From 819912d0379f6cd2b2693c2968576f7514a117c5 Mon Sep 17 00:00:00 2001 From: liyuenan Date: Mon, 19 Dec 2016 11:06:36 +0800 Subject: master only support newton JIRA: COMPASS-513 Remove other roles and ppa, master only support newton. Change-Id: I47ddb16baa25902c3e05cc7f9d0d6430f5dc7e00 Signed-off-by: liyuenan --- .../roles/moon/templates/admin-openrc.sh | 15 - .../roles/moon/templates/api-paste.ini | 106 --- .../roles/moon/templates/demo-openrc.sh | 13 - .../roles/moon/templates/keystone-paste.ini | 96 --- .../roles/moon/templates/keystone.conf | 59 -- .../roles/moon/templates/proxy-server.conf | 775 --------------------- .../roles/moon/templates/wsgi-keystone.conf.j2 | 46 -- 7 files changed, 1110 deletions(-) delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/admin-openrc.sh delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/api-paste.ini delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/demo-openrc.sh delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone-paste.ini delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone.conf delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/proxy-server.conf delete mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/wsgi-keystone.conf.j2 (limited to 'deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates') diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/admin-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/admin-openrc.sh deleted file mode 100644 index 6ba620ff..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/admin-openrc.sh +++ /dev/null @@ -1,15 +0,0 @@ -############################################################################## -# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. -# -# All rights reserved. This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# http://www.apache.org/licenses/LICENSE-2.0 -############################################################################## -# Verify the Identity Service installation -export OS_PASSWORD={{ ADMIN_PASS }} -export OS_TENANT_NAME=admin -export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v2.0 -export OS_USERNAME=admin -export OS_VOLUME_API_VERSION=2 - diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/api-paste.ini b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/api-paste.ini deleted file mode 100644 index f99689b7..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/api-paste.ini +++ /dev/null @@ -1,106 +0,0 @@ -############ -# Metadata # -############ -[composite:metadata] -use = egg:Paste#urlmap -/: meta - -[pipeline:meta] -pipeline = cors metaapp - -[app:metaapp] -paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory - -############# -# OpenStack # -############# - -[composite:osapi_compute] -use = call:nova.api.openstack.urlmap:urlmap_factory -/: oscomputeversions -# starting in Liberty the v21 implementation replaces the v2 -# implementation and is suggested that you use it as the default. If -# this causes issues with your clients you can rollback to the -# *frozen* v2 api by commenting out the above stanza and using the -# following instead:: -# /v2: openstack_compute_api_legacy_v2 -# if rolling back to v2 fixes your issue please file a critical bug -# at - https://bugs.launchpad.net/nova/+bugs -# -# v21 is an exactly feature match for v2, except it has more stringent -# input validation on the wsgi surface (prevents fuzzing early on the -# API). It also provides new features via API microversions which are -# opt into for clients. Unaware clients will receive the same frozen -# v2 API feature set, but with some relaxed validation -/v2: openstack_compute_api_v21_legacy_v2_compatible -/v2.1: openstack_compute_api_v21 - -# NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible -[composite:openstack_compute_api_legacy_v2] -use = call:nova.api.auth:pipeline_factory -noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2 -keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext moon legacy_ratelimit osapi_compute_app_legacy_v2 -keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2 - -[composite:openstack_compute_api_v21] -use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 -keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21 - -[composite:openstack_compute_api_v21_legacy_v2_compatible] -use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 -keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 - -[filter:request_id] -paste.filter_factory = oslo_middleware:RequestId.factory - -[filter:compute_req_id] -paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory - -[filter:faultwrap] -paste.filter_factory = nova.api.openstack:FaultWrapper.factory - -[filter:noauth2] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory - -[filter:legacy_ratelimit] -paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory - -[filter:sizelimit] -paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory - -[filter:legacy_v2_compatible] -paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory - -[app:osapi_compute_app_legacy_v2] -paste.app_factory = nova.api.openstack.compute:APIRouter.factory - -[app:osapi_compute_app_v21] -paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory - -[pipeline:oscomputeversions] -pipeline = faultwrap oscomputeversionapp - -[app:oscomputeversionapp] -paste.app_factory = nova.api.openstack.compute.versions:Versions.factory - -########## -# Shared # -########## - -[filter:cors] -paste.filter_factory = oslo_middleware.cors:filter_factory -oslo_config_project = nova - -[filter:keystonecontext] -paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory - -[filter:authtoken] -paste.filter_factory = keystonemiddleware.auth_token:filter_factory - -[filter:moon] -paste.filter_factory = keystonemiddleware.moon_agent:filter_factory -authz_login=admin -authz_password=password -logfile=/var/log/moon/keystonemiddleware.log diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/demo-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/demo-openrc.sh deleted file mode 100644 index 5807e868..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/demo-openrc.sh +++ /dev/null @@ -1,13 +0,0 @@ -############################################################################## -# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. -# -# All rights reserved. This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# http://www.apache.org/licenses/LICENSE-2.0 -############################################################################## -export OS_USERNAME=demo -export OS_PASSWORD={{ DEMO_PASS }} -export OS_TENANT_NAME=demo -export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v2.0 - diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone-paste.ini b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone-paste.ini deleted file mode 100644 index cd9ebede..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone-paste.ini +++ /dev/null @@ -1,96 +0,0 @@ -# Keystone PasteDeploy configuration file. - -[pipeline:moon_pipeline] -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service - -[app:moon_service] -use = egg:keystone#moon_service - -[filter:debug] -use = egg:oslo.middleware#debug - -[filter:request_id] -use = egg:oslo.middleware#request_id - -[filter:build_auth_context] -use = egg:keystone#build_auth_context - -[filter:token_auth] -use = egg:keystone#token_auth - -[filter:admin_token_auth] -# This is deprecated in the M release and will be removed in the O release. -# Use `keystone-manage bootstrap` and remove this from the pipelines below. -use = egg:keystone#admin_token_auth - -[filter:json_body] -use = egg:keystone#json_body - -[filter:cors] -use = egg:oslo.middleware#cors -oslo_config_project = keystone - -[filter:ec2_extension] -use = egg:keystone#ec2_extension - -[filter:ec2_extension_v3] -use = egg:keystone#ec2_extension_v3 - -[filter:s3_extension] -use = egg:keystone#s3_extension - -[filter:url_normalize] -use = egg:keystone#url_normalize - -[filter:sizelimit] -use = egg:oslo.middleware#sizelimit - -[app:public_service] -use = egg:keystone#public_service - -[app:service_v3] -use = egg:keystone#service_v3 - -[app:admin_service] -use = egg:keystone#admin_service - -[pipeline:public_api] -# The last item in this pipeline must be public_service or an equivalent -# application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service - -[pipeline:admin_api] -# The last item in this pipeline must be admin_service or an equivalent -# application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service - -[pipeline:api_v3] -# The last item in this pipeline must be service_v3 or an equivalent -# application. It cannot be a filter. -pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 - -[app:public_version_service] -use = egg:keystone#public_version_service - -[app:admin_version_service] -use = egg:keystone#admin_version_service - -[pipeline:public_version_api] -pipeline = cors sizelimit url_normalize public_version_service - -[pipeline:admin_version_api] -pipeline = cors sizelimit url_normalize admin_version_service - -[composite:main] -use = egg:Paste#urlmap -/moon = moon_pipeline -/v2.0 = public_api -/v3 = api_v3 -/ = public_version_api - -[composite:admin] -use = egg:Paste#urlmap -/moon = moon_pipeline -/v2.0 = admin_api -/v3 = api_v3 -/ = admin_version_api diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone.conf deleted file mode 100644 index 649fc32c..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/keystone.conf +++ /dev/null @@ -1,59 +0,0 @@ -{% set memcached_servers = [] %} -{% set rabbitmq_servers = [] %} -{% for host in haproxy_hosts.values() %} -{% set _ = memcached_servers.append('%s:11211'% host) %} -{% set _ = rabbitmq_servers.append('%s:5672'% host) %} -{% endfor %} -{% set memcached_servers = memcached_servers|join(',') %} -{% set rabbitmq_servers = rabbitmq_servers|join(',') %} -[DEFAULT] -admin_token={{ ADMIN_TOKEN }} -debug={{ DEBUG }} -log_dir = /var/log/keystone - -[cache] -backend=keystone.cache.memcache_pool -memcache_servers={{ memcached_servers}} -enabled=true - -[revoke] -driver=sql -expiration_buffer=3600 -caching=true - -[database] -connection = mysql://keystone:{{ KEYSTONE_DBPASS }}@{{ db_host }}/keystone?charset=utf8 -idle_timeout=30 -min_pool_size=5 -max_pool_size=120 -pool_timeout=30 - - -[identity] -default_domain_id=default -driver=sql - -[assignment] -driver=sql - -[resource] -driver=sql -caching=true -cache_time=3600 - -[token] -enforce_token_bind=permissive -expiration=43200 -provider=uuid -driver=sql -caching=true -cache_time=3600 - -[eventlet_server] -public_bind_host= {{ identity_host }} -admin_bind_host= {{ identity_host }} - -[oslo_messaging_rabbit] -rabbit_userid = {{ RABBIT_USER }} -rabbit_password = {{ RABBIT_PASS }} -rabbit_hosts = {{ rabbitmq_servers }} diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/proxy-server.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/proxy-server.conf deleted file mode 100644 index 9bea7a8e..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/proxy-server.conf +++ /dev/null @@ -1,775 +0,0 @@ -{% set memcached_servers = [] %} -{% for host in haproxy_hosts.values() %} -{% set _ = memcached_servers.append('%s:11211'% host) %} -{% endfor %} -{% set memcached_servers = memcached_servers|join(',') %} -[DEFAULT] -bind_ip = {{ internal_ip }} -bind_port = 8080 -# bind_timeout = 30 -# backlog = 4096 -swift_dir = /etc/swift -user = swift - -# Enables exposing configuration settings via HTTP GET /info. -# expose_info = true - -# Key to use for admin calls that are HMAC signed. Default is empty, -# which will disable admin calls to /info. -# admin_key = secret_admin_key -# -# Allows the ability to withhold sections from showing up in the public calls -# to /info. You can withhold subsections by separating the dict level with a -# ".". The following would cause the sections 'container_quotas' and 'tempurl' -# to not be listed, and the key max_failed_deletes would be removed from -# bulk_delete. Default value is 'swift.valid_api_versions' which allows all -# registered features to be listed via HTTP GET /info except -# swift.valid_api_versions information -# disallowed_sections = swift.valid_api_versions, container_quotas, tempurl - -# Use an integer to override the number of pre-forked processes that will -# accept connections. Should default to the number of effective cpu -# cores in the system. It's worth noting that individual workers will -# use many eventlet co-routines to service multiple concurrent requests. -# workers = auto -# -# Maximum concurrent requests per worker -# max_clients = 1024 -# -# Set the following two lines to enable SSL. This is for testing only. -# cert_file = /etc/swift/proxy.crt -# key_file = /etc/swift/proxy.key -# -# expiring_objects_container_divisor = 86400 -# expiring_objects_account_name = expiring_objects -# -# You can specify default log routing here if you want: -# log_name = swift -# log_facility = LOG_LOCAL0 -# log_level = INFO -# log_headers = false -# log_address = /dev/log -# The following caps the length of log lines to the value given; no limit if -# set to 0, the default. -# log_max_line_length = 0 -# -# This optional suffix (default is empty) that would be appended to the swift transaction -# id allows one to easily figure out from which cluster that X-Trans-Id belongs to. -# This is very useful when one is managing more than one swift cluster. -# trans_id_suffix = -# -# comma separated list of functions to call to setup custom log handlers. -# functions get passed: conf, name, log_to_console, log_route, fmt, logger, -# adapted_logger -# log_custom_handlers = -# -# If set, log_udp_host will override log_address -# log_udp_host = -# log_udp_port = 514 -# -# You can enable StatsD logging here: -# log_statsd_host = -# log_statsd_port = 8125 -# log_statsd_default_sample_rate = 1.0 -# log_statsd_sample_rate_factor = 1.0 -# log_statsd_metric_prefix = -# -# Use a comma separated list of full url (http://foo.bar:1234,https://foo.bar) -# cors_allow_origin = -# strict_cors_mode = True -# -# client_timeout = 60 -# eventlet_debug = false - -[pipeline:main] -# This sample pipeline uses tempauth and is used for SAIO dev work and -# testing. See below for a pipeline using keystone. -#pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server -pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo versioned_writes proxy-logging moon proxy-server - -# The following pipeline shows keystone integration. Comment out the one -# above and uncomment this one. Additional steps for integrating keystone are -# covered further below in the filter sections for authtoken and keystoneauth. -#pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server - -[app:proxy-server] -use = egg:swift#proxy -account_autocreate = True -# You can override the default log routing for this app here: -# set log_name = proxy-server -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_address = /dev/log -# -# log_handoffs = true -# recheck_account_existence = 60 -# recheck_container_existence = 60 -# object_chunk_size = 65536 -# client_chunk_size = 65536 -# -# How long the proxy server will wait on responses from the a/c/o servers. -# node_timeout = 10 -# -# How long the proxy server will wait for an initial response and to read a -# chunk of data from the object servers while serving GET / HEAD requests. -# Timeouts from these requests can be recovered from so setting this to -# something lower than node_timeout would provide quicker error recovery -# while allowing for a longer timeout for non-recoverable requests (PUTs). -# Defaults to node_timeout, should be overriden if node_timeout is set to a -# high number to prevent client timeouts from firing before the proxy server -# has a chance to retry. -# recoverable_node_timeout = node_timeout -# -# conn_timeout = 0.5 -# -# How long to wait for requests to finish after a quorum has been established. -# post_quorum_timeout = 0.5 -# -# How long without an error before a node's error count is reset. This will -# also be how long before a node is reenabled after suppression is triggered. -# error_suppression_interval = 60 -# -# How many errors can accumulate before a node is temporarily ignored. -# error_suppression_limit = 10 -# -# If set to 'true' any authorized user may create and delete accounts; if -# 'false' no one, even authorized, can. -# allow_account_management = false -# -# Set object_post_as_copy = false to turn on fast posts where only the metadata -# changes are stored anew and the original data file is kept in place. This -# makes for quicker posts. -# object_post_as_copy = true -# -# If set to 'true' authorized accounts that do not yet exist within the Swift -# cluster will be automatically created. -# account_autocreate = false -# -# If set to a positive value, trying to create a container when the account -# already has at least this maximum containers will result in a 403 Forbidden. -# Note: This is a soft limit, meaning a user might exceed the cap for -# recheck_account_existence before the 403s kick in. -# max_containers_per_account = 0 -# -# This is a comma separated list of account hashes that ignore the -# max_containers_per_account cap. -# max_containers_whitelist = -# -# Comma separated list of Host headers to which the proxy will deny requests. -# deny_host_headers = -# -# Prefix used when automatically creating accounts. -# auto_create_account_prefix = . -# -# Depth of the proxy put queue. -# put_queue_depth = 10 -# -# Storage nodes can be chosen at random (shuffle), by using timing -# measurements (timing), or by using an explicit match (affinity). -# Using timing measurements may allow for lower overall latency, while -# using affinity allows for finer control. In both the timing and -# affinity cases, equally-sorting nodes are still randomly chosen to -# spread load. -# The valid values for sorting_method are "affinity", "shuffle", or "timing". -# sorting_method = shuffle -# -# If the "timing" sorting_method is used, the timings will only be valid for -# the number of seconds configured by timing_expiry. -# timing_expiry = 300 -# -# By default on a GET/HEAD swift will connect to a storage node one at a time -# in a single thread. There is smarts in the order they are hit however. If you -# turn on concurrent_gets below, then replica count threads will be used. -# With addition of the concurrency_timeout option this will allow swift to send -# out GET/HEAD requests to the storage nodes concurrently and answer with the -# first to respond. With an EC policy the parameter only affects HEAD requests. -# concurrent_gets = off -# -# This parameter controls how long to wait before firing off the next -# concurrent_get thread. A value of 0 would be fully concurrent, any other -# number will stagger the firing of the threads. This number should be -# between 0 and node_timeout. The default is what ever you set for the -# conn_timeout parameter. -# concurrency_timeout = 0.5 -# -# Set to the number of nodes to contact for a normal request. You can use -# '* replicas' at the end to have it use the number given times the number of -# replicas for the ring being used for the request. -# request_node_count = 2 * replicas -# -# Which backend servers to prefer on reads. Format is r for region -# N or rz for region N, zone M. The value after the equals is -# the priority; lower numbers are higher priority. -# -# Example: first read from region 1 zone 1, then region 1 zone 2, then -# anything in region 2, then everything else: -# read_affinity = r1z1=100, r1z2=200, r2=300 -# Default is empty, meaning no preference. -# read_affinity = -# -# Which backend servers to prefer on writes. Format is r for region -# N or rz for region N, zone M. If this is set, then when -# handling an object PUT request, some number (see setting -# write_affinity_node_count) of local backend servers will be tried -# before any nonlocal ones. -# -# Example: try to write to regions 1 and 2 before writing to any other -# nodes: -# write_affinity = r1, r2 -# Default is empty, meaning no preference. -# write_affinity = -# -# The number of local (as governed by the write_affinity setting) -# nodes to attempt to contact first, before any non-local ones. You -# can use '* replicas' at the end to have it use the number given -# times the number of replicas for the ring being used for the -# request. -# write_affinity_node_count = 2 * replicas -# -# These are the headers whose values will only be shown to swift_owners. The -# exact definition of a swift_owner is up to the auth system in use, but -# usually indicates administrative responsibilities. -# swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control - -[filter:tempauth] -use = egg:swift#tempauth -# You can override the default log routing for this filter here: -# set log_name = tempauth -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log -# -# The reseller prefix will verify a token begins with this prefix before even -# attempting to validate it. Also, with authorization, only Swift storage -# accounts with this prefix will be authorized by this middleware. Useful if -# multiple auth systems are in use for one Swift cluster. -# The reseller_prefix may contain a comma separated list of items. The first -# item is used for the token as mentioned above. If second and subsequent -# items exist, the middleware will handle authorization for an account with -# that prefix. For example, for prefixes "AUTH, SERVICE", a path of -# /v1/SERVICE_account is handled the same as /v1/AUTH_account. If an empty -# (blank) reseller prefix is required, it must be first in the list. Two -# single quote characters indicates an empty (blank) reseller prefix. -# reseller_prefix = AUTH - -# -# The require_group parameter names a group that must be presented by -# either X-Auth-Token or X-Service-Token. Usually this parameter is -# used only with multiple reseller prefixes (e.g., SERVICE_require_group=blah). -# By default, no group is needed. Do not use .admin. -# require_group = - -# The auth prefix will cause requests beginning with this prefix to be routed -# to the auth subsystem, for granting tokens, etc. -# auth_prefix = /auth/ -# token_life = 86400 -# -# This allows middleware higher in the WSGI pipeline to override auth -# processing, useful for middleware such as tempurl and formpost. If you know -# you're not going to use such middleware and you want a bit of extra security, -# you can set this to false. -# allow_overrides = true -# -# This specifies what scheme to return with storage urls: -# http, https, or default (chooses based on what the server is running as) -# This can be useful with an SSL load balancer in front of a non-SSL server. -# storage_url_scheme = default -# -# Lastly, you need to list all the accounts/users you want here. The format is: -# user__ = [group] [group] [...] [storage_url] -# or if you want underscores in or , you can base64 encode them -# (with no equal signs) and use this format: -# user64__ = [group] [group] [...] [storage_url] -# There are special groups of: -# .reseller_admin = can do anything to any account for this auth -# .admin = can do anything within the account -# If neither of these groups are specified, the user can only access containers -# that have been explicitly allowed for them by a .admin or .reseller_admin. -# The trailing optional storage_url allows you to specify an alternate url to -# hand back to the user upon authentication. If not specified, this defaults to -# $HOST/v1/_ where $HOST will do its best to resolve -# to what the requester would need to use to reach this host. -# Here are example entries, required for running the tests: -user_admin_admin = admin .admin .reseller_admin -user_test_tester = testing .admin -user_test2_tester2 = testing2 .admin -user_test_tester3 = testing3 -user_test5_tester5 = testing5 service - -# To enable Keystone authentication you need to have the auth token -# middleware first to be configured. Here is an example below, please -# refer to the keystone's documentation for details about the -# different settings. -# -# You'll also need to have the keystoneauth middleware enabled and have it in -# your main pipeline, as show in the sample pipeline at the top of this file. -# -# Following parameters are known to work with keystonemiddleware v2.3.0 -# (above v2.0.0), but checking the latest information in the wiki page[1] -# is recommended. -# 1. http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration -# -[filter:authtoken] -paste.filter_factory = keystonemiddleware.auth_token:filter_factory -auth_uri = http://{{ internal_vip.ip }}:5000 -auth_url = http://{{ internal_vip.ip }}:35357 -identity_uri = http://{{ internal_vip.ip }}:35357 -memcached_servers = {{ memcached_servers }} -#auth_plugin = password -auth_type = password -project_domain_id = default -user_domain_id = default -project_name = service -username = swift -password = {{ CINDER_PASS }} -delay_auth_decision = True -admin_user=admin -admin_password={{ ADMIN_PASS }} -admin_token={{ ADMIN_TOKEN }} -# -# delay_auth_decision defaults to False, but leaving it as false will -# prevent other auth systems, staticweb, tempurl, formpost, and ACLs from -# working. This value must be explicitly set to True. -# delay_auth_decision = False -# -# cache = swift.cache -# include_service_catalog = False -# -[filter:keystoneauth] -use = egg:swift#keystoneauth -operator_roles = admin,user -# The reseller_prefix option lists account namespaces that this middleware is -# responsible for. The prefix is placed before the Keystone project id. -# For example, for project 12345678, and prefix AUTH, the account is -# named AUTH_12345678 (i.e., path is /v1/AUTH_12345678/...). -# Several prefixes are allowed by specifying a comma-separated list -# as in: "reseller_prefix = AUTH, SERVICE". The empty string indicates a -# single blank/empty prefix. If an empty prefix is required in a list of -# prefixes, a value of '' (two single quote characters) indicates a -# blank/empty prefix. Except for the blank/empty prefix, an underscore ('_') -# character is appended to the value unless already present. -# reseller_prefix = AUTH -# -# The user must have at least one role named by operator_roles on a -# project in order to create, delete and modify containers and objects -# and to set and read privileged headers such as ACLs. -# If there are several reseller prefix items, you can prefix the -# parameter so it applies only to those accounts (for example -# the parameter SERVICE_operator_roles applies to the /v1/SERVICE_ -# path). If you omit the prefix, the option applies to all reseller -# prefix items. For the blank/empty prefix, prefix with '' (do not put -# underscore after the two single quote characters). -# operator_roles = admin, swiftoperator -# -# The reseller admin role has the ability to create and delete accounts -# reseller_admin_role = ResellerAdmin -# -# This allows middleware higher in the WSGI pipeline to override auth -# processing, useful for middleware such as tempurl and formpost. If you know -# you're not going to use such middleware and you want a bit of extra security, -# you can set this to false. -# allow_overrides = true -# -# If the service_roles parameter is present, an X-Service-Token must be -# present in the request that when validated, grants at least one role listed -# in the parameter. The X-Service-Token may be scoped to any project. -# If there are several reseller prefix items, you can prefix the -# parameter so it applies only to those accounts (for example -# the parameter SERVICE_service_roles applies to the /v1/SERVICE_ -# path). If you omit the prefix, the option applies to all reseller -# prefix items. For the blank/empty prefix, prefix with '' (do not put -# underscore after the two single quote characters). -# By default, no service_roles are required. -# service_roles = -# -# For backwards compatibility, keystoneauth will match names in cross-tenant -# access control lists (ACLs) when both the requesting user and the tenant -# are in the default domain i.e the domain to which existing tenants are -# migrated. The default_domain_id value configured here should be the same as -# the value used during migration of tenants to keystone domains. -# default_domain_id = default -# -# For a new installation, or an installation in which keystone projects may -# move between domains, you should disable backwards compatible name matching -# in ACLs by setting allow_names_in_acls to false: -# allow_names_in_acls = true - -[filter:healthcheck] -use = egg:swift#healthcheck -# An optional filesystem path, which if present, will cause the healthcheck -# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE". -# This facility may be used to temporarily remove a Swift node from a load -# balancer pool during maintenance or upgrade (remove the file to allow the -# node back into the load balancer pool). -# disable_path = - -[filter:cache] -use = egg:swift#memcache -memcache_servers = {{ memcached_servers }} -# You can override the default log routing for this filter here: -# set log_name = cache -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log -# -# If not set here, the value for memcache_servers will be read from -# memcache.conf (see memcache.conf-sample) or lacking that file, it will -# default to the value below. You can specify multiple servers separated with -# commas, as in: 10.1.2.3:11211,10.1.2.4:11211 (IPv6 addresses must -# follow rfc3986 section-3.2.2, i.e. [::1]:11211) -# memcache_servers = 127.0.0.1:11211 -# -# Sets how memcache values are serialized and deserialized: -# 0 = older, insecure pickle serialization -# 1 = json serialization but pickles can still be read (still insecure) -# 2 = json serialization only (secure and the default) -# If not set here, the value for memcache_serialization_support will be read -# from /etc/swift/memcache.conf (see memcache.conf-sample). -# To avoid an instant full cache flush, existing installations should -# upgrade with 0, then set to 1 and reload, then after some time (24 hours) -# set to 2 and reload. -# In the future, the ability to use pickle serialization will be removed. -# memcache_serialization_support = 2 -# -# Sets the maximum number of connections to each memcached server per worker -# memcache_max_connections = 2 -# -# More options documented in memcache.conf-sample - -[filter:ratelimit] -use = egg:swift#ratelimit -# You can override the default log routing for this filter here: -# set log_name = ratelimit -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log -# -# clock_accuracy should represent how accurate the proxy servers' system clocks -# are with each other. 1000 means that all the proxies' clock are accurate to -# each other within 1 millisecond. No ratelimit should be higher than the -# clock accuracy. -# clock_accuracy = 1000 -# -# max_sleep_time_seconds = 60 -# -# log_sleep_time_seconds of 0 means disabled -# log_sleep_time_seconds = 0 -# -# allows for slow rates (e.g. running up to 5 sec's behind) to catch up. -# rate_buffer_seconds = 5 -# -# account_ratelimit of 0 means disabled -# account_ratelimit = 0 - -# DEPRECATED- these will continue to work but will be replaced -# by the X-Account-Sysmeta-Global-Write-Ratelimit flag. -# Please see ratelimiting docs for details. -# these are comma separated lists of account names -# account_whitelist = a,b -# account_blacklist = c,d - -# with container_limit_x = r -# for containers of size x limit write requests per second to r. The container -# rate will be linearly interpolated from the values given. With the values -# below, a container of size 5 will get a rate of 75. -# container_ratelimit_0 = 100 -# container_ratelimit_10 = 50 -# container_ratelimit_50 = 20 - -# Similarly to the above container-level write limits, the following will limit -# container GET (listing) requests. -# container_listing_ratelimit_0 = 100 -# container_listing_ratelimit_10 = 50 -# container_listing_ratelimit_50 = 20 - -[filter:domain_remap] -use = egg:swift#domain_remap -# You can override the default log routing for this filter here: -# set log_name = domain_remap -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log -# -# storage_domain = example.com -# path_root = v1 - -# Browsers can convert a host header to lowercase, so check that reseller -# prefix on the account is the correct case. This is done by comparing the -# items in the reseller_prefixes config option to the found prefix. If they -# match except for case, the item from reseller_prefixes will be used -# instead of the found reseller prefix. When none match, the default reseller -# prefix is used. When no default reseller prefix is configured, any request -# with an account prefix not in that list will be ignored by this middleware. -# reseller_prefixes = AUTH -# default_reseller_prefix = - -[filter:catch_errors] -use = egg:swift#catch_errors -# You can override the default log routing for this filter here: -# set log_name = catch_errors -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log - -[filter:cname_lookup] -# Note: this middleware requires python-dnspython -use = egg:swift#cname_lookup -# You can override the default log routing for this filter here: -# set log_name = cname_lookup -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log -# -# Specify the storage_domain that match your cloud, multiple domains -# can be specified separated by a comma -# storage_domain = example.com -# -# lookup_depth = 1 - -# Note: Put staticweb just after your auth filter(s) in the pipeline -[filter:staticweb] -use = egg:swift#staticweb -# You can override the default log routing for this filter here: -# set log_name = staticweb -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log - -# Note: Put tempurl before dlo, slo and your auth filter(s) in the pipeline -[filter:tempurl] -use = egg:swift#tempurl -# The methods allowed with Temp URLs. -# methods = GET HEAD PUT POST DELETE -# -# The headers to remove from incoming requests. Simply a whitespace delimited -# list of header names and names can optionally end with '*' to indicate a -# prefix match. incoming_allow_headers is a list of exceptions to these -# removals. -# incoming_remove_headers = x-timestamp -# -# The headers allowed as exceptions to incoming_remove_headers. Simply a -# whitespace delimited list of header names and names can optionally end with -# '*' to indicate a prefix match. -# incoming_allow_headers = -# -# The headers to remove from outgoing responses. Simply a whitespace delimited -# list of header names and names can optionally end with '*' to indicate a -# prefix match. outgoing_allow_headers is a list of exceptions to these -# removals. -# outgoing_remove_headers = x-object-meta-* -# -# The headers allowed as exceptions to outgoing_remove_headers. Simply a -# whitespace delimited list of header names and names can optionally end with -# '*' to indicate a prefix match. -# outgoing_allow_headers = x-object-meta-public-* - -# Note: Put formpost just before your auth filter(s) in the pipeline -[filter:formpost] -use = egg:swift#formpost - -# Note: Just needs to be placed before the proxy-server in the pipeline. -[filter:name_check] -use = egg:swift#name_check -# forbidden_chars = '"`<> -# maximum_length = 255 -# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$ - -[filter:list-endpoints] -use = egg:swift#list_endpoints -# list_endpoints_path = /endpoints/ - -[filter:proxy-logging] -use = egg:swift#proxy_logging -# If not set, logging directives from [DEFAULT] without "access_" will be used -# access_log_name = swift -# access_log_facility = LOG_LOCAL0 -# access_log_level = INFO -# access_log_address = /dev/log -# -# If set, access_log_udp_host will override access_log_address -# access_log_udp_host = -# access_log_udp_port = 514 -# -# You can use log_statsd_* from [DEFAULT] or override them here: -# access_log_statsd_host = -# access_log_statsd_port = 8125 -# access_log_statsd_default_sample_rate = 1.0 -# access_log_statsd_sample_rate_factor = 1.0 -# access_log_statsd_metric_prefix = -# access_log_headers = false -# -# If access_log_headers is True and access_log_headers_only is set only -# these headers are logged. Multiple headers can be defined as comma separated -# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime -# access_log_headers_only = -# -# By default, the X-Auth-Token is logged. To obscure the value, -# set reveal_sensitive_prefix to the number of characters to log. -# For example, if set to 12, only the first 12 characters of the -# token appear in the log. An unauthorized access of the log file -# won't allow unauthorized usage of the token. However, the first -# 12 or so characters is unique enough that you can trace/debug -# token usage. Set to 0 to suppress the token completely (replaced -# by '...' in the log). -# Note: reveal_sensitive_prefix will not affect the value -# logged with access_log_headers=True. -# reveal_sensitive_prefix = 16 -# -# What HTTP methods are allowed for StatsD logging (comma-sep); request methods -# not in this list will have "BAD_METHOD" for the portion of the metric. -# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS -# -# Note: The double proxy-logging in the pipeline is not a mistake. The -# left-most proxy-logging is there to log requests that were handled in -# middleware and never made it through to the right-most middleware (and -# proxy server). Double logging is prevented for normal requests. See -# proxy-logging docs. - -# Note: Put before both ratelimit and auth in the pipeline. -[filter:bulk] -use = egg:swift#bulk -# max_containers_per_extraction = 10000 -# max_failed_extractions = 1000 -# max_deletes_per_request = 10000 -# max_failed_deletes = 1000 - -# In order to keep a connection active during a potentially long bulk request, -# Swift may return whitespace prepended to the actual response body. This -# whitespace will be yielded no more than every yield_frequency seconds. -# yield_frequency = 10 - -# Note: The following parameter is used during a bulk delete of objects and -# their container. This would frequently fail because it is very likely -# that all replicated objects have not been deleted by the time the middleware got a -# successful response. It can be configured the number of retries. And the -# number of seconds to wait between each retry will be 1.5**retry - -# delete_container_retry_count = 0 - -# Note: Put after auth and staticweb in the pipeline. -[filter:slo] -use = egg:swift#slo -# max_manifest_segments = 1000 -# max_manifest_size = 2097152 -# -# Rate limiting applies only to segments smaller than this size (bytes). -# rate_limit_under_size = 1048576 -# -# Start rate-limiting SLO segment serving after the Nth small segment of a -# segmented object. -# rate_limit_after_segment = 10 -# -# Once segment rate-limiting kicks in for an object, limit segments served -# to N per second. 0 means no rate-limiting. -# rate_limit_segments_per_sec = 1 -# -# Time limit on GET requests (seconds) -# max_get_time = 86400 - -# Note: Put after auth and staticweb in the pipeline. -# If you don't put it in the pipeline, it will be inserted for you. -[filter:dlo] -use = egg:swift#dlo -# Start rate-limiting DLO segment serving after the Nth segment of a -# segmented object. -# rate_limit_after_segment = 10 -# -# Once segment rate-limiting kicks in for an object, limit segments served -# to N per second. 0 means no rate-limiting. -# rate_limit_segments_per_sec = 1 -# -# Time limit on GET requests (seconds) -# max_get_time = 86400 - -# Note: Put after auth in the pipeline. -[filter:container-quotas] -use = egg:swift#container_quotas - -# Note: Put after auth in the pipeline. -[filter:account-quotas] -use = egg:swift#account_quotas - -[filter:gatekeeper] -use = egg:swift#gatekeeper -# Set this to false if you want to allow clients to set arbitrary X-Timestamps -# on uploaded objects. This may be used to preserve timestamps when migrating -# from a previous storage system, but risks allowing users to upload -# difficult-to-delete data. -# shunt_inbound_x_timestamp = true -# -# You can override the default log routing for this filter here: -# set log_name = gatekeeper -# set log_facility = LOG_LOCAL0 -# set log_level = INFO -# set log_headers = false -# set log_address = /dev/log - -[filter:container_sync] -use = egg:swift#container_sync -# Set this to false if you want to disallow any full url values to be set for -# any new X-Container-Sync-To headers. This will keep any new full urls from -# coming in, but won't change any existing values already in the cluster. -# Updating those will have to be done manually, as knowing what the true realm -# endpoint should be cannot always be guessed. -# allow_full_urls = true -# Set this to specify this clusters //realm/cluster as "current" in /info -# current = //REALM/CLUSTER - -# Note: Put it at the beginning of the pipeline to profile all middleware. But -# it is safer to put this after catch_errors, gatekeeper and healthcheck. -[filter:xprofile] -use = egg:swift#xprofile -# This option enable you to switch profilers which should inherit from python -# standard profiler. Currently the supported value can be 'cProfile', -# 'eventlet.green.profile' etc. -# profile_module = eventlet.green.profile -# -# This prefix will be used to combine process ID and timestamp to name the -# profile data file. Make sure the executing user has permission to write -# into this path (missing path segments will be created, if necessary). -# If you enable profiling in more than one type of daemon, you must override -# it with an unique value like: /var/log/swift/profile/proxy.profile -# log_filename_prefix = /tmp/log/swift/profile/default.profile -# -# the profile data will be dumped to local disk based on above naming rule -# in this interval. -# dump_interval = 5.0 -# -# Be careful, this option will enable profiler to dump data into the file with -# time stamp which means there will be lots of files piled up in the directory. -# dump_timestamp = false -# -# This is the path of the URL to access the mini web UI. -# path = /__profile__ -# -# Clear the data when the wsgi server shutdown. -# flush_at_shutdown = false -# -# unwind the iterator of applications -# unwind = false - -# Note: Put after slo, dlo in the pipeline. -# If you don't put it in the pipeline, it will be inserted automatically. -[filter:versioned_writes] -use = egg:swift#versioned_writes -# Enables using versioned writes middleware and exposing configuration -# settings via HTTP GET /info. -# WARNING: Setting this option bypasses the "allow_versions" option -# in the container configuration file, which will be eventually -# deprecated. See documentation for more details. -# allow_versioned_writes = false - - -[filter:moon] -paste.filter_factory = keystonemiddleware.moon_agent:filter_factory -authz_login=admin -authz_password={{ ADMIN_PASS }} -auth_host = {{ internal_vip.ip }} -logfile=/var/log/moon/keystonemiddleware.log diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/wsgi-keystone.conf.j2 b/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/wsgi-keystone.conf.j2 deleted file mode 100644 index 64d864af..00000000 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/moon/templates/wsgi-keystone.conf.j2 +++ /dev/null @@ -1,46 +0,0 @@ - {% set work_threads = (ansible_processor_vcpus + 1) // 2 %} - - WSGIDaemonProcess keystone-public processes={{ work_threads }} threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} - WSGIProcessGroup keystone-public - WSGIScriptAlias / /usr/bin/keystone-wsgi-public - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - - ErrorLog /var/log/{{ http_service_name }}/keystone.log - CustomLog /var/log/{{ http_service_name }}/keystone_access.log combined - - - = 2.4> - Require all granted - - - Order allow,deny - Allow from all - - - - - - WSGIDaemonProcess keystone-admin processes={{ work_threads }} threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} - WSGIProcessGroup keystone-admin - WSGIScriptAlias / /usr/bin/keystone-wsgi-admin - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - - ErrorLog /var/log/{{ http_service_name }}/keystone.log - CustomLog /var/log/{{ http_service_name }}/keystone_access.log combined - - - = 2.4> - Require all granted - - - Order allow,deny - Allow from all - - - -- cgit 1.2.3-korg