diff options
| author |   Cyril Lopez <cylopez@redhat.com> | 2017-03-30 15:48:14 +0200 |
|---|---|---|
| committer |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-07 10:25:47 +0300 |
| commit | 4db1c9f8e4b82e9430e76b1d02542dd6d6b65ef5 (patch) | |
| tree | cf1879b66f3857a76f4b5dae266131750d574383 | |
| parent | 40dbbd408ebd1582a3dd07efe7d0a953cab180a7 (diff) | |
Add trigger to setup a LDAP backend as keystone domaine
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo
who will call a define in puppet-keysone ldap_backend.pp.
Given the following environment:
parameter_defaults:
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
This also enables multi-domain support for horizon.
Conflicts:
puppet/services/keystone.yaml
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
(cherry picked from commit 347f5434b3e3793b9fdf2a94f49ab7734c5d923b)
| -rw-r--r-- | environments/services/keystone_domain_specific_ldap_backend.yaml | 18 | ||||
| -rw-r--r-- | puppet/services/keystone.yaml | 27 | ||||
| -rw-r--r-- | releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml | 5 |
3 files changed, 50 insertions, 0 deletions
diff --git a/environments/services/keystone_domain_specific_ldap_backend.yaml b/environments/services/keystone_domain_specific_ldap_backend.yaml new file mode 100644 index 00000000..40b02fc5 --- /dev/null +++ b/environments/services/keystone_domain_specific_ldap_backend.yaml @@ -0,0 +1,18 @@ +# This is an example template on how to configure keystone domain specific LDAP +# backends. This will configure a domain called tripleoldap will the attributes +# specified. +parameter_defaults: + KeystoneLDAPDomainEnable: true + KeystoneLDAPBackendConfigs: + tripleoldap: + url: ldap://192.0.2.250 + user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com + password: Secrete + suffix: dc=tripleo,dc=example,dc=com + user_tree_dn: ou=Users,dc=tripleo,dc=example,dc=com + user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=tripleo,dc=example,dc=com)" + user_objectclass: person + user_id_attribute: cn + user_allow_create: false + user_allow_update: false + user_allow_delete: false diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index f40c8d99..f69c087b 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -158,6 +158,16 @@ parameters: description: > Cron to purge expired tokens - User default: 'keystone' + KeystoneLDAPDomainEnable: + description: Trigger to call ldap_backend puppet keystone define. + type: boolean + default: False + KeystoneLDAPBackendConfigs: + description: Hash containing the configurations for the LDAP backends + configured in keystone. + type: json + default: {} + hidden: true resources: @@ -171,6 +181,7 @@ resources: conditions: keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]} + keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} outputs: role_data: @@ -293,6 +304,15 @@ outputs: keystone::cron::token_flush::maxdelay: {get_param: KeystoneCronTokenFlushMaxDelay} keystone::cron::token_flush::destination: {get_param: KeystoneCronTokenFlushDestination} keystone::cron::token_flush::user: {get_param: KeystoneCronTokenFlushUser} + - + if: + - keystone_ldap_domain_enabled + - + tripleo::profile::base::keystone::ldap_backend_enable: True + keystone::using_domain_config: True + tripleo::profile::base::keystone::ldap_backends_config: + get_param: KeystoneLDAPBackendConfigs + - {} step_config: | include ::tripleo::profile::base::keystone @@ -305,6 +325,13 @@ outputs: keystone::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + horizon: + if: + - keystone_ldap_domain_enabled + - + horizon::keystone_multidomain_support: true + horizon::keystone_default_domain: 'Default' + - {} # Ansible tasks to handle upgrade upgrade_tasks: - name: Stop keystone service (running under httpd) diff --git a/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml new file mode 100644 index 00000000..19452f27 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add capabilities to configure LDAP backends as for keystone domains. + This can be done by using the KeystoneLDAPDomainEnable and + KeystoneLDAPBackendConfigs parameters. |