Rush has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/376531 )
Change subject: openstack: cleanup keystone references in old module ...................................................................... openstack: cleanup keystone references in old module Bug: T171494 Change-Id: Ibebb0e4ee6186d642d9ea63e54f04ad624385333 --- D modules/openstack/files/keystone-admin-uwsgi.logrotate D modules/openstack/files/keystone-public-uwsgi.logrotate D modules/openstack/files/liberty/keystone/keystone-paste.ini D modules/openstack/files/liberty/keystone/logging.conf D modules/openstack/files/liberty/keystone/policy.json D modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt D modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py D modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py D modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py D modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py D modules/openstack/files/liberty/keystoneclient/__init__.py D modules/openstack/files/liberty/keystoneclient/wmtotp.py D modules/openstack/manifests/keystone/hooks.pp D modules/openstack/manifests/keystone/service.pp D modules/openstack/templates/liberty/keystone/keystone.conf.erb R modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py R modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py R modules/openstack2/files/monitor/keystone/check_keystone_projects.py R modules/openstack2/files/monitor/keystone/check_keystone_roles.py M modules/openstack2/manifests/keystone/hooks.pp M modules/openstack2/manifests/keystone/monitor.pp M modules/openstack2/manifests/keystone/service.pp D modules/role/manifests/labs/openstack/keystone/server.pp 26 files changed, 4 insertions(+), 1,427 
deletions(-) Approvals: Andrew Bogott: Looks good to me, but someone else must approve Rush: Looks good to me, approved jenkins-bot: Verified
diff --git a/modules/openstack/files/keystone-admin-uwsgi.logrotate b/modules/openstack/files/keystone-admin-uwsgi.logrotate
deleted file mode 100644
index ad9a1b4..0000000
--- a/modules/openstack/files/keystone-admin-uwsgi.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
-/var/log/designate/keystone-admin-uwsgi.log {
- daily
- missingok
- compress
- delaycompress
- notifempty
- copytruncate
-}
diff --git a/modules/openstack/files/keystone-public-uwsgi.logrotate b/modules/openstack/files/keystone-public-uwsgi.logrotate
deleted file mode 100644
index 7766a2b..0000000
--- a/modules/openstack/files/keystone-public-uwsgi.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
-/var/log/designate/keystone-public-uwsgi.log {
- daily
- missingok
- compress
- delaycompress
- notifempty
- copytruncate
-}
diff --git a/modules/openstack/files/liberty/keystone/keystone-paste.ini b/modules/openstack/files/liberty/keystone/keystone-paste.ini
deleted file mode 100644
index 0792f42..0000000
--- a/modules/openstack/files/liberty/keystone/keystone-paste.ini
+++ /dev/null
@@ -1,103 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:keystone#debug
-
-[filter:request_id]
-use = egg:keystone#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:admin_token_auth]
-use = egg:keystone#admin_token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:user_crud_extension]
-use = egg:keystone#user_crud_extension
-
-[filter:crud_extension]
-use = egg:keystone#crud_extension
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:federation_extension]
-use = egg:keystone#federation_extension
-
-[filter:oauth1_extension]
-use = egg:keystone#oauth1_extension
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:endpoint_filter_extension]
-use = egg:keystone#endpoint_filter_extension
-
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
-[filter:revoke_extension]
-use = egg:keystone#revoke_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:keystone#sizelimit
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
diff --git a/modules/openstack/files/liberty/keystone/logging.conf b/modules/openstack/files/liberty/keystone/logging.conf
deleted file mode 100644
index 59df5f0..0000000
--- a/modules/openstack/files/liberty/keystone/logging.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-[loggers]
-keys=root
-
-[formatters]
-keys=normal,normal_with_name,debug
-
-[handlers]
-keys=production,file,devel
-
-[logger_root]
-level=WARNING
-handlers=file
-
-[handler_production]
-class=handlers.SysLogHandler
-level=WARNING
-formatter=normal_with_name
-args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
-
-[handler_file]
-class=FileHandler
-level=WARNING
-formatter=normal_with_name
-args=('/var/log/keystone/keystone.log', 'a')
-
-[handler_devel]
-class=StreamHandler
-level=WARNING
-formatter=debug
-args=(sys.stdout,)
-
-[formatter_normal]
-format=%(asctime)s %(levelname)s %(message)s
-
-[formatter_normal_with_name]
-format=(%(name)s): %(asctime)s %(levelname)s %(message)s
-
-[formatter_debug]
-format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
diff --git a/modules/openstack/files/liberty/keystone/policy.json b/modules/openstack/files/liberty/keystone/policy.json
deleted file mode 100644
index 2ed289c..0000000
--- a/modules/openstack/files/liberty/keystone/policy.json
+++ /dev/null
@@ -1,183 +0,0 @@ -{ - "admin_required": "role:admin or is_admin:1", - "service_role": "role:service", - "service_or_admin": "rule:admin_required or rule:service_role", - "owner" : "user_id:%(user_id)s", - "admin_or_owner": "rule:admin_required or rule:owner", - "token_subject": "user_id:%(target.token.user_id)s", - "admin_or_token_subject": "rule:admin_required or rule:token_subject", - - "default": "rule:admin_required", - - "identity:get_region": "", - "identity:list_regions": "rule:admin_required", - "identity:create_region": "rule:admin_required", - "identity:update_region": "rule:admin_required", - "identity:delete_region": "rule:admin_required", - - "identity:get_service": "", - "identity:list_services": "", - "identity:create_service": "rule:admin_required", - "identity:update_service": "rule:admin_required", - "identity:delete_service": "rule:admin_required", - - "identity:get_endpoint": "", - "identity:list_endpoints": "", - "identity:create_endpoint": "rule:admin_required", - "identity:update_endpoint": "rule:admin_required", - "identity:delete_endpoint": "rule:admin_required", - - "identity:get_domain": "rule:admin_required", - "identity:list_domains": "rule:admin_required", - "identity:create_domain": "rule:admin_required", - "identity:update_domain": "rule:admin_required", - "identity:delete_domain": "rule:admin_required", - - "identity:get_project": "rule:admin_required", - "identity:list_projects": "", - "identity:list_user_projects": "", - "identity:create_project": "rule:admin_required", - "identity:update_project": "rule:admin_required", - "identity:delete_project": "rule:admin_required", - - "identity:get_user": "", - "identity:list_users": "", - "identity:create_user": "rule:admin_required", - "identity:update_user": "rule:admin_required", - "identity:delete_user": "rule:admin_required", - "identity:change_password": "rule:admin_or_owner", - - "identity:get_group": "rule:admin_required", - "identity:list_groups": "rule:admin_required", - 
"identity:list_groups_for_user": "rule:admin_or_owner", - "identity:create_group": "rule:admin_required", - "identity:update_group": "rule:admin_required", - "identity:delete_group": "rule:admin_required", - "identity:list_users_in_group": "rule:admin_required", - "identity:remove_user_from_group": "rule:admin_required", - "identity:check_user_in_group": "rule:admin_required", - "identity:add_user_to_group": "rule:admin_required", - - "identity:get_credential": "rule:admin_required", - "identity:list_credentials": "rule:admin_required", - "identity:create_credential": "rule:admin_required", - "identity:update_credential": "rule:admin_required", - "identity:delete_credential": "rule:admin_required", - - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_owner", - "identity:ec2_create_credential": "rule:admin_or_owner", - "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - - "identity:get_role": "", - "identity:list_roles": "", - "identity:create_role": "rule:admin_required", - "identity:update_role": "rule:admin_required", - "identity:delete_role": "rule:admin_required", - - "identity:check_grant": "rule:admin_required", - "identity:list_grants": "rule:admin_required", - "identity:create_grant": "rule:admin_required", - "identity:revoke_grant": "rule:admin_required", - - "identity:list_role_assignments": "", - - "identity:get_policy": "rule:admin_required", - "identity:list_policies": "rule:admin_required", - "identity:create_policy": "rule:admin_required", - "identity:update_policy": "rule:admin_required", - "identity:delete_policy": "rule:admin_required", - - "identity:check_token": "rule:admin_or_token_subject", - "identity:validate_token": "rule:service_admin_or_token_subject", - "identity:validate_token_head": "rule:service_or_admin", - "identity:revocation_list": "rule:service_or_admin", 
- "identity:revoke_token": "rule:admin_or_token_subject", - - "identity:create_trust": "user_id:%(trust.trustor_user_id)s", - "identity:list_trusts": "rule:admin_required", - "identity:list_roles_for_trust": "", - "identity:get_role_for_trust": "", - "identity:delete_trust": "", - - "identity:create_consumer": "rule:admin_required", - "identity:get_consumer": "rule:admin_required", - "identity:list_consumers": "rule:admin_required", - "identity:delete_consumer": "rule:admin_required", - "identity:update_consumer": "rule:admin_required", - - "identity:authorize_request_token": "rule:admin_required", - "identity:list_access_token_roles": "rule:admin_required", - "identity:get_access_token_role": "rule:admin_required", - "identity:list_access_tokens": "rule:admin_required", - "identity:get_access_token": "rule:admin_required", - "identity:delete_access_token": "rule:admin_required", - - "identity:list_projects_for_endpoint": "rule:admin_required", - "identity:add_endpoint_to_project": "rule:admin_required", - "identity:check_endpoint_in_project": "rule:admin_required", - "identity:list_endpoints_for_project": "rule:admin_required", - "identity:remove_endpoint_from_project": "rule:admin_required", - - "identity:create_endpoint_group": "rule:admin_required", - "identity:list_endpoint_groups": "rule:admin_required", - "identity:get_endpoint_group": "rule:admin_required", - "identity:update_endpoint_group": "rule:admin_required", - "identity:delete_endpoint_group": "rule:admin_required", - "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", - "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", - "identity:get_endpoint_group_in_project": "rule:admin_required", - "identity:list_endpoint_groups_for_project": "rule:admin_required", - "identity:add_endpoint_group_to_project": "rule:admin_required", - "identity:remove_endpoint_group_from_project": "rule:admin_required", - - "identity:create_identity_provider": 
"rule:admin_required", - "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", - "identity:update_identity_provider": "rule:admin_required", - "identity:delete_identity_provider": "rule:admin_required", - - "identity:create_protocol": "rule:admin_required", - "identity:update_protocol": "rule:admin_required", - "identity:get_protocol": "rule:admin_required", - "identity:list_protocols": "rule:admin_required", - "identity:delete_protocol": "rule:admin_required", - - "identity:create_mapping": "rule:admin_required", - "identity:get_mapping": "rule:admin_required", - "identity:list_mappings": "rule:admin_required", - "identity:delete_mapping": "rule:admin_required", - "identity:update_mapping": "rule:admin_required", - - "identity:create_service_provider": "rule:admin_required", - "identity:list_service_providers": "rule:admin_required", - "identity:get_service_provider": "rule:admin_required", - "identity:update_service_provider": "rule:admin_required", - "identity:delete_service_provider": "rule:admin_required", - - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - - "identity:list_projects_for_groups": "", - "identity:list_domains_for_groups": "", - - "identity:list_revoke_events": "", - - "identity:create_policy_association_for_endpoint": "rule:admin_required", - "identity:check_policy_association_for_endpoint": "rule:admin_required", - "identity:delete_policy_association_for_endpoint": "rule:admin_required", - "identity:create_policy_association_for_service": "rule:admin_required", - "identity:check_policy_association_for_service": "rule:admin_required", - "identity:delete_policy_association_for_service": "rule:admin_required", - "identity:create_policy_association_for_region_and_service": "rule:admin_required", - "identity:check_policy_association_for_region_and_service": "rule:admin_required", - 
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required"
-}
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt b/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
deleted file mode 100644
index 5ab1073..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth.egg-info/entry_points.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-[keystone.auth.wmtotp]
-default = wmfkeystoneauth.wmtotp:Wmtotp
-
-[keystone.auth.password]
-whitelist = wmfkeystoneauth.password_whitelist:PasswordWhitelist
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/__init__.py
+++ /dev/null
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
deleted file mode 100644
index 2a1d4ed..0000000
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/password_whitelist.py
+++ /dev/null
@@ -1,72 +0,0 @@ -# Copyright 2016 Andrew Bogott for the Wikimedia Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from netaddr import IPNetwork, IPAddress - -from oslo_log import log -from oslo_config import cfg - -from keystone.auth import plugins as auth_plugins -from keystone.auth.plugins import password -from keystone import exception -from keystone.i18n import _ - -METHOD_NAME = 'password' - -LOG = log.getLogger(__name__) - -whitelist_ops = [ - cfg.MultiStrOpt('password_whitelist', - default=[], - help='user:ip range permitted to use password auth.' - 'also supports a simple one-character * wildcard' - 'for user.'), -] - -CONF = cfg.CONF -CONF.register_opts(whitelist_ops, group='auth') - - -def check_whitelist(user_id, remote_addr): - """Return True if the user_id/remote_addr combination is in our whitelist. 
- Otherwise, return raise Unauthorized""" - LOG.debug("Auth request for user %s from %s" % (user_id, - remote_addr)) - - for entry in CONF.auth.password_whitelist: - user, subnet = entry.split(':', 1) - if user == "*" or user_id == user: - if IPAddress(remote_addr) in IPNetwork(subnet): - return True - - LOG.warn('Password auth not allowed for %s from %s' % (user_id, - remote_addr)) - - msg = _('Password auth not allowed for this username from this ip.') - raise exception.Unauthorized(msg) - - -class PasswordWhitelist(password.Password): - - def authenticate(self, context, auth_payload, auth_context): - """Verify username and password but only allow access for configured - accounts and from configured IP ranges.""" - - user_info = auth_plugins.UserAuthInfo.create(auth_payload, METHOD_NAME) - check_whitelist(user_info.user_id, - context['environment']['REMOTE_ADDR']) - - return super(PasswordWhitelist, self).authenticate(context, - auth_payload, - auth_context) diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py deleted file mode 100644 index 33527a1..0000000 --- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wikitechclient.py +++ /dev/null 
@@ -1,61 +0,0 @@ -# Copyright 2016 Wikimedia Foundation -# -# This is part of a custom Keystone auth extension specific to Wikimedia Labs. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import mwclient - -from oslo_log import log - -LOG = log.getLogger(__name__) - - -class WikitechClient(object): - """MediaWiki client, used for checking oath creds against Wikitech""" - - def __init__( - self, host, - consumer_token, consumer_secret, - access_token, access_secret - ): - self.site = self._site_for_host( - host, consumer_token, - consumer_secret, access_token, access_secret) - - @classmethod - def _site_for_host( - cls, host, - consumer_token, consumer_secret, - access_token, access_secret - ): - return mwclient.Site( - host, - consumer_token=consumer_token, - consumer_secret=consumer_secret, - access_token=access_token, - access_secret=access_secret, - clients_useragent='Keystone', - force_login=True - ) - - # Returns a dict with two members: 'valid' and 'enabled'. - def oathvalidate(self, username, totp): - token = self.site.get_token('csrf', force=True) - result = self.site.api( - 'oathvalidate', formatversion=2, - user=username, - totp=totp, - token=token - ) - return result['oathvalidate'] diff --git a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py b/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py deleted file mode 100644 index 370a0be..0000000 
--- a/modules/openstack/files/liberty/keystone/wmfkeystoneauth/wmtotp.py
+++ /dev/null
@@ -1,118 +0,0 @@ -# Copyright 2016 Wikimedia Foundation -# -# (this is a custom hack local to the Wikimedia Labs deployment) -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_log import log -from oslo_config import cfg - -from keystone import auth -from keystone.auth import plugins as auth_plugins -import password_whitelist -from keystone.common import dependency -from keystone import exception -from keystone.i18n import _ - -import wikitechclient - -METHOD_NAME = 'wmtotp' - -LOG = log.getLogger(__name__) -CONF = cfg.CONF - -oathoptions = [ - cfg.StrOpt('dbuser', - default='wiki_user', - help='Database user for retrieving OATH secret.'), - cfg.StrOpt('dbpass', - default='12345', - help='Database password for retrieving OATH secret.'), - cfg.StrOpt('dbhost', - default='localhost', - help='Database host for retrieving OATH secret.'), - cfg.StrOpt('dbname', - default='labswiki', - help='Database name for retrieving OATH secret.'), - cfg.StrOpt('wikitech_host', - default='wikitech.wikimedia.org', - help='fqdn for the mediawiki host that supports the oath api'), - cfg.StrOpt('wikitech_consumer_token'), - cfg.StrOpt('wikitech_consumer_secret'), - cfg.StrOpt('wikitech_access_token'), - cfg.StrOpt('wikitech_access_secret'), -] - -for option in oathoptions: - CONF.register_opt(option, group='oath') - - -@dependency.requires('identity_api') -class Wmtotp(auth.AuthMethodHandler): - - method = METHOD_NAME - - def authenticate(self, context, auth_payload, auth_context): 
- """Try to authenticate against the identity backend.""" - user_info = auth_plugins.UserAuthInfo.create(auth_payload, self.method) - - # Before we do anything else, make sure that this user is allowed - # access from their source IP - password_whitelist.check_whitelist(user_info.user_id, - context['environment']['REMOTE_ADDR']) - - # FIXME(gyee): identity.authenticate() can use some refactoring since - # all we care is password matches - try: - self.identity_api.authenticate( - context, - user_id=user_info.user_id, - password=user_info.password) - except AssertionError: - # authentication failed because of invalid username or password - msg = _('Invalid username or password') - raise exception.Unauthorized(msg) - - # Password auth succeeded, check two-factor - # LOG.debug("OATH: Doing 2FA for user_info " + - # ( "%s(%r)" % (user_info.__class__, user_info.__dict__) ) ) - # LOG.debug("OATH: Doing 2FA for auth_payload " + - # ( "%s(%r)" % (auth_payload.__class__, auth_payload) ) ) - if 'totp' not in auth_payload['user']: - LOG.debug("OATH: 2FA failed, missing totp param") - msg = _('Missing two-factor token') - raise exception.Unauthorized(msg) - - wtclient = wikitechclient.WikitechClient( - CONF.oath.wikitech_host, - CONF.oath.wikitech_consumer_token, - CONF.oath.wikitech_consumer_secret, - CONF.oath.wikitech_access_token, - CONF.oath.wikitech_access_secret) - valid = wtclient.oathvalidate(user_info.user_ref['name'], - auth_payload['user']['totp']) - - if valid['enabled']: - if valid['valid']: - LOG.debug("OATH: 2FA passed") - else: - LOG.debug("OATH: 2FA failed") - msg = _('Invalid two-factor token') - raise exception.Unauthorized(msg) - else: - LOG.debug("OATH: user '%s' does not have 2FA enabled.", - user_info.user_ref['name']) - msg = _('2FA is not enabled; login forbidden') - raise exception.Unauthorized(msg) - - auth_context['user_id'] = user_info.user_id 
diff --git a/modules/openstack/files/liberty/keystoneclient/__init__.py b/modules/openstack/files/liberty/keystoneclient/__init__.py
deleted file mode 100644
index c9ecd12..0000000
--- a/modules/openstack/files/liberty/keystoneclient/__init__.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystoneclient.auth.identity.v3.base import * # noqa
-from keystoneclient.auth.identity.v3.federated import * # noqa
-from keystoneclient.auth.identity.v3.password import * # noqa
-from keystoneclient.auth.identity.v3.token import * # noqa
-from keystoneclient.auth.identity.v3.wmtotp import * # noqa
-
-
-__all__ = ['Auth',
- 'AuthConstructor',
- 'AuthMethod',
- 'BaseAuth',
-
- 'FederatedBaseAuth',
-
- 'Password',
- 'PasswordMethod',
-
- 'Mwtotp',
- 'MwtotpMethod',
-
- 'Token',
- 'TokenMethod']
diff --git a/modules/openstack/files/liberty/keystoneclient/wmtotp.py b/modules/openstack/files/liberty/keystoneclient/wmtotp.py
deleted file mode 100644
index c911801..0000000
--- a/modules/openstack/files/liberty/keystoneclient/wmtotp.py
+++ /dev/null
@@ -1,113 +0,0 @@ -# -# Custom addition for Wikimedia Labs to add a totp plugin to keystoneclient -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import getpass -import sys - -from oslo_config import cfg - -from keystoneclient.auth.identity.v3 import base -from keystoneclient import utils - -__all__ = ['WmtotpMethod', 'Wmtotp'] - - -class WmtotpMethod(base.AuthMethod): - """Construct a User/Password/totp based authentication method. - - :param string password: Password for authentication. - :param string totp: 2FA (TOTP) token for authentication. - :param string username: Username for authentication. - :param string user_id: User ID for authentication. - :param string user_domain_id: User's domain ID for authentication. - :param string user_domain_name: User's domain name for authentication. 
- """ - - _method_parameters = ['user_id', - 'username', - 'user_domain_id', - 'user_domain_name', - 'password', - 'totp'] - - def get_auth_data(self, session, auth, headers, **kwargs): - user = {'password': self.password, 'totp': self.totp} - - if self.user_id: - user['id'] = self.user_id - elif self.username: - user['name'] = self.username - - if self.user_domain_id: - user['domain'] = {'id': self.user_domain_id} - elif self.user_domain_name: - user['domain'] = {'name': self.user_domain_name} - - return 'wmtotp', {'user': user} - - -class Wmtotp(base.AuthConstructor): - """A plugin for authenticating with a username, password, totp token - - :param string auth_url: Identity service endpoint for authentication. - :param string password: Password for authentication. - :param string totp: totp token for authentication - :param string username: Username for authentication. - :param string user_id: User ID for authentication. - :param string user_domain_id: User's domain ID for authentication. - :param string user_domain_name: User's domain name for authentication. - :param string trust_id: Trust ID for trust scoping. - :param string domain_id: Domain ID for domain scoping. - :param string domain_name: Domain name for domain scoping. - :param string project_id: Project ID for project scoping. - :param string project_name: Project name for project scoping. - :param string project_domain_id: Project's domain ID for project. - :param string project_domain_name: Project's domain name for project. - :param bool reauthenticate: Allow fetching a new token if the current one - is going to expire. 
(optional) default True - """ - - _auth_method_class = WmtotpMethod - - @classmethod - def get_options(cls): - options = super(Wmtotp, cls).get_options() - - options.extend([ - cfg.StrOpt('user-id', help='User ID'), - cfg.StrOpt('user-name', dest='username', help='Username', - deprecated_name='username'), - cfg.StrOpt('user-domain-id', help="User's domain id"), - cfg.StrOpt('user-domain-name', help="User's domain name"), - cfg.StrOpt('password', secret=True, help="User's password"), - cfg.StrOpt('totp', secret=True, help="2FA (TOTP) token"), - ]) - - return options - - @classmethod - def load_from_argparse_arguments(cls, namespace, **kwargs): - if not (kwargs.get('password') or namespace.os_password): - kwargs['password'] = utils.prompt_user_password() - - if not kwargs.get('totp') and (hasattr(sys.stdin, 'isatty') and - sys.stdin.isatty()): - try: - kwargs['totp'] = getpass.getpass('2FA (TOTP) token: ') - except EOFError: - pass - - return super(Wmtotp, cls).load_from_argparse_arguments(namespace, - **kwargs) diff --git a/modules/openstack/manifests/keystone/hooks.pp b/modules/openstack/manifests/keystone/hooks.pp deleted file mode 100644 index 5b7cd74..0000000 --- a/modules/openstack/manifests/keystone/hooks.pp +++ /dev/null @@ -1,23 +0,0 @@ -# Hook keystone notification events for custom -# project swizzling -class openstack::keystone::hooks( - $openstack_version = $::openstack::version) -{ - file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks': - source => "puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystonehooks", - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['keystone'], - recurse => true, - } - file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks.egg-info': - source => "puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystonehooks.egg-info", - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['keystone'], - recurse => true, - } -} - 
diff --git a/modules/openstack/manifests/keystone/service.pp b/modules/openstack/manifests/keystone/service.pp
deleted file mode 100644
index d6ae287..0000000
--- a/modules/openstack/manifests/keystone/service.pp
+++ /dev/null
@@ -1,230 +0,0 @@ -# keystone is the identity service of openstack -# http://docs.openstack.org/developer/keystone/ -class openstack::keystone::service($keystoneconfig, $openstack_version=$::openstack::version) { - include ::openstack::keystone::hooks - - package { 'keystone': - ensure => present, - } - package { 'python-oath': - ensure => present, - } - package { 'python-mysql.connector': - ensure => present, - } - - if $keystoneconfig['token_driver'] == 'redis' { - package { 'python-keystone-redis': - ensure => present; - } - } - - $labs_osm_host = hiera('labs_osm_host') - - include ::network::constants - $prod_networks = $network::constants::production_networks - $labs_networks = $network::constants::labs_networks - - file { - '/var/log/keystone': - ensure => directory, - owner => 'keystone', - group => 'www-data', - mode => '0775'; - '/var/log/keystone/uwsgi': - ensure => directory, - owner => 'www-data', - group => 'www-data', - mode => '0755'; - '/etc/keystone': - ensure => directory, - owner => 'keystone', - group => 'keystone', - mode => '0755'; - '/etc/keystone/keystone.conf': - content => template("openstack/${openstack_version}/keystone/keystone.conf.erb"), - owner => 'keystone', - group => 'keystone', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - require => Package['keystone'], - mode => '0444'; - '/etc/keystone/keystone-paste.ini': - source => "puppet:///modules/openstack/${openstack_version}/keystone/keystone-paste.ini", - mode => '0644', - owner => 'root', - group => 'root', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - require => Package['keystone']; - '/etc/keystone/policy.json': - source => "puppet:///modules/openstack/${openstack_version}/keystone/policy.json", - mode => '0644', - owner => 'root', - group => 'root', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - require => Package['keystone']; - '/etc/keystone/logging.conf': - source => 
"puppet:///modules/openstack/${openstack_version}/keystone/logging.conf", - mode => '0644', - owner => 'root', - group => 'root', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - require => Package['keystone']; - '/usr/lib/python2.7/dist-packages/wmfkeystoneauth': - source => "puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth", - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - recurse => true; - '/usr/lib/python2.7/dist-packages/wmfkeystoneauth.egg-info': - source => "puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth.egg-info", - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], - recurse => true; - } - - logrotate::conf { 'keystone-public-uwsgi': - ensure => present, - source => 'puppet:///modules/openstack/keystone-public-uwsgi.logrotate', - } - - logrotate::conf { 'keystone-admin-uwsgi': - ensure => present, - source => 'puppet:///modules/openstack/keystone-admin-uwsgi.logrotate', - } - - if $::fqdn == hiera('labs_nova_controller') { - # Clean up expired keystone tokens, because otherwise keystone leaves them - # around forever. - cron { - 'cleanup_expired_keystone_tokens': - ensure => present, - user => 'root', - minute => 20, - command => '/usr/bin/keystone-manage token_flush > /dev/null 2>&1', - } - - # Clean up service user tokens. These tend to pile up - # quickly, and are never used for Horizon sessions. - # so, don't wait for them to expire, just delete them - # after a few hours. - # - # Tokens only know when they expire and not when they - # were created. Since token lifespan is 7.1 - # days (613440 seconds), any token that expires - # less than 7 days from now is already at least - # 2 hours old. 
- $keystone_db_name = $keystoneconfig['db_name'] - $keystone_db_user = $keystoneconfig['db_user'] - $keystone_db_pass = $keystoneconfig['db_pass'] - $keystone_db_host = $keystoneconfig['db_host'] - cron { - 'cleanup_novaobserver_keystone_tokens': - ensure => present, - user => 'root', - minute => 30, - command => "/usr/bin/mysql ${keystone_db_name} -h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE FROM token WHERE user_id=\"novaobserver\" AND NOW() + INTERVAL 7 day > expires LIMIT 10000;'", - } - cron { - 'cleanup_novaadmin_keystone_tokens': - ensure => present, - user => 'root', - minute => 40, - command => "/usr/bin/mysql ${keystone_db_name} -h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE FROM token WHERE user_id=\"novaadmin\" AND NOW() + INTERVAL 7 day > expires LIMIT 10000;'", - } - - monitoring::service { 'keystone-http-35357': - description => 'keystone admin endpoint', - check_command => 'check_http_on_port!35357', - } - monitoring::service { 'keystone-http-5000': # v2 api is limited here - description => 'keystone public endoint', - check_command => 'check_http_on_port!5000', - } - - if ($openstack_version == 'liberty') { - # Keystone says that you should run it with uwsgi in Liberty, - # but it's actually buggy and terrible in that config. So, use eventlet - # ('keystone' service) on liberty, and we'll try uwsgi again on mitaka. 
- $enable_uwsgi = false - - service { 'keystone': - ensure => running, - subscribe => File['/etc/keystone/keystone.conf'], - require => Package['keystone']; - } - service { 'uwsgi-keystone-admin': - ensure => stopped, - } - service { 'uwsgi-keystone-public': - ensure => stopped, - } - } else { - $enable_uwsgi = true - - # stop the keystone process itself; this will be handled - # by uwsgi - service { 'keystone': - ensure => stopped, - require => Package['keystone']; - } - file {'/etc/init/keystone.conf': - ensure => 'absent'; - } - } - } else { - $enable_uwsgi = false - - # Because of the enabled => false, the uwsgi::app - # declarations below don't actually define - # services for the keystone processes. We need - # to define them here (even though they're stopped) - # so we can refer to them elsewhere. - service { 'uwsgi-keystone-admin': - ensure => stopped, - } - service { 'uwsgi-keystone-public': - ensure => stopped, - } - service { 'keystone': - ensure => stopped, - require => Package['keystone']; - } - } - - # Set up uwsgi services - - # Keystone admin API - uwsgi::app { 'keystone-admin': - enabled => $enable_uwsgi, - settings => { - uwsgi => { - die-on-term => true, - http => "0.0.0.0:${keystoneconfig['auth_port']}", - logger => 'file:/var/log/keystone/uwsgi/keystone-admin-uwsgi.log', - master => true, - name => 'keystone', - plugins => 'python, python3, logfile', - processes => '20', - wsgi-file => '/usr/bin/keystone-wsgi-admin', - }, - }, - } - uwsgi::app { 'keystone-public': - enabled => $enable_uwsgi, - settings => { - uwsgi => { - die-on-term => true, - http => "0.0.0.0:${keystoneconfig['public_port']}", - logger => 'file:/var/log/keystone/uwsgi/keystone-public-uwsgi.log', - master => true, - name => 'keystone', - plugins => 'python, python3, logfile', - processes => '20', - wsgi-file => '/usr/bin/keystone-wsgi-public', - }, - }, - } -} 
diff --git a/modules/openstack/templates/liberty/keystone/keystone.conf.erb b/modules/openstack/templates/liberty/keystone/keystone.conf.erb
deleted file mode 100644
index 6b0e116..0000000
--- a/modules/openstack/templates/liberty/keystone/keystone.conf.erb
+++ /dev/null
@@ -1,414 +0,0 @@ -[DEFAULT] - -# -# From keystone -# - -# A "shared secret" that can be used to bootstrap Keystone. This "token" does -# not represent a user, and carries no explicit authorization. To disable in -# production (highly recommended), remove AdminTokenAuthMiddleware from your -# paste application pipelines (for example, in keystone-paste.ini). (string -# value) -#admin_token = <None> - -# The base public endpoint URL for Keystone that is advertised to clients -# (NOTE: this does NOT affect how Keystone listens for connections). Defaults -# to the base host URL of the request. E.g. a request to -# http://server:5000/v3/users will default to http://server:5000. You should -# only need to set this value if the base URL contains a path (e.g. /prefix/v3) -# or the endpoint should be found on a different server. (string value) -#public_endpoint = <None> - -# The base admin endpoint URL for Keystone that is advertised to clients (NOTE: -# this does NOT affect how Keystone listens for connections). Defaults to the -# base host URL of the request. E.g. a request to http://server:35357/v3/users -# will default to http://server:35357. You should only need to set this value -# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be -# found on a different server. (string value) -#admin_endpoint = <None> - -# Maximum depth of the project hierarchy. WARNING: setting it to a large value -# may adversely impact performance. (integer value) -#max_project_tree_depth = 5 - -# Limit the sizes of user & project ID/names. (integer value) -#max_param_size = 64 - -# Similar to max_param_size, but provides an exception for token values. -# (integer value) -#max_token_size = 8192 - -# Similar to the member_role_name option, this represents the default role ID -# used to associate users with their default projects in the v2 API. This will -# be used as the explicit role where one is not specified by the v2 API. 
-# (string value) -#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab - -# This is the role name used in combination with the member_role_id option; see -# that option for more detail. (string value) -member_role_name = user - -# The value passed as the keyword "rounds" to passlib's encrypt method. -# (integer value) -# Minimum value: 1000 -# Maximum value: 100000 -#crypt_strength = 10000 - -# The maximum number of entities that will be returned in a collection, with no -# limit set by default. This global limit may be then overridden for a specific -# driver, by specifying a list_limit in the appropriate section (e.g. -# [assignment]). (integer value) -#list_limit = <None> - -# Set this to false if you want to enable the ability for user, group and -# project entities to be moved between domains by updating their domain_id. -# Allowing such movement is not recommended if the scope of a domain admin is -# being restricted by use of an appropriate policy file (see -# policy.v3cloudsample as an example). (boolean value) -#domain_id_immutable = true - -# If set to true, strict password length checking is performed for password -# manipulation. If a password exceeds the maximum length, the operation will -# fail with an HTTP 403 Forbidden error. If set to false, passwords are -# automatically truncated to the maximum length. (boolean value) -#strict_password_check = false - -# The HTTP header used to determine the scheme for the original request, even -# if it was removed by an SSL terminating proxy. Typical value is -# "HTTP_X_FORWARDED_PROTO". (string value) -#secure_proxy_ssl_header = <None> - -# -# From keystone.notifications -# - -# Default publisher_id for outgoing notifications (string value) -#default_publisher_id = <None> - -# Define the notification format for Identity Service events. A "basic" -# notification has information about the resource being operated on. 
A "cadf" -# notification has the same information, as well as information about the -# initiator of the event. (string value) -# Allowed values: basic, cadf -#notification_format = basic - -# -# From oslo.log -# - -# Print debugging output (set logging level to DEBUG instead of default INFO -# level). (boolean value) -debug = false - -# If set to false, will disable INFO logging level, making WARNING the default. -# (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -verbose = false - -# The name of a logging configuration file. This file is appended to any -# existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. (string value) -# Deprecated group/name - [DEFAULT]/log_config -log_config_append = /etc/keystone/logging.conf - -# DEPRECATED. A logging.Formatter log message format string which may use any -# of the available logging.LogRecord attributes. This option is deprecated. -# Please use logging_context_format_string and logging_default_format_string -# instead. (string value) -#log_format = <None> - -# Format string for %%(asctime)s in log records. Default: %(default)s . (string -# value) -#log_date_format = %Y-%m-%d %H:%M:%S - -# (Optional) Name of log file to output to. If no default is set, logging will -# go to stdout. (string value) -# Deprecated group/name - [DEFAULT]/logfile -log_file = keystone.log - -# (Optional) The base directory used for relative --log-file paths. (string -# value) -# Deprecated group/name - [DEFAULT]/logdir -log_dir = /var/log/keystone - -# Use syslog for logging. Existing syslog format is DEPRECATED and will be -# changed later to honor RFC5424. (boolean value) -#use_syslog = false - -# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, -# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). 
The -# format without the APP-NAME is deprecated in Kilo, and will be removed in -# Mitaka, along with this option. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#use_syslog_rfc_format = true - -# Syslog facility to receive log lines. (string value) -#syslog_log_facility = LOG_USER - -# Log output to standard error. (boolean value) -#use_stderr = true - -# Format string to use for log messages with context. (string value) -#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s - -# Format string to use for log messages without context. (string value) -#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s - -# Data to append to log format when level is DEBUG. (string value) -#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d - -# Prefix each line of exception output with this format. (string value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s - -# List of logger=LEVEL pairs. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN - -# Enables or disables publication of error events. (boolean value) -#publish_errors = false - -# The format for an instance that is passed with the log message. (string -# value) -#instance_format = "[instance: %(uuid)s] " - -# The format for an instance UUID that is passed with the log message. (string -# value) -#instance_uuid_format = "[instance: %(uuid)s] " - -# Enables or disables fatal status of deprecations. 
(boolean value) -#fatal_deprecations = false - -# -# From oslo.messaging -# - -# Size of RPC connection pool. (integer value) -# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size -#rpc_conn_pool_size = 30 - -# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. -# The "host" option should point or resolve to this address. (string value) -#rpc_zmq_bind_address = * - -# MatchMaker driver. (string value) -#rpc_zmq_matchmaker = local - -# ZeroMQ receiver listening port. (integer value) -#rpc_zmq_port = 9501 - -# Number of ZeroMQ contexts, defaults to 1. (integer value) -#rpc_zmq_contexts = 1 - -# Maximum number of ingress messages to locally buffer per topic. Default is -# unlimited. (integer value) -#rpc_zmq_topic_backlog = <None> - -# Directory for holding IPC sockets. (string value) -#rpc_zmq_ipc_dir = /var/run/openstack - -# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match -# "host" option, if running Nova. (string value) -#rpc_zmq_host = localhost - -# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. -# (integer value) -#rpc_cast_timeout = 30 - -# Heartbeat frequency. (integer value) -#matchmaker_heartbeat_freq = 300 - -# Heartbeat time-to-live. (integer value) -#matchmaker_heartbeat_ttl = 600 - -# Size of executor thread pool. (integer value) -# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size -#executor_thread_pool_size = 64 - -# The Drivers(s) to handle sending notifications. 
Possible values are -# messaging, messagingv2, routing, log, test, noop (multi valued) -notification_driver = wmfkeystonehooks - -# Login info for wikitech, for project page updates -wiki_host=<%= @wikitechstatusconfig["host"] %> -wiki_page_prefix=<%= @wikitechstatusconfig["page_prefix"] %> -wiki_consumer_token=<%= @wikitechstatusconfig["wikitech_status_consumer_token"] %> -wiki_consumer_secret=<%= @wikitechstatusconfig["wikitech_status_consumer_secret"] %> -wiki_access_token=<%= @wikitechstatusconfig["wikitech_status_access_token"] %> -wiki_access_secret=<%= @wikitechstatusconfig["wikitech_status_access_secret"] %> - -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -#notification_topics = notifications - -# Seconds to wait for a response from a call. (integer value) -#rpc_response_timeout = 60 - -# A URL representing the messaging driver to use and its full configuration. If -# not set, we fall back to the rpc_backend option and driver specific -# configuration. (string value) -#transport_url = <None> - -# The messaging driver to use, defaults to rabbit. Other drivers include qpid -# and zmq. (string value) -#rpc_backend = rabbit - -# The default exchange under which topics are scoped. May be overridden by an -# exchange name specified in the transport_url option. (string value) -#control_exchange = keystone - -# -# From oslo.service.service -# - -# Enables or disables logging values of all registered options when starting a -# service (at DEBUG level). 
(boolean value) -#log_options = true - -[assignment] -driver = sql - -[sql] -# the timeout before idle sql connections are reaped -# idle_timeout = 200 - -[database] -# The SQLAlchemy connection string used to connect to the database -connection = mysql://<%= @keystoneconfig["db_user"] %>:<%= @keystoneconfig["db_pass"] %>@<%= @keystoneconfig["db_host"] %>/<%= @keystoneconfig["db_name"] %> - -[identity] -driver = ldap - -[cache] - -# -# From keystone -# - -# Prefix for building the configuration dictionary for the cache region. This -# should not need to be changed unless there is another dogpile.cache region -# with the same configuration name. (string value) -#config_prefix = cache.keystone - -# Default TTL, in seconds, for any cached item in the dogpile.cache region. -# This applies to any cached method that doesn't have an explicit cache -# expiration time defined for it. (integer value) -#expiration_time = 600 - -# Dogpile.cache backend module. It is recommended that Memcache with pooling -# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in -# production deployments. Small workloads (single process) like devstack can -# use the dogpile.cache.memory backend. (string value) -#backend = keystone.common.cache.noop - -# Arguments supplied to the backend module. Specify this option once per -# argument to be passed to the dogpile.cache backend. Example format: -# "<argname>:<value>". (multi valued) -#backend_argument = - -# Proxy classes to import that will affect the way the dogpile.cache backend -# functions. See the dogpile.cache documentation on changing-backend-behavior. -# (list value) -#proxies = - -# Global toggle for all caching using the should_cache_fn mechanism. (boolean -# value) -#enabled = false - -# Extra debugging from the cache backend (cache keys, get/set/delete/etc -# calls). This is only really useful if you need to see the specific cache- -# backend get/set/delete calls with the keys/values. 
Typically this should be -# left set to false. (boolean value) -#debug_cache_backend = false - -# Memcache servers in the format of "host:port". (dogpile.cache.memcache and -# keystone.cache.memcache_pool backends only). (list value) -#memcache_servers = localhost:11211 - -# Number of seconds memcached server is considered dead before it is tried -# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends -# only). (integer value) -#memcache_dead_retry = 300 - -# Timeout in seconds for every call to a server. (dogpile.cache.memcache and -# keystone.cache.memcache_pool backends only). (integer value) -#memcache_socket_timeout = 3 - -# Max total number of open connections to every memcached server. -# (keystone.cache.memcache_pool backend only). (integer value) -#memcache_pool_maxsize = 10 - -# Number of seconds a connection to memcached is held unused in the pool before -# it is closed. (keystone.cache.memcache_pool backend only). (integer value) -#memcache_pool_unused_timeout = 60 - -# Number of seconds that an operation will wait to get a memcache client -# connection. 
(integer value) -#memcache_pool_connection_get_timeout = 10 - -[catalog] -# dynamic, sql-based backend (supports API/CLI-based management commands) -driver = sql - -# static, file-based backend (does *NOT* support any management commands) -# driver = keystone.catalog.backends.templated.TemplatedCatalog - -# template_file = default_catalog.templates - -[token] -provider = uuid -driver = sql - -# Amount of time a token should remain valid (in seconds) -# Using 7.1 days, as we'll set MediaWiki to 7 days -expiration = 613440 - -[policy] -driver = rules - -[signing] -#provider = uuid -#certfile = /etc/keystone/ssl/certs/signing_cert.pem -#keyfile = /etc/keystone/ssl/private/signing_key.pem -#ca_certs = /etc/keystone/ssl/certs/ca.pem -#key_size = 1024 -#valid_days = 3650 -#ca_password = None -#token_format = PKI - -[ldap] -url = <% @keystoneconfig['ldap_hosts'].each do |ldap_host| %>ldap://<%= ldap_host %>,<% end %> -tree_dn = <%= @keystoneconfig["ldap_base_dn"] %> -user_tree_dn = ou=people,<%= @keystoneconfig["ldap_base_dn"] %> -user_id_attribute = <%= @keystoneconfig["ldap_user_id_attribute"] %> -user_name_attribute = <%= @keystoneconfig["ldap_user_name_attribute"] %> -user = <%= @keystoneconfig["ldap_user_dn"] %> -password = <%= @keystoneconfig["ldap_user_pass"] %> - -[auth] -methods = external,password,token,wmtotp - -# Override the default password plugin with a custom -# one that checks source IPs. 
-password = whitelist - -<% @labs_networks.each do |subnet| -%> -password_whitelist = novaobserver:<%=subnet%> -<% end -%> -<% @prod_networks.each do |subnet| -%> -password_whitelist = *:<%=subnet%> -<% end -%> - -[oath] - -wikitech_host = <%=@labs_osm_host%> -wikitech_consumer_token = <%= @keystoneconfig["wikitech_consumer_token"] %> -wikitech_consumer_secret = <%= @keystoneconfig["wikitech_consumer_secret"] %> -wikitech_access_token = <%= @keystoneconfig["wikitech_access_token"] %> -wikitech_access_secret = <%= @keystoneconfig["wikitech_access_secret"] %> - -[wmfhooks] - -admin_pass = <%= @keystoneconfig["ldap_user_pass"] %> -auth_url = <%= @keystoneconfig["auth_protocol"] %>://<%= @fqdn %>:<%= @keystoneconfig["auth_port"] %>/v3 - diff --git a/modules/openstack/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt similarity index 100% rename from modules/openstack/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks.egg-info/entry_points.txt diff --git a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/__init__.py b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py similarity index 100% rename from modules/openstack/files/liberty/keystone/wmfkeystonehooks/__init__.py rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks/__init__.py diff --git a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py similarity index 100% rename from modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py 
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/pageeditor.py b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
similarity index 100%
rename from modules/openstack/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks/pageeditor.py
diff --git a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py b/modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
similarity index 100%
rename from modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
rename to modules/openstack2/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
diff --git a/modules/openstack/files/check_keystone_projects.py b/modules/openstack2/files/monitor/keystone/check_keystone_projects.py
similarity index 100%
rename from modules/openstack/files/check_keystone_projects.py
rename to modules/openstack2/files/monitor/keystone/check_keystone_projects.py
diff --git a/modules/openstack/files/check_keystone_roles.py b/modules/openstack2/files/monitor/keystone/check_keystone_roles.py
similarity index 100%
rename from modules/openstack/files/check_keystone_roles.py
rename to modules/openstack2/files/monitor/keystone/check_keystone_roles.py
diff --git a/modules/openstack2/manifests/keystone/hooks.pp b/modules/openstack2/manifests/keystone/hooks.pp
index a99fef0..9670263 100644
--- a/modules/openstack2/manifests/keystone/hooks.pp
+++ b/modules/openstack2/manifests/keystone/hooks.pp
@@ -6,7 +6,7 @@
 include openstack2::keystone::service
 file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks':
- source => "puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks",
+ source => "puppet:///modules/openstack2/${version}/keystone/wmfkeystonehooks",
 owner => 'root',
 group => 'root',
 mode => '0644',
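Review bot: The new source URL `puppet:///modules/openstack2/${version}/keystone/wmfkeystonehooks` only resolves when `$version` is `liberty`, because the rename headers in this change move the hooks package to `modules/openstack2/files/liberty/keystone/wmfkeystonehooks/` and no other version directory; the egg-info resource in the second hunk of this file has the same dependency. For any other value of `$version` the `file` resource fails at catalog apply time with an unresolvable source rather than a clear message. The class header and its `$version` parameter are outside the hunk, so I cannot see whether the value is validated elsewhere; if it is not, a comment next to the resource such as `# only 'liberty' files are shipped under modules/openstack2/files` or an explicit guard `if $version != 'liberty' { fail("wmfkeystonehooks is only packaged for liberty, got ${version}") }` would make the constraint visible to the next maintainer.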
@@ -15,7 +15,7 @@
 }
 file { '/usr/lib/python2.7/dist-packages/wmfkeystonehooks.egg-info':
- source => "puppet:///modules/openstack/${version}/keystone/wmfkeystonehooks.egg-info",
+ source => "puppet:///modules/openstack2/${version}/keystone/wmfkeystonehooks.egg-info",
 owner => 'root',
 group => 'root',
 mode => '0644',
diff --git a/modules/openstack2/manifests/keystone/monitor.pp b/modules/openstack2/manifests/keystone/monitor.pp
index 86073af..055ef0a 100644
--- a/modules/openstack2/manifests/keystone/monitor.pp
+++ b/modules/openstack2/manifests/keystone/monitor.pp
@@ -60,7 +60,7 @@
 owner => 'root',
 group => 'root',
 mode => '0755',
- source => 'puppet:///modules/openstack/check_keystone_roles.py',
+ source => 'puppet:///modules/openstack2/monitor/keystone/check_keystone_roles.py',
 }
 # Script to make sure that service projects e.g. 'admin' exists
@@ -69,7 +69,7 @@
 owner => 'root',
 group => 'root',
 mode => '0755',
- source => 'puppet:///modules/openstack/check_keystone_projects.py',
+ source => 'puppet:///modules/openstack2/monitor/keystone/check_keystone_projects.py',
 }
 }
diff --git a/modules/openstack2/manifests/keystone/service.pp b/modules/openstack2/manifests/keystone/service.pp
index 3de83e4..b81cdfc 100644
--- a/modules/openstack2/manifests/keystone/service.pp
+++ b/modules/openstack2/manifests/keystone/service.pp
@@ -30,7 +30,6 @@
 $wiki_access_secret,
 ) {
- #include ::openstack::keystone::hooks
 include ::network::constants
 $prod_networks = $network::constants::production_networks
 $labs_networks = $network::constants::labs_networks
diff --git a/modules/role/manifests/labs/openstack/keystone/server.pp b/modules/role/manifests/labs/openstack/keystone/server.pp
deleted file mode 100644
index b8e44fc..0000000
--- a/modules/role/manifests/labs/openstack/keystone/server.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-class role::labs::openstack::keystone::server {
-
- system::role { $name: }
- $nova_controller = hiera('labs_nova_controller')
- $keystoneconfig = hiera_hash('keystoneconfig', {})
- $wikitechstatusconfig = hiera_hash('wikitechstatusconfig', {})
-
- class { 'openstack::keystone::service':
- keystoneconfig => $keystoneconfig,
- }
-}
-- 
To view, visit https://gerrit.wikimedia.org/r/376531
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ibebb0e4ee6186d642d9ea63e54f04ad624385333
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <r...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Rush <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits