コード例 #1
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log(
                "Not ssl-cert-master - skipping apache ca config until "
                "master is elected",
                level=INFO)
            return

        ca_cert = config('ssl_ca')
        if ca_cert is None:
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()
        else:
            ca_cert = b64decode(ca_cert)

        # Ensure accessible by keystone ssh user and group (unison)
        install_ca_cert(ca_cert)
        ensure_permissions(CA_CERT_PATH,
                           user=SSH_USER,
                           group='keystone',
                           perms=0o0644)
コード例 #2
0
def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.
    """
    if CompareOpenStackReleases(os_release('keystone-common')) >= 'pike':
        # pike dropped support for PKI token; skip function
        return
    ensure_pki_cert_paths()
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        if snap_install_requested():
            cmd = ['/snap/bin/keystone-manage', 'pki_setup',
                   '--keystone-user', KEYSTONE_USER,
                   '--keystone-group', KEYSTONE_USER]
            _log_dir = '/var/snap/keystone/common/log'
        else:
            cmd = ['keystone-manage', 'pki_setup',
                   '--keystone-user', KEYSTONE_USER,
                   '--keystone-group', KEYSTONE_USER]
            _log_dir = '/var/log/keystone'
        check_call(cmd)

        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        ensure_permissions(_log_dir, user=KEYSTONE_USER,
                           group=KEYSTONE_USER, perms=0o744)
        ensure_permissions('{}/keystone.log'.format(_log_dir),
                           user=KEYSTONE_USER, group=KEYSTONE_USER,
                           perms=0o644)

    ensure_pki_dir_permissions()
コード例 #3
0
def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.
    """
    ensure_pki_cert_paths()
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        cmd = [
            'keystone-manage', 'pki_setup', '--keystone-user', 'keystone',
            '--keystone-group', 'keystone'
        ]
        check_call(cmd)

        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        ensure_permissions('/var/log/keystone',
                           user='******',
                           group='keystone',
                           perms=0o744)
        ensure_permissions('/var/log/keystone/keystone.log',
                           user='******',
                           group='keystone',
                           perms=0o644)

    ensure_pki_dir_permissions()
コード例 #4
0
    def configure_cert(self, cn):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
            KEYSTONE_USER,
        )

        # Ensure ssl dir exists whether master or not
        perms = 0o775
        mkdir(path=self.ssl_dir,
              owner=SSH_USER,
              group=KEYSTONE_USER,
              perms=perms)
        # Ensure accessible by keystone ssh user and group (for sync)
        ensure_permissions(self.ssl_dir,
                           user=SSH_USER,
                           group=KEYSTONE_USER,
                           perms=perms)

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log(
                "Not ssl-cert-master - skipping apache cert config until "
                "master is elected",
                level=INFO)
            return

        log("Creating apache ssl certs in %s" % (self.ssl_dir), level=INFO)

        cert = config('ssl_cert')
        key = config('ssl_key')

        if not (cert and key):
            ca = get_ca(user=SSH_USER)
            cert, key = ca.get_cert_and_key(common_name=cn)
        else:
            cert = b64decode(cert)
            key = b64decode(key)

        write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)),
                   content=cert,
                   owner=SSH_USER,
                   group=KEYSTONE_USER,
                   perms=0o640)
        write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)),
                   content=key,
                   owner=SSH_USER,
                   group=KEYSTONE_USER,
                   perms=0o640)
コード例 #5
0
ファイル: keystone_hooks.py プロジェクト: BillTheBest/hyper-c
def initialise_pki():
    """Create certs and keys required for PKI token signing.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.
    """
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        cmd = ['keystone-manage', 'pki_setup', '--keystone-user', 'keystone',
               '--keystone-group', 'keystone']
        check_call(cmd)

        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        ensure_permissions('/var/log/keystone', user='******',
                           group='keystone', perms=0o744)
        ensure_permissions('/var/log/keystone/keystone.log', user='******',
                           group='keystone', perms=0o644)

    ensure_pki_dir_permissions()
コード例 #6
0
ファイル: keystone_hooks.py プロジェクト: coreycb/keystone
def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.
    """
    ensure_pki_cert_paths()
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        cmd = ["keystone-manage", "pki_setup", "--keystone-user", "keystone", "--keystone-group", "keystone"]
        check_call(cmd)

        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        ensure_permissions("/var/log/keystone", user="******", group="keystone", perms=0o744)
        ensure_permissions("/var/log/keystone/keystone.log", user="******", group="keystone", perms=0o644)

    ensure_pki_dir_permissions()
コード例 #7
0
    def configure_cert(self, cn):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
        )

        # Ensure ssl dir exists whether master or not
        ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
        perms = 0o755
        mkdir(path=ssl_dir, owner=SSH_USER, group='keystone', perms=perms)
        # Ensure accessible by keystone ssh user and group (for sync)
        ensure_permissions(ssl_dir, user=SSH_USER, group='keystone',
                           perms=perms)

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log("Not ssl-cert-master - skipping apache cert config until "
                "master is elected", level=INFO)
            return

        log("Creating apache ssl certs in %s" % (ssl_dir), level=INFO)

        cert = config('ssl_cert')
        key = config('ssl_key')

        if not (cert and key):
            ca = get_ca(user=SSH_USER)
            cert, key = ca.get_cert_and_key(common_name=cn)
        else:
            cert = b64decode(cert)
            key = b64decode(key)

        write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)),
                   content=cert, owner=SSH_USER, group='keystone', perms=0o644)
        write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)),
                   content=key, owner=SSH_USER, group='keystone', perms=0o644)
コード例 #8
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
            KEYSTONE_USER,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log(
                "Not ssl-cert-master - skipping apache ca config until "
                "master is elected",
                level=INFO)
            return

        cert = config('ssl_cert')
        key = config('ssl_key')

        ca_cert = config('ssl_ca')
        if ca_cert:
            ca_cert = b64decode(ca_cert)
        elif not (cert and key):
            # NOTE(hopem): if a cert and key are provided as config we don't
            # mandate that a CA is also provided since it isn't necessarily
            # needed. As a result we only generate a custom CA if we are also
            # generating cert and key.
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()

        if ca_cert:
            # Ensure accessible by keystone ssh user and group (unison)
            install_ca_cert(ca_cert)
            ensure_permissions(CA_CERT_PATH,
                               user=SSH_USER,
                               group=KEYSTONE_USER,
                               perms=0o0644)
コード例 #9
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log("Not ssl-cert-master - skipping apache ca config until "
                "master is elected", level=INFO)
            return

        ca_cert = config('ssl_ca')
        if ca_cert is None:
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()
        else:
            ca_cert = b64decode(ca_cert)

        # Ensure accessible by keystone ssh user and group (unison)
        install_ca_cert(ca_cert)
        ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone',
                           perms=0o0644)
コード例 #10
0
    def __call__(self):
        from keystone_utils import (
            api_port,
            set_admin_token,
            endpoint_url,
            resolve_address,
            PUBLIC,
            ADMIN,
            PKI_CERTS_DIR,
            SSH_USER,
            ensure_permissions,
        )
        ctxt = {}
        ctxt['token'] = set_admin_token(config('admin-token'))
        ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
                                                singlenode_mode=True)
        ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
                                                 singlenode_mode=True)

        debug = config('debug')
        ctxt['debug'] = debug and bool_from_string(debug)
        verbose = config('verbose')
        ctxt['verbose'] = verbose and bool_from_string(verbose)
        ctxt['token_expiration'] = config('token-expiration')

        ctxt['identity_backend'] = config('identity-backend')
        ctxt['assignment_backend'] = config('assignment-backend')
        if config('identity-backend') == 'ldap':
            ctxt['ldap_server'] = config('ldap-server')
            ctxt['ldap_user'] = config('ldap-user')
            ctxt['ldap_password'] = config('ldap-password')
            ctxt['ldap_suffix'] = config('ldap-suffix')
            ctxt['ldap_readonly'] = config('ldap-readonly')
            ldap_flags = config('ldap-config-flags')
            if ldap_flags:
                flags = context.config_flags_parser(ldap_flags)
                ctxt['ldap_config_flags'] = flags

        enable_pki = config('enable-pki')
        if enable_pki and bool_from_string(enable_pki):
            ctxt['signing'] = True
            ctxt['token_provider'] = 'pki'

        if 'token_provider' in ctxt:
            log("Configuring PKI token cert paths", level=DEBUG)
            certs = os.path.join(PKI_CERTS_DIR, 'certs')
            privates = os.path.join(PKI_CERTS_DIR, 'privates')
            for path in [PKI_CERTS_DIR, certs, privates]:
                perms = 0o755
                if not os.path.isdir(path):
                    mkdir(path=path,
                          owner=SSH_USER,
                          group='keystone',
                          perms=perms)
                else:
                    # Ensure accessible by ssh user and group (for sync).
                    ensure_permissions(path,
                                       user=SSH_USER,
                                       group='keystone',
                                       perms=perms)

            signing_paths = {
                'certfile': os.path.join(certs, 'signing_cert.pem'),
                'keyfile': os.path.join(privates, 'signing_key.pem'),
                'ca_certs': os.path.join(certs, 'ca.pem'),
                'ca_key': os.path.join(certs, 'ca_key.pem')
            }

            for key, val in signing_paths.iteritems():
                ctxt[key] = val

        # Base endpoint URL's which are used in keystone responses
        # to unauthenticated requests to redirect clients to the
        # correct auth URL.
        ctxt['public_endpoint'] = endpoint_url(
            resolve_address(PUBLIC),
            api_port('keystone-public')).rstrip('v2.0')
        ctxt['admin_endpoint'] = endpoint_url(
            resolve_address(ADMIN), api_port('keystone-admin')).rstrip('v2.0')
        return ctxt
コード例 #11
0
    def __call__(self):
        from keystone_utils import (
            api_port, set_admin_token, endpoint_url, resolve_address,
            PUBLIC, ADMIN, PKI_CERTS_DIR, SSH_USER, ensure_permissions,
        )
        ctxt = {}
        ctxt['token'] = set_admin_token(config('admin-token'))
        ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
                                                singlenode_mode=True)
        ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
                                                 singlenode_mode=True)

        debug = config('debug')
        ctxt['debug'] = debug and bool_from_string(debug)
        verbose = config('verbose')
        ctxt['verbose'] = verbose and bool_from_string(verbose)
        ctxt['token_expiration'] = config('token-expiration')

        ctxt['identity_backend'] = config('identity-backend')
        ctxt['assignment_backend'] = config('assignment-backend')
        if config('identity-backend') == 'ldap':
            ctxt['ldap_server'] = config('ldap-server')
            ctxt['ldap_user'] = config('ldap-user')
            ctxt['ldap_password'] = config('ldap-password')
            ctxt['ldap_suffix'] = config('ldap-suffix')
            ctxt['ldap_readonly'] = config('ldap-readonly')
            ldap_flags = config('ldap-config-flags')
            if ldap_flags:
                flags = context.config_flags_parser(ldap_flags)
                ctxt['ldap_config_flags'] = flags

        enable_pki = config('enable-pki')
        if enable_pki and bool_from_string(enable_pki):
            ctxt['signing'] = True
            ctxt['token_provider'] = 'pki'

        if 'token_provider' in ctxt:
            log("Configuring PKI token cert paths", level=DEBUG)
            certs = os.path.join(PKI_CERTS_DIR, 'certs')
            privates = os.path.join(PKI_CERTS_DIR, 'privates')
            for path in [PKI_CERTS_DIR, certs, privates]:
                perms = 0o755
                if not os.path.isdir(path):
                    mkdir(path=path, owner=SSH_USER, group='keystone',
                          perms=perms)
                else:
                    # Ensure accessible by ssh user and group (for sync).
                    ensure_permissions(path, user=SSH_USER,
                                       group='keystone', perms=perms)

            signing_paths = {'certfile': os.path.join(certs,
                                                      'signing_cert.pem'),
                             'keyfile': os.path.join(privates,
                                                     'signing_key.pem'),
                             'ca_certs': os.path.join(certs, 'ca.pem'),
                             'ca_key': os.path.join(certs, 'ca_key.pem')}

            for key, val in signing_paths.iteritems():
                ctxt[key] = val

        # Base endpoint URL's which are used in keystone responses
        # to unauthenticated requests to redirect clients to the
        # correct auth URL.
        ctxt['public_endpoint'] = endpoint_url(
            resolve_address(PUBLIC),
            api_port('keystone-public')).rstrip('v2.0')
        ctxt['admin_endpoint'] = endpoint_url(
            resolve_address(ADMIN),
            api_port('keystone-admin')).rstrip('v2.0')
        return ctxt