Keystone role for OpenStack-Ansible

Keystone role for OpenStack-Ansible

To clone or view the source code for this repository, visit the role repository for os_keystone.

Default variables

## Verbosity Options
debug: False

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
keystone_package_state: "latest"
keystone_pip_package_state: "latest"

# Role standard API override this option in the OS variable files
keystone_shibboleth_repo: {}

# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: "stable/queens"
keystone_developer_mode: false
keystone_developer_constraints:
  - "git+{{ keystone_git_repo }}@{{ keystone_git_install_branch }}#egg=keystone"

# Name of the virtual env to deploy into
keystone_venv_tag: untagged
keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
keystone_venv_download: "{{ not keystone_developer_mode | bool }}"
keystone_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/keystone.tgz

keystone_fatal_deprecations: False

## System info
keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
  - ssl_cert

keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"

## Drivers
keystone_auth_methods: "password,token"
keystone_identity_driver: sql
keystone_token_provider: fernet
keystone_token_expiration: 43200
keystone_token_cache_time: 3600

# Set the revocation driver used within keystone.
keystone_revocation_driver: sql
keystone_revocation_cache_time: 3600
keystone_revocation_expiration_buffer: 1800

## Fernet config vars
keystone_fernet_tokens_key_repository: "/etc/keystone/fernet-keys"
keystone_fernet_tokens_max_active_keys: 7
# Any of the following rotation times are valid:
#   reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_fernet_rotation: daily
keystone_fernet_auto_rotation_script: /opt/keystone-fernet-rotate.sh

## Credentials config vars
keystone_credential_key_repository: /etc/keystone/credential-keys
# Any of the following rotation times are valid:
#   reboot, yearly, annually, monthly, weekly, daily, hourly
keystone_credential_rotation: weekly
keystone_credential_auto_rotation_script: /opt/keystone-credential-rotate.sh

keystone_assignment_driver: sql

keystone_resource_cache_time: 3600
keystone_resource_driver: sql

keystone_bind_address: 0.0.0.0

## Database info
keystone_database_connection_string: >-
  mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
keystone_galera_user: keystone
keystone_galera_database: keystone
## Database SSL
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
# Database tuning
keystone_database_enabled: true
keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30

## RabbitMQ info

## Configuration for RPC communications
keystone_messaging_enabled: true
keystone_rabbitmq_port: 5671
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_rabbitmq_servers: localhost
keystone_rabbitmq_use_ssl: false

## Configuration for notifications communication, i.e. [oslo_messaging_notifications]
keystone_rabbitmq_telemetry_userid: "{{ keystone_rabbitmq_userid }}"
keystone_rabbitmq_telemetry_password: "{{ keystone_rabbitmq_password }}"
keystone_rabbitmq_telemetry_vhost: "{{ keystone_rabbitmq_vhost }}"
keystone_rabbitmq_telemetry_port: "{{ keystone_rabbitmq_port }}"
keystone_rabbitmq_telemetry_servers: "{{ keystone_rabbitmq_servers }}"
keystone_rabbitmq_telemetry_use_ssl: "{{ keystone_rabbitmq_use_ssl }}"

## Role info
keystone_role_name: admin
keystone_default_role_name: _member_

## Admin info
keystone_admin_port: 35357
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_description: Admin Tenant

## Service Type and Data
keystone_service_setup: true
keystone_service_region: RegionOne
keystone_service_name: keystone
keystone_service_port: 5000
keystone_service_type: identity
keystone_service_description: "Keystone Identity Service"
keystone_service_user_name: keystone
keystone_service_tenant_name: service

keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"

keystone_service_internaluri_insecure: false
keystone_service_adminuri_insecure: false

keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"

keystone_service_publicurl_v3: "{{ keystone_service_publicuri }}/v3"
keystone_service_internalurl_v3: "{{ keystone_service_internaluri }}/v3"
keystone_service_adminurl_v3: "{{ keystone_service_adminuri }}/v3"

keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"


## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"

# This is the web server that will handle all requests and will act as a
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
# they are implemented in this web server's configuration. Using a web server
# for endpoints is far better for scale and allows the use of additional
# modules to improve performance or security, leaving uWSGI to only have
# to be used for running the service.
#
# Note:
# The default is nginx, but apache will be used if Keystone is configured
# as a Federated Service provider.
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
# so that we do not have to be concerned with multiple web servers.
#
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"

## Apache setup
keystone_apache_log_level: info
keystone_apache_custom_log_format: combined
keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off"

## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0

## Nginx setup
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
keystone_nginx_ports:
  keystone-wsgi-public: "{{ keystone_service_port }}"
  keystone-wsgi-admin: "{{ keystone_admin_port }}"
keystone_nginx_extra_conf:
  - keepalive_timeout   70;

## uWSGI setup
keystone_wsgi_threads: 1
## Cap the maximun number of processes when a user value is unspecified.
keystone_wsgi_processes_max: 16
keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
keystone_wsgi_public_program_name: keystone-wsgi-public
keystone_wsgi_admin_program_name: keystone-wsgi-admin
keystone_wsgi_program_names:
  - "{{ keystone_wsgi_public_program_name }}"
  - "{{ keystone_wsgi_admin_program_name }}"
keystone_uwsgi_ports:
  keystone-wsgi-public:
    http: 37358
    socket: 35358
  keystone-wsgi-admin:
    http: 37359
    socket: 5001
keystone_uwsgi_ini_overrides: {}

# set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"

# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false
keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these variables to deploy custom certificates
#keystone_user_ssl_cert: <path to cert on ansible deployment host>
#keystone_user_ssl_key: <path to cert on ansible deployment host>
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>

# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false

# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO

## Caching
# This is a list of strings, each string contains a cache server's
# information (IP:port for example)
# The cache_servers default backend is memcached, so this variable
# should point to a list of memcached servers.
# If empty, caching is disabled.
keystone_cache_servers: []

## LDAP Section
# Define Keystone LDAP domain configuration here.
# This may be used to add configuration for a LDAP identity back-end.
# See the http://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
#
# Each top-level entry is a domain name. Each entry below that are key: value pairs for
# the ldap section in the domain-specific configuraiton file.
#
# (EXAMPLE LAYOUT)
# keystone_ldap:
#   Users:
#     url: "ldap://127.0.0.1"
#     user: "root"
#     password: "secrete"
#     ...

keystone_ldap: {}
keystone_ldap_domain_config_dir: /etc/keystone/domains


# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
# Otherwise keys will be generated on the first run and not regenerated each run.
keystone_recreate_keys: False

## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
#keystone_policy_overrides:
#  identity:create_region: "rule:admin_required"
#  identity:update_region: "rule:admin_required"

## Federation

# Enable the following section on the Keystone IdP
keystone_idp: {}
#keystone_idp:
#  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
#  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
#  self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
#  regen_cert: false
#  idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
#  idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
#  idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
#  service_providers:
#    - id: "sp_1"
#      auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
#      sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
#  # the following settings are optional
#  organization_name: example_company
#  organization_display_name: Example Corp.
#  organization_url: example.com
#  contact_company: example_company
#  contact_name: John
#  contact_surname: Smith
#  contact_email: jsmith@example.com
#  contact_telephone: 555-55-5555
#  contact_type: technical

# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
keystone_sp: {}
#keystone_sp:
#  cert_duration_years: 5
#  trusted_dashboard_list:
#    - "https://{{ external_lb_vip_address }}/auth/websso/"
#    - "https://{{ horizon_server_name }}/auth/websso/"
#  trusted_idp_list:
#    note that only one of these is supported at any one time for now
#    - name: "keystone-idp"
#      entity_ids:
#         - 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/idp'
#      metadata_uri: 'https://keystone-idp:5000/v3/OS-FEDERATION/saml2/metadata'
#      metadata_file: 'metadata-keystone-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: keystone-idp-mapping
#            rules:
#              - remote:
#                  - type: openstack_user
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                    user:
#                      name: '{0}'
#          attributes:
#            - name: openstack_user
#              id: openstack_user
#            - name: openstack_roles
#              id: openstack_roles
#            - name: openstack_project
#              id: openstack_project
#            - name: openstack_user_domain
#              id: openstack_user_domain
#            - name: openstack_project_domain
#              id: openstack_project_domain
#
#    - name: 'testshib-idp'
#      entity_ids:
#        - 'https://idp.testshib.org/idp/shibboleth'
#      metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
#      metadata_file: 'metadata-testshib-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: testshib-idp-mapping
#            rules:
#              - remote:
#                  - type: eppn
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                  - user:
#                      name: '{0}'
#
#    - name: 'adfs-idp'
#      entity_ids:
#       - 'http://adfs.contoso.com/adfs/services/trust'
#      metadata_uri: 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
#      metadata_file: 'metadata-adfs-idp.xml'
#      metadata_reload: 1800
#      federated_identities:
#        - domain: Default
#          project: fedproject
#          group: fedgroup
#          role: _member_
#      protocols:
#        - name: saml2
#          mapping:
#            name: adfs-idp-mapping
#            rules:
#              - remote:
#                  - type: upn
#                local:
#                  - group:
#                      name: fedgroup
#                      domain:
#                        name: Default
#                  - user:
#                      name: '{0}'
#          attributes:
#            - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
#              id: upn

keystone_service_in_ldap: false

# Keystone notification settings
keystone_ceilometer_enabled: false

# Keystone packages that must be installed before anything else
keystone_requires_pip_packages:
  - virtualenv
  - python-keystoneclient # Keystoneclient needed to OSA keystone lib

# Common pip packages
keystone_pip_packages:
  - keystone
  - ldappool
  - pyldap
  - PyMySQL
  - python-memcached
  - python-openstackclient
  - uWSGI

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
keystone_role_project_group: keystone_all

#: Tunable file-based overrides
# The contents of these files, if they exist, are read from the
# specified path on the deployment host, interpreted by the
# template engine and copied to the target host. If they do
# not exist then the default files will be sourced from the
# service git repository.
keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"

# If the above-mentioned files do not exist, then these
# paths will be used to find the files from the git config
# lookup location.
keystone_git_config_lookup_location: https://git.openstack.org/cgit/openstack/keystone/plain
keystone_paste_git_file_path: "etc/keystone-paste.ini?h={{ keystone_git_install_branch }}"
keystone_sso_callback_git_file_path: "etc/sso_callback_template.html?h={{ keystone_git_install_branch }}"

#: Tunable var-based overrides
# The contents of these are templated over the default files.
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
keystone_policy_overrides: {}

keystone_required_secrets:
  - keystone_auth_admin_password
  - keystone_container_mysql_password
  - keystone_rabbitmq_password
  - keystone_service_password

keystone_uwsgi_init_overrides: {}

## Extra HTTP headers for Keystone
# Add any additional headers here that Keystone should return.
#
# Example:
#
#   keystone_extra_headers:
#     - parameter: "Access-Control-Expose-Headers"
#       value: "X-Subject-Token"
#     - parameter: "Access-Control-Allow-Headers"
#       value: "Content-Type, X-Auth-Token"
#     - parameter: "Access-Control-Allow-Origin"
#       value: "*"
keystone_extra_headers: []

# Toggle whether memcache should be flushed when doing
# database migrations. This is sometimes useful when
# doing upgrades, but should not usually be required.
# ref: https://bugs.launchpad.net/openstack-ansible/+bug/1793389
keystone_flush_memcache: no

Dependencies

This role needs pip >= 7.1 installed on the target host.

To use this role, define the following variables:

# hostname or IP of load balancer providing external network
# access to Keystone
external_lb_vip_address: 10.100.100.102

# hostname or IP of load balancer providing internal network
# access to Keystone
internal_lb_vip_address: 10.100.100.102

# password used by the keystone service to interact with Galera
keystone_container_mysql_password: "YourPassword"

keystone_auth_admin_password: "SuperSecretePassword"
keystone_service_password: "secrete"
keystone_rabbitmq_password: "secrete"
keystone_container_mysql_password: "SuperSecrete"

This list is not exhaustive at present. See role internals for further details.

Example playbook

    - name: Installation and setup of Keystone
      hosts: keystone_all
      user: root
      pre_tasks:
        - name: Create DB for service
          mysql_db:
            login_user: "root"
            login_password: "secrete"
            login_host: "localhost"
            name: "{{ keystone_galera_database }}"
            state: "present"
          delegate_to: "{{ keystone_galera_address }}"
          when: inventory_hostname == groups['keystone_all'][0]
          no_log: true
        - name: Grant access to the DB for the service
          mysql_user:
            login_user: "root"
            login_password: "secrete"
            login_host: "localhost"
            name: "{{ keystone_galera_database }}"
            password: "{{ keystone_container_mysql_password }}"
            host: "{{ item }}"
            state: "present"
            priv: "{{ keystone_galera_database }}.*:ALL"
          with_items:
            - "localhost"
            - "%"
          delegate_to: "{{ keystone_galera_address }}"
          when: inventory_hostname == groups['keystone_all'][0]
          no_log: true
      roles:
        - { role: "os_keystone", tags: [ "os-keystone" ] }
      vars:
        external_lb_vip_address: 10.100.100.102
        internal_lb_vip_address: 10.100.100.102
        keystone_galera_address: 10.100.100.101
        keystone_galera_database: keystone
        keystone_venv_tag: "testing"
        keystone_developer_mode: true
        keystone_git_install_branch: "stable/queens"
        keystone_auth_admin_password: "SuperSecretePassword"
        keystone_service_password: "secrete"
        keystone_rabbitmq_password: "secrete"
        keystone_container_mysql_password: "SuperSecrete"
        keystone_rabbitmq_port: 5671
        keystone_rabbitmq_userid: keystone
        keystone_rabbitmq_vhost: /keystone
        keystone_rabbitmq_servers: 10.100.100.101
        keystone_rabbitmq_use_ssl: true
        galera_client_drop_config_file: false

External Restart Hooks

When the role performs a restart of the service, it will notify an Ansible handler named Manage LB, which is a noop within this role. In the playbook, other roles may be loaded before and after this role which will implement Ansible handler listeners for Manage LB, allowing external roles to manage the load balancer endpoints responsible for sending traffic to the servers being restarted by marking them in maintenance or active mode, draining sessions, etc. For an example implementation, please reference the ansible-haproxy-endpoints role used by the openstack-ansible project.

Tags

This role supports two tags: keystone-install and keystone-config

The keystone-install tag can be used to install and upgrade.

The keystone-config tag can be used to maintain configuration of the service.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.