 'root',
-                minute  => 30,
-                command => "/usr/bin/mysql ${keystone_db_name} 
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE 
FROM token WHERE user_id=\"novaobserver\" AND NOW() + INTERVAL 7 day > expires 
LIMIT 10000;'",
-        }
-        cron {
-            'cleanup_novaadmin_keystone_tokens':
-                ensure  => present,
-                user    => 'root',
-                minute  => 40,
-                command => "/usr/bin/mysql ${keystone_db_name} 
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE 
FROM token WHERE user_id=\"novaadmin\" AND NOW() + INTERVAL 7 day > expires 
LIMIT 10000;'",
-        }
-
-        monitoring::service { 'keystone-http-35357':
-            description   => 'keystone admin endpoint',
-            check_command => 'check_http_on_port!35357',
-        }
-        monitoring::service { 'keystone-http-5000': # v2 api is limited here
-            description   => 'keystone public endoint',
-            check_command => 'check_http_on_port!5000',
-        }
-
-        if ($openstack_version == 'liberty') {
-            # Keystone says that you should run it with uwsgi in Liberty,
-            #  but it's actually buggy and terrible in that config.  So, use 
eventlet
-            #  ('keystone' service) on liberty, and we'll try uwsgi again on 
mitaka.
-            $enable_uwsgi = false
-
-            service { 'keystone':
-                ensure    => running,
-                subscribe => File['/etc/keystone/keystone.conf'],
-                require   => Package['keystone'];
-            }
-            service { 'uwsgi-keystone-admin':
-                ensure => stopped,
-            }
-            service { 'uwsgi-keystone-public':
-                ensure => stopped,
-            }
-        } else {
-            $enable_uwsgi = true
-
-            # stop the keystone process itself; this will be handled
-            #  by uwsgi
-            service { 'keystone':
-                ensure  => stopped,
-                require => Package['keystone'];
-            }
-            file {'/etc/init/keystone.conf':
-                ensure  => 'absent';
-            }
-        }
-    } else {
-        $enable_uwsgi = false
-
-        # Because of the enabled => false, the uwsgi::app
-        #  declarations below don't actually define
-        #  services for the keystone processes.  We need
-        #  to define them here (even though they're stopped)
-        #  so we can refer to them elsewhere.
-        service { 'uwsgi-keystone-admin':
-            ensure => stopped,
-        }
-        service { 'uwsgi-keystone-public':
-            ensure => stopped,
-        }
-        service { 'keystone':
-            ensure  => stopped,
-            require => Package['keystone'];
-        }
-    }
-
-    # Set up uwsgi services
-
-    # Keystone admin API
-    uwsgi::app { 'keystone-admin':
-        enabled  => $enable_uwsgi,
-        settings => {
-            uwsgi => {
-                die-on-term => true,
-                http        => "0.0.0.0:${keystoneconfig['auth_port']}",
-                logger      => 
'file:/var/log/keystone/uwsgi/keystone-admin-uwsgi.log',
-                master      => true,
-                name        => 'keystone',
-                plugins     => 'python, python3, logfile',
-                processes   => '20',
-                wsgi-file   => '/usr/bin/keystone-wsgi-admin',
-            },
-        },
-    }
-    uwsgi::app { 'keystone-public':
-        enabled  => $enable_uwsgi,
-        settings => {
-            uwsgi => {
-                die-on-term => true,
-                http        => "0.0.0.0:${keystoneconfig['public_port']}",
-                logger      => 
'file:/var/log/keystone/uwsgi/keystone-public-uwsgi.log',
-                master      => true,
-                name        => 'keystone',
-                plugins     => 'python, python3, logfile',
-                processes   => '20',
-                wsgi-file   => '/usr/bin/keystone-wsgi-public',
-            },
-        },
-    }
-}
diff --git a/modules/openstack/templates/liberty/keystone/keystone.conf.erb 
b/modules/openstack/templates/liberty/keystone/keystone.conf.erb
deleted file mode 100644
index 6b0e116..0000000
--- a/modules/openstack/templates/liberty/keystone/keystone.conf.erb
+++ /dev/null
@@ -1,414 +0,0 @@
-[DEFAULT]
-
-#
-# From keystone
-#
-
-# A "shared secret" that can be used to bootstrap Keystone. This "token" does
-# not represent a user, and carries no explicit authorization. To disable in
-# production (highly recommended), remove AdminTokenAuthMiddleware from your
-# paste application pipelines (for example, in keystone-paste.ini). (string
-# value)
-#admin_token = <None>
-
-# The base public endpoint URL for Keystone that is advertised to clients
-# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
-# to the base host URL of the request. E.g. a request to
-# http://server:5000/v3/users will default to http://server:5000. You should
-# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
-# or the endpoint should be found on a different server. (string value)
-#public_endpoint = <None>
-
-# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
-# this does NOT affect how Keystone listens for connections). Defaults to the
-# base host URL of the request. E.g. a request to http://server:35357/v3/users
-# will default to http://server:35357. You should only need to set this value
-# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
-# found on a different server. (string value)
-#admin_endpoint = <None>
-
-# Maximum depth of the project hierarchy. WARNING: setting it to a large value
-# may adversely impact performance. (integer value)
-#max_project_tree_depth = 5
-
-# Limit the sizes of user & project ID/names. (integer value)
-#max_param_size = 64
-
-# Similar to max_param_size, but provides an exception for token values.
-# (integer value)
-#max_token_size = 8192
-
-# Similar to the member_role_name option, this represents the default role ID
-# used to associate users with their default projects in the v2 API. This will
-# be used as the explicit role where one is not specified by the v2 API.
-# (string value)
-#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
-
-# This is the role name used in combination with the member_role_id option; see
-# that option for more detail. (string value)
-member_role_name = user
-
-# The value passed as the keyword "rounds" to passlib's encrypt method.
-# (integer value)
-# Minimum value: 1000
-# Maximum value: 100000
-#crypt_strength = 10000
-
-# The maximum number of entities that will be returned in a collection, with no
-# limit set by default. This global limit may be then overridden for a specific
-# driver, by specifying a list_limit in the appropriate section (e.g.
-# [assignment]). (integer value)
-#list_limit = <None>
-
-# Set this to false if you want to enable the ability for user, group and
-# project entities to be moved between domains by updating their domain_id.
-# Allowing such movement is not recommended if the scope of a domain admin is
-# being restricted by use of an appropriate policy file (see
-# policy.v3cloudsample as an example). (boolean value)
-#domain_id_immutable = true
-
-# If set to true, strict password length checking is performed for password
-# manipulation. If a password exceeds the maximum length, the operation will
-# fail with an HTTP 403 Forbidden error. If set to false, passwords are
-# automatically truncated to the maximum length. (boolean value)
-#strict_password_check = false
-
-# The HTTP header used to determine the scheme for the original request, even
-# if it was removed by an SSL terminating proxy. Typical value is
-# "HTTP_X_FORWARDED_PROTO". (string value)
-#secure_proxy_ssl_header = <None>
-
-#
-# From keystone.notifications
-#
-
-# Default publisher_id for outgoing notifications (string value)
-#default_publisher_id = <None>
-
-# Define the notification format for Identity Service events. A "basic"
-# notification has information about the resource being operated on. A "cadf"
-# notification has the same information, as well as information about the
-# initiator of the event. (string value)
-# Allowed values: basic, cadf
-#notification_format = basic
-
-#
-# From oslo.log
-#
-
-# Print debugging output (set logging level to DEBUG instead of default INFO
-# level). (boolean value)
-debug = false
-
-# If set to false, will disable INFO logging level, making WARNING the default.
-# (boolean value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-verbose = false
-
-# The name of a logging configuration file. This file is appended to any
-# existing logging configuration files. For details about logging configuration
-# files, see the Python logging module documentation. (string value)
-# Deprecated group/name - [DEFAULT]/log_config
-log_config_append = /etc/keystone/logging.conf
-
-# DEPRECATED. A logging.Formatter log message format string which may use any
-# of the available logging.LogRecord attributes. This option is deprecated.
-# Please use logging_context_format_string and logging_default_format_string
-# instead. (string value)
-#log_format = <None>
-
-# Format string for %%(asctime)s in log records. Default: %(default)s . (string
-# value)
-#log_date_format = %Y-%m-%d %H:%M:%S
-
-# (Optional) Name of log file to output to. If no default is set, logging will
-# go to stdout. (string value)
-# Deprecated group/name - [DEFAULT]/logfile
-log_file = keystone.log
-
-# (Optional) The base directory used for relative --log-file paths. (string
-# value)
-# Deprecated group/name - [DEFAULT]/logdir
-log_dir = /var/log/keystone
-
-# Use syslog for logging. Existing syslog format is DEPRECATED and will be
-# changed later to honor RFC5424. (boolean value)
-#use_syslog = false
-
-# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
-# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-# format without the APP-NAME is deprecated in Kilo, and will be removed in
-# Mitaka, along with this option. (boolean value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#use_syslog_rfc_format = true
-
-# Syslog facility to receive log lines. (string value)
-#syslog_log_facility = LOG_USER
-
-# Log output to standard error. (boolean value)
-#use_stderr = true
-
-# Format string to use for log messages with context. (string value)
-#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d 
%(levelname)s %(name)s [%(request_id)s %(user_identity)s] 
%(instance)s%(message)s
-
-# Format string to use for log messages without context. (string value)
-#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d 
%(levelname)s %(name)s [-] %(instance)s%(message)s
-
-# Data to append to log format when level is DEBUG. (string value)
-#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
-
-# Prefix each line of exception output with this format. (string value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s 
%(instance)s
-
-# List of logger=LEVEL pairs. (list value)
-#default_log_levels = 
amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN
-
-# Enables or disables publication of error events. (boolean value)
-#publish_errors = false
-
-# The format for an instance that is passed with the log message. (string
-# value)
-#instance_format = "[instance: %(uuid)s] "
-
-# The format for an instance UUID that is passed with the log message. (string
-# value)
-#instance_uuid_format = "[instance: %(uuid)s] "
-
-# Enables or disables fatal status of deprecations. (boolean value)
-#fatal_deprecations = false
-
-#
-# From oslo.messaging
-#
-
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-
-# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
-# The "host" option should point or resolve to this address. (string value)
-#rpc_zmq_bind_address = *
-
-# MatchMaker driver. (string value)
-#rpc_zmq_matchmaker = local
-
-# ZeroMQ receiver listening port. (integer value)
-#rpc_zmq_port = 9501
-
-# Number of ZeroMQ contexts, defaults to 1. (integer value)
-#rpc_zmq_contexts = 1
-
-# Maximum number of ingress messages to locally buffer per topic. Default is
-# unlimited. (integer value)
-#rpc_zmq_topic_backlog = <None>
-
-# Directory for holding IPC sockets. (string value)
-#rpc_zmq_ipc_dir = /var/run/openstack
-
-# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
-# "host" option, if running Nova. (string value)
-#rpc_zmq_host = localhost
-
-# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
-# (integer value)
-#rpc_cast_timeout = 30
-
-# Heartbeat frequency. (integer value)
-#matchmaker_heartbeat_freq = 300
-
-# Heartbeat time-to-live. (integer value)
-#matchmaker_heartbeat_ttl = 600
-
-# Size of executor thread pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
-#executor_thread_pool_size = 64
-
-# The Drivers(s) to handle sending notifications. Possible values are
-# messaging, messagingv2, routing, log, test, noop (multi valued)
-notification_driver = wmfkeystonehooks
-
-# Login info for wikitech, for project page updates
-wiki_host=<%= @wikitechstatusconfig["host"] %>
-wiki_page_prefix=<%= @wikitechstatusconfig["page_prefix"] %>
-wiki_consumer_token=<%= 
@wikitechstatusconfig["wikitech_status_consumer_token"] %>
-wiki_consumer_secret=<%= 
@wikitechstatusconfig["wikitech_status_consumer_secret"] %>
-wiki_access_token=<%= @wikitechstatusconfig["wikitech_status_access_token"] %>
-wiki_access_secret=<%= @wikitechstatusconfig["wikitech_status_access_secret"] 
%>
-
-# AMQP topic used for OpenStack notifications. (list value)
-# Deprecated group/name - [rpc_notifier2]/topics
-#notification_topics = notifications
-
-# Seconds to wait for a response from a call. (integer value)
-#rpc_response_timeout = 60
-
-# A URL representing the messaging driver to use and its full configuration. If
-# not set, we fall back to the rpc_backend option and driver specific
-# configuration. (string value)
-#transport_url = <None>
-
-# The messaging driver to use, defaults to rabbit. Other drivers include qpid
-# and zmq. (string value)
-#rpc_backend = rabbit
-
-# The default exchange under which topics are scoped. May be overridden by an
-# exchange name specified in the transport_url option. (string value)
-#control_exchange = keystone
-
-#
-# From oslo.service.service
-#
-
-# Enables or disables logging values of all registered options when starting a
-# service (at DEBUG level). (boolean value)
-#log_options = true
-
-[assignment]
-driver = sql
-
-[sql]
-# the timeout before idle sql connections are reaped
-# idle_timeout = 200
-
-[database]
-# The SQLAlchemy connection string used to connect to the database
-connection = mysql://<%= @keystoneconfig["db_user"] %>:<%= 
@keystoneconfig["db_pass"] %>@<%= @keystoneconfig["db_host"] %>/<%= 
@keystoneconfig["db_name"] %>
-
-[identity]
-driver = ldap
-
-[cache]
-
-#
-# From keystone
-#
-
-# Prefix for building the configuration dictionary for the cache region. This
-# should not need to be changed unless there is another dogpile.cache region
-# with the same configuration name. (string value)
-#config_prefix = cache.keystone
-
-# Default TTL, in seconds, for any cached item in the dogpile.cache region.
-# This applies to any cached method that doesn't have an explicit cache
-# expiration time defined for it. (integer value)
-#expiration_time = 600
-
-# Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
-# production deployments.  Small workloads (single process) like devstack can
-# use the dogpile.cache.memory backend. (string value)
-#backend = keystone.common.cache.noop
-
-# Arguments supplied to the backend module. Specify this option once per
-# argument to be passed to the dogpile.cache backend. Example format:
-# "<argname>:<value>". (multi valued)
-#backend_argument =
-
-# Proxy classes to import that will affect the way the dogpile.cache backend
-# functions. See the dogpile.cache documentation on changing-backend-behavior.
-# (list value)
-#proxies =
-
-# Global toggle for all caching using the should_cache_fn mechanism. (boolean
-# value)
-#enabled = false
-
-# Extra debugging from the cache backend (cache keys, get/set/delete/etc
-# calls). This is only really useful if you need to see the specific cache-
-# backend get/set/delete calls with the keys/values.  Typically this should be
-# left set to false. (boolean value)
-#debug_cache_backend = false
-
-# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (list value)
-#memcache_servers = localhost:11211
-
-# Number of seconds memcached server is considered dead before it is tried
-# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
-# only). (integer value)
-#memcache_dead_retry = 300
-
-# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
-# keystone.cache.memcache_pool backends only). (integer value)
-#memcache_socket_timeout = 3
-
-# Max total number of open connections to every memcached server.
-# (keystone.cache.memcache_pool backend only). (integer value)
-#memcache_pool_maxsize = 10
-
-# Number of seconds a connection to memcached is held unused in the pool before
-# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
-#memcache_pool_unused_timeout = 60
-
-# Number of seconds that an operation will wait to get a memcache client
-# connection. (integer value)
-#memcache_pool_connection_get_timeout = 10
-
-[catalog]
-# dynamic, sql-based backend (supports API/CLI-based management commands)
-driver = sql
-
-# static, file-based backend (does *NOT* support any management commands)
-# driver = keystone.catalog.backends.templated.TemplatedCatalog
-
-# template_file = default_catalog.templates
-
-[token]
-provider = uuid
-driver = sql
-
-# Amount of time a token should remain valid (in seconds)
-# Using 7.1 days, as we'll set MediaWiki to 7 days
-expiration = 613440
-
-[policy]
-driver = rules
-
-[signing]
-#provider = uuid
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#key_size = 1024
-#valid_days = 3650
-#ca_password = None
-#token_format = PKI
-
-[ldap]
-url = <% @keystoneconfig['ldap_hosts'].each do |ldap_host| %>ldap://<%= 
ldap_host %>,<% end %>
-tree_dn = <%= @keystoneconfig["ldap_base_dn"] %>
-user_tree_dn = ou=people,<%= @keystoneconfig["ldap_base_dn"] %>
-user_id_attribute = <%= @keystoneconfig["ldap_user_id_attribute"] %>
-user_name_attribute = <%= @keystoneconfig["ldap_user_name_attribute"] %>
-user = <%= @keystoneconfig["ldap_user_dn"] %>
-password = <%= @keystoneconfig["ldap_user_pass"] %>
-
-[auth]
-methods = external,password,token,wmtotp
-
-# Override the default password plugin with a custom
-#  one that checks source IPs.
-password = whitelist
-
-<% @labs_networks.each do |subnet| -%>
-password_whitelist = novaobserver:<%=subnet%>
-<% end -%>
-<% @prod_networks.each do |subnet| -%>
-password_whitelist = *:<%=subnet%>
-<% end -%>
-
-[oath]
-
-wikitech_host = <%=@labs_osm_host%>
-wikitech_consumer_token = <%= @keystoneconfig["wikitech_consumer_token"] %>
-wikitech_consumer_secret = <%= @keystoneconfig["wikitech_consumer_secret"] %>
-wikitech_access_token = <%= @keystoneconfig["wikitech_access_token"] %>
-wikitech_access_secret = <%= @keystoneconfig["wikitech_access_secret"] %>
-
-[wmfhooks]
-
-admin_pass = <%= @keystoneconfig["ldap_user_pass"] %>
-auth_url = <%= @keystoneconfig["auth_protocol"] %>://<%= @fqdn %>:<%= 
@keystoneconfig["auth_port"] %>/v3
-
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt
 
b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt
similarity index 100%
rename from 
modules/openstack/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt
rename to 
modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/__init__.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py
similarity index 100%
rename from 
modules/openstack/files/liberty/keystone/wmfkeystonehooks/__init__.py
rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
similarity index 100%
rename from 
modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
rename to 
modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/pageeditor.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
similarity index 100%
rename from 
modules/openstack/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
rename to 
modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py 
b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
similarity index 100%
rename from 
modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
rename to 
modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
diff --git a/modules/openstack/files/check_keystone_projects.py 
b/modules/openstack2/files/monitor/keystone/check_keystone_projects.py
similarity index 100%
rename from modules/openstack/files/check_keystone_projects.py
rename to modules/openstack2/files/monitor/keystone/check_keystone_projects.py
diff --git a/modules/openstack/files/check_keystone_roles.py 
b/modules/openstack2/files/monitor/keystone/check_keystone_roles.py
similarity index 100%
rename from modules/openstack/files/check_keystone_roles.py
rename to modules/openstack2/files/monitor/keystone/check_keystone_roles.py
diff --git a/modules/openstack2/manifests/keystone/hooks.pp 
b/modules/openstack2/manifests/keystone/hooks.pp
index a99fef0..9670263 100644
--- a/modules/openstack2/manifests/keystone/hooks.pp
+++ b/modules/openstack2/manifests/keystone/hooks.pp
@@ -6,7 +6,7 @@
     include openstack2::keystone::service
 
     file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks':
-        source  => 
"puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks",
+        source  => 
"puppet:///modules/openstack2/${version}/keystone/wmfkeystonehooks",
         owner   => 'root',
         group   => 'root',
         mode    => '0644',
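Review bot: The new `source` on the wmfkeystonehooks resource still interpolates `${version}`, but the renames in this change move only the `liberty` tree into modules/openstack2. Any other value of `version` would presumably leave the resource without a matching source directory, unless openstack2 already ships one that this diff does not show. The same applies to the egg-info resource in the next hunk. I would record the constraint above both resources with a comment such as `# source trees exist only per version under modules/openstack2/files/<version>/keystone`. Both resource bodies continue outside their hunks, so the remaining attributes are not visible here.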
@@ -15,7 +15,7 @@
     }
 
     file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks.egg-info':
-        source  => 
"puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks.egg-info",
+        source  => 
"puppet:///modules/openstack2/${version}/keystone/wmfkeystonehooks.egg-info",
         owner   => 'root',
         group   => 'root',
         mode    => '0644',
diff --git a/modules/openstack2/manifests/keystone/monitor.pp 
b/modules/openstack2/manifests/keystone/monitor.pp
index 86073af..055ef0a 100644
--- a/modules/openstack2/manifests/keystone/monitor.pp
+++ b/modules/openstack2/manifests/keystone/monitor.pp
@@ -60,7 +60,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0755',
-        source => 'puppet:///modules/openstack/check_keystone_roles.py',
+        source => 
'puppet:///modules/openstack2/monitor/keystone/check_keystone_roles.py',
     }
 
     # Script to make sure that service projects e.g. 'admin' exists
@@ -69,7 +69,7 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0755',
-        source => 'puppet:///modules/openstack/check_keystone_projects.py',
+        source => 
'puppet:///modules/openstack2/monitor/keystone/check_keystone_projects.py',
     }
 
 }
diff --git a/modules/openstack2/manifests/keystone/service.pp 
b/modules/openstack2/manifests/keystone/service.pp
index 3de83e4..b81cdfc 100644
--- a/modules/openstack2/manifests/keystone/service.pp
+++ b/modules/openstack2/manifests/keystone/service.pp
@@ -30,7 +30,6 @@
     $wiki_access_secret,
     ) {
 
-    #include ::openstack::keystone::hooks
     include ::network::constants
     $prod_networks = $network::constants::production_networks
     $labs_networks = $network::constants::labs_networks
diff --git a/modules/role/manifests/labs/openstack/keystone/server.pp 
b/modules/role/manifests/labs/openstack/keystone/server.pp
deleted file mode 100644
index b8e44fc..0000000
--- a/modules/role/manifests/labs/openstack/keystone/server.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-class role::labs::openstack::keystone::server {
-
-    system::role { $name: }
-    $nova_controller   = hiera('labs_nova_controller')
-    $keystoneconfig    = hiera_hash('keystoneconfig', {})
-    $wikitechstatusconfig = hiera_hash('wikitechstatusconfig', {})
-
-    class { 'openstack::keystone::service':
-        keystoneconfig => $keystoneconfig,
-    }
-}

-- 
To view, visit https://gerrit.wikimedia.org/r/376531

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibebb0e4ee6186d642d9ea63e54f04ad624385333
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <r...@wikimedia.org>
