OpenStack-Ansible Keystone

Ansible role that installs and configures OpenStack Keystone. Keystone is installed behind the Apache webserver listening on port 5000 and port 35357 by default.

Default Variables

## Verbosity Options
debug: False
verbose: True

# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: stable/mitaka
keystone_requirements_git_repo: https://git.openstack.org/openstack/requirements
keystone_requirements_git_install_branch: stable/mitaka
keystone_developer_mode: false
keystone_developer_constraints:
  - "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"

# Name of the virtual env to deploy into
keystone_venv_tag: untagged
keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"

# Set this to enable or disable installing in a venv
keystone_venv_enabled: true

# The bin path defaults to the venv path however if installation in a
#  venv is disabled the bin path will be dynamically set based on the
#  system path used when the installing.
keystone_bin: "{{ keystone_venv_bin }}"

keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz

keystone_fatal_deprecations: False

## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
  - ssl_cert
keystone_system_service_name: apache2
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"

keystone_rpc_backend: rabbit

## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
# For a sql backed token storage use: "sql"
keystone_token_driver: memcache
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600

# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800

## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
#   reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh

keystone_assignment_driver: sql

keystone_resource_cache_time: 3600
keystone_resource_driver: sql

keystone_bind_address: 0.0.0.0

## Memcached servers used within keystone.
# String or Comma separated list of servers.
keystone_memcached_servers: 127.0.0.1
keystone_memcached_max_compare_and_set_retry: 16

## DB info
keystone_galera_user: keystone
keystone_galera_database: keystone
# Database tuning
keystone_database_enabled: true
keystone_database_connection_string: mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30

## RabbitMQ info
keystone_messaging_enabled: true
keystone_rabbitmq_port: 5671
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_rabbitmq_servers: localhost
keystone_rabbitmq_use_ssl: false

## Role info
keystone_role_name: admin
keystone_default_role_name: _member_

## Admin info
keystone_admin_port: 35357
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant

## Service Type and Data
keystone_service_setup: true
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_user_name: keystone
keystone_service_tenant_name: service

keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"

keystone_service_internaluri_insecure: false
keystone_service_adminuri_insecure: false

keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"

keystone_service_publicurl_v2: "{{ keystone_service_publicuri }}/v2.0"
keystone_service_internalurl_v2: "{{ keystone_service_internaluri }}/v2.0"
keystone_service_adminurl_v2: "{{ keystone_service_adminuri }}/v2.0"

keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"

keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"


## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"

## Apache setup
keystone_apache_log_level: info
keystone_apache_custom_log_format: combined
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"
keystone_wsgi_threads: 1
keystone_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"

## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0

# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ ssl_protocol|default('ALL -SSLv2 -SSLv3') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite|default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS') }}"

# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>

# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false

# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO

## Caching
# If set this will enable dog pile cache for keystone.
# keystone_cache_backend_argument: url:127.0.0.1:11211

## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuraiton file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
#   Users:
#     url: "ldap://127.0.0.1"
#     user: "root"
#     password: "secrete"
#     ...

keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains


# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False

## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
#  identity:create_region: "rule:admin_required"
#  identity:update_region: "rule:admin_required"

## Federation

# Enable the following section on the Keystone IdP
#keystone_idp:
#  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
#  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
#  self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
#  regen_cert: false
#  idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
#  idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
#  idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
#  service_providers:
#    - id: "sp_1"
#      auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
#      sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
#  # the following settings are optional
#  organization_name: example_company
#  organization_display_name: Example Corp.
#  organization_url: example.com
#  contact_company: example_company
#  contact_name: John
#  contact_surname: Smith
#  contact_email: jsmith@example.com
#  contact_telephone: 555-55-5555
#  contact_type: technical

# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
#keystone_sp:
#  cert_duration_years: 5
#  trusted_dashboard_list:
#    - "https://{{ external_lb_vip_address }}/auth/websso/"
#    - "https://{{ horizon_server_name }}/auth/websso/"
#  trusted_idp_list:
#    note that only one of these is supported at any one time for now
#    - name: "keystone-idp"
#      entity_ids:
#         - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
#      metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
#      metadata_file: 'metadata-keystone-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: keystone-idp-mapping
#            rules:
#              - remote:
#                  - type: openstack_user
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                    user:
#                      name: '{0}'
#          attributes:
#            - name: openstack_user
#              id: openstack_user
#            - name: openstack_roles
#              id: openstack_roles
#            - name: openstack_project
#              id: openstack_project
#            - name: openstack_user_domain
#              id: openstack_user_domain
#            - name: openstack_project_domain
#              id: openstack_project_domain
#
#    - name: 'testshib-idp'
#      entity_ids:
#        - 'https://idp.testshib.org/idp/shibboleth'
#      metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
#      metadata_file: 'metadata-testshib-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: testshib-idp-mapping
#            rules:
#              - remote:
#                  - type: eppn
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                  - user:
#                      name: '{0}'
#
#    - name: 'adfs-idp'
#      entity_ids:
#       - 'http://adfs.contoso.com/adfs/services/trust'
#      metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
#      metadata_file: 'metadata-adfs-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: adfs-idp-mapping
#            rules:
#              - remote:
#                  - type: upn
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                  - user:
#                      name: '{0}'
#          attributes:
#            - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
#              id: upn

keystone_service_in_ldap: false

# Keystone Federation SP Packages
keystone_sp_apt_packages:
  - libapache2-mod-shib2

# Keystone notification settings
keystone_ceilometer_enabled: false

# Keystone packages that must be installed before anything else
keystone_requires_pip_packages:
  - virtualenv
  - virtualenv-tools
  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
  - httplib2

# Common pip packages
keystone_pip_packages:
  - argparse
  - keystone
  - keystonemiddleware
  - ldappool
  - lxml
  - PyMySQL
  - oslo.log
  - oslo.middleware
  - pbr
  - pycrypto
  - pysaml2
  - python-keystoneclient
  - python-ldap
  - python-memcached
  - python-openstackclient
  - repoze.lru

## Tunable overrides
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
keystone_policy_overrides: {}

Required Variables

This list is not exhaustive at present. See role internals for further details.

# hostname or IP of load balancer providing external network
# access to Keystone
external_lb_vip_address: 10.100.100.102

# hostname or IP of load balancer providing internal network
# access to Keystone
internal_lb_vip_address: 10.100.100.102

# password used by the keystone service to interact with Galera
keystone_container_mysql_password: "YourPassword"

keystone_auth_admin_password: "SuperSecretePassword"
keystone_service_password: "secrete"
keystone_rabbitmq_password: "secrete"
keystone_container_mysql_password: "SuperSecrete"

Example Playbook

- name: Installation and setup of Keystone
  hosts: keystone_all
  user: root
  roles:
    - { role: "os_keystone", tags: [ "os-keystone" ] }
  vars:
    external_lb_vip_address: 10.100.100.102
    internal_lb_vip_address: 10.100.100.102
    keystone_galera_address: 10.100.100.101
    keystone_galera_database: keystone
    keystone_venv_tag: "testing"
    keystone_developer_mode: true
    keystone_git_install_branch: stable/mitaka
    keystone_auth_admin_password: "SuperSecretePassword"
    keystone_service_password: "secrete"
    keystone_rabbitmq_password: "secrete"
    keystone_container_mysql_password: "SuperSecrete"
    keystone_rabbitmq_port: 5671
    keystone_rabbitmq_userid: keystone
    keystone_rabbitmq_vhost: /keystone
    keystone_rabbitmq_servers: 10.100.100.101
    keystone_rabbitmq_use_ssl: true
    galera_client_drop_config_file: false

Table Of Contents

Project Source

This Page