def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.

    ``keystone-manage pki_setup`` is only run on a unit that has no peers
    (``not peer_units()``) or that is the SSL certificate master; afterwards
    the log directory and log file are handed back to the keystone user,
    because ``check_call`` may have created them as root.
    ``ensure_pki_dir_permissions()`` runs on every unit regardless.

    Side effects: creates PKI signing material under the charm's PKI cert
    paths, may create /var/log/keystone/keystone.log, and changes
    ownership/mode of the log directory and file.

    Raises:
        Whatever ``check_call`` raises when pki_setup exits non-zero
        (presumably subprocess.CalledProcessError).
    """
    ensure_pki_cert_paths()
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        cmd = [
            'keystone-manage', 'pki_setup',
            '--keystone-user', 'keystone',
            '--keystone-group', 'keystone'
        ]
        check_call(cmd)
        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        # NOTE(review): the ``user`` value reads as '******' in this copy of
        # the file, which looks masked rather than intentional; pki_setup
        # above is run with 'keystone' as both user and group, so confirm
        # the real source passes 'keystone' here before relying on these
        # ownership changes.
        ensure_permissions('/var/log/keystone', user='******',
                           group='keystone', perms=0o744)
        ensure_permissions('/var/log/keystone/keystone.log', user='******',
                           group='keystone', perms=0o644)
    ensure_pki_dir_permissions()
def __call__(self):
    """Build the template context for keystone.conf.

    Values come from charm config via ``config()``; the two API ports go
    through ``determine_api_port`` in single-node mode, and the base
    endpoint URLs have any 'v2.0' stripped because keystone uses them in
    responses to unauthenticated requests to redirect clients to the auth
    URL.  LDAP settings are only added when ``identity-backend`` is
    ``ldap``; PKI file paths only when ``enable-pki`` is truthy.

    Returns:
        dict: the context consumed by the keystone.conf template.
    """
    from keystone_utils import (api_port, set_admin_token, endpoint_url,
                                resolve_address, PUBLIC, ADMIN,
                                PKI_CERTS_DIR, ensure_pki_cert_paths,
                                get_admin_domain_id)

    def _port(name):
        return determine_api_port(api_port(name), singlenode_mode=True)

    def _base_url(address_type, port_name):
        # endpoint_url() presumably returns a versioned URL; the template
        # wants the unversioned base, hence the 'v2.0' strip.
        url = endpoint_url(resolve_address(address_type), api_port(port_name))
        return url.replace('v2.0', '')

    # NOTE(review): the admin token is placed in the context verbatim and so
    # is written into whatever file this context renders; that file's mode
    # is set elsewhere — confirm it is not world-readable.
    ctxt = {
        'token': set_admin_token(config('admin-token')),
        'api_version': int(config('preferred-api-version')),
        'admin_role': config('admin-role'),
    }
    if ctxt['api_version'] > 2:
        ctxt['admin_domain_id'] = get_admin_domain_id() or 'admin_domain_id'

    ctxt['admin_port'] = _port('keystone-admin')
    ctxt['public_port'] = _port('keystone-public')

    for key, option in (('debug', 'debug'),
                        ('verbose', 'verbose'),
                        ('token_expiration', 'token-expiration'),
                        ('identity_backend', 'identity-backend'),
                        ('assignment_backend', 'assignment-backend')):
        ctxt[key] = config(option)

    if ctxt['identity_backend'] == 'ldap':
        # NOTE(review): ldap-password is carried in clear text in the
        # context; same rendered-file mode caveat as the admin token.
        for key, option in (('ldap_server', 'ldap-server'),
                            ('ldap_user', 'ldap-user'),
                            ('ldap_password', 'ldap-password'),
                            ('ldap_suffix', 'ldap-suffix'),
                            ('ldap_readonly', 'ldap-readonly')):
            ctxt[key] = config(option)
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        ensure_pki_cert_paths()
        certs = os.path.join(PKI_CERTS_DIR, 'certs')
        privates = os.path.join(PKI_CERTS_DIR, 'privates')
        # NOTE(review): the CA private key is addressed under the certs
        # directory rather than privates; confirm the directory permissions
        # applied elsewhere keep ca_key.pem unreadable to other users.
        ctxt['certfile'] = os.path.join(certs, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs, 'ca_key.pem')

    # Base endpoint URLs used in keystone responses to unauthenticated
    # requests to redirect clients to the correct auth URL.
    ctxt['public_endpoint'] = _base_url(PUBLIC, 'keystone-public')
    ctxt['admin_endpoint'] = _base_url(ADMIN, 'keystone-admin')
    return ctxt
def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.

    A no-op from pike onwards, where keystone dropped PKI tokens.  Before
    that, ``keystone-manage pki_setup`` runs when the unit has no peers or
    is the SSL cert master, using the snap or deb binary and log location
    as appropriate, and the log directory and file are handed back to
    KEYSTONE_USER because the command may have created them as root.
    ``ensure_pki_dir_permissions()`` then runs on every unit.

    Raises:
        Whatever ``check_call`` raises when pki_setup exits non-zero
        (presumably subprocess.CalledProcessError).
    """
    release = CompareOpenStackReleases(os_release('keystone-common'))
    if release >= 'pike':
        # pike dropped support for PKI token; nothing to set up.
        return

    ensure_pki_cert_paths()

    run_setup = not peer_units() or is_ssl_cert_master()
    if run_setup:
        log("Ensuring PKI token certs created", level=DEBUG)
        if snap_install_requested():
            manage_bin = '/snap/bin/keystone-manage'
            log_dir = '/var/snap/keystone/common/log'
        else:
            manage_bin = 'keystone-manage'
            log_dir = '/var/log/keystone'
        check_call([manage_bin, 'pki_setup',
                    '--keystone-user', KEYSTONE_USER,
                    '--keystone-group', KEYSTONE_USER])
        # pki_setup may have just created the log file as root; give the
        # directory and the file back to the keystone user.
        owner = dict(user=KEYSTONE_USER, group=KEYSTONE_USER)
        ensure_permissions(log_dir, perms=0o744, **owner)
        ensure_permissions('{}/keystone.log'.format(log_dir), perms=0o644,
                           **owner)

    ensure_pki_dir_permissions()
def __call__(self):
    """Assemble the keystone.conf template context.

    Reads charm config through ``config()``, resolves the admin/public API
    ports with ``determine_api_port`` (single-node mode), adds LDAP
    settings only for ``identity-backend == 'ldap'`` and PKI file paths
    only when ``enable-pki`` is truthy, and finishes with the public/admin
    base endpoint URLs with 'v2.0' removed (keystone uses these to redirect
    unauthenticated clients to the auth URL).

    Returns:
        dict: the context consumed by the keystone.conf template.
    """
    from keystone_utils import (
        api_port,
        set_admin_token,
        endpoint_url,
        resolve_address,
        PUBLIC,
        ADMIN,
        PKI_CERTS_DIR,
        ensure_pki_cert_paths,
        get_admin_domain_id
    )

    # NOTE(review): the admin token (and, below, the LDAP password) are put
    # into the context in clear text and rendered into a config file whose
    # mode is set elsewhere — confirm that file is not world-readable.
    ctxt = {}
    ctxt['token'] = set_admin_token(config('admin-token'))
    api_version = int(config('preferred-api-version'))
    ctxt['api_version'] = api_version
    ctxt['admin_role'] = config('admin-role')
    if api_version > 2:
        domain_id = get_admin_domain_id()
        ctxt['admin_domain_id'] = domain_id if domain_id else 'admin_domain_id'

    for key, port_name in (('admin_port', 'keystone-admin'),
                           ('public_port', 'keystone-public')):
        ctxt[key] = determine_api_port(api_port(port_name),
                                       singlenode_mode=True)

    ctxt.update({
        'debug': config('debug'),
        'verbose': config('verbose'),
        'token_expiration': config('token-expiration'),
        'identity_backend': config('identity-backend'),
        'assignment_backend': config('assignment-backend'),
    })

    if ctxt['identity_backend'] == 'ldap':
        ctxt.update({
            'ldap_server': config('ldap-server'),
            'ldap_user': config('ldap-user'),
            'ldap_password': config('ldap-password'),
            'ldap_suffix': config('ldap-suffix'),
            'ldap_readonly': config('ldap-readonly'),
        })
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        ensure_pki_cert_paths()
        certs_dir = os.path.join(PKI_CERTS_DIR, 'certs')
        privates_dir = os.path.join(PKI_CERTS_DIR, 'privates')
        # NOTE(review): ca_key.pem is located under the certs directory, not
        # privates; confirm the permissions applied elsewhere keep the CA
        # private key readable only by the keystone user.
        ctxt['certfile'] = os.path.join(certs_dir, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates_dir, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs_dir, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs_dir, 'ca_key.pem')

    # Base endpoint URLs used in keystone responses to unauthenticated
    # requests to redirect clients to the correct auth URL.
    public_url = endpoint_url(resolve_address(PUBLIC),
                              api_port('keystone-public'))
    ctxt['public_endpoint'] = public_url.replace('v2.0', '')
    admin_url = endpoint_url(resolve_address(ADMIN),
                             api_port('keystone-admin'))
    ctxt['admin_endpoint'] = admin_url.replace('v2.0', '')
    return ctxt
def initialise_pki():
    """Create certs and keys required for token signing.

    Used for PKI and signing token revocation list.

    NOTE: keystone.conf [signing] section must be up-to-date prior to
          executing this.

    ``keystone-manage pki_setup`` is only run on a unit that has no peers
    (``not peer_units()``) or that is the SSL certificate master; afterwards
    the log directory and log file are handed back to the keystone user,
    because ``check_call`` may have created them as root.
    ``ensure_pki_dir_permissions()`` runs on every unit regardless.

    Side effects: creates PKI signing material under the charm's PKI cert
    paths, may create /var/log/keystone/keystone.log, and changes
    ownership/mode of the log directory and file.

    Raises:
        Whatever ``check_call`` raises when pki_setup exits non-zero
        (presumably subprocess.CalledProcessError).
    """
    ensure_pki_cert_paths()
    if not peer_units() or is_ssl_cert_master():
        log("Ensuring PKI token certs created", level=DEBUG)
        cmd = ["keystone-manage", "pki_setup",
               "--keystone-user", "keystone",
               "--keystone-group", "keystone"]
        check_call(cmd)
        # Ensure logfile has keystone perms since we may have just created it
        # with root.
        # NOTE(review): the ``user`` value reads as "******" in this copy of
        # the file, which looks masked rather than intentional; pki_setup
        # above is run with "keystone" as both user and group, so confirm
        # the real source passes "keystone" here before relying on these
        # ownership changes.
        ensure_permissions("/var/log/keystone", user="******",
                           group="keystone", perms=0o744)
        ensure_permissions("/var/log/keystone/keystone.log", user="******",
                           group="keystone", perms=0o644)
    ensure_pki_dir_permissions()
def __call__(self):
    """Build the keystone.conf template context.

    Reads charm config via ``config()`` and leader settings via
    ``leader_get`` (v3 only), resolves the admin/public API ports in
    single-node mode, adds LDAP settings only for
    ``identity-backend == 'ldap'``, and sets ``enable_signing`` plus the
    PKI file paths only when ``enable-pki`` is truthy.  The public/admin
    base endpoint URLs have 'v2.0' removed because keystone uses them to
    redirect unauthenticated clients to the auth URL.  Domain config,
    logging and paste paths differ between snap and deb installs.

    Returns:
        dict: the context consumed by the keystone.conf template.
    """
    from keystone_utils import (
        api_port,
        set_admin_token,
        endpoint_url,
        resolve_address,
        PUBLIC,
        ADMIN,
        PKI_CERTS_DIR,
        ensure_pki_cert_paths,
        ADMIN_DOMAIN,
        snap_install_requested,
        get_api_version,
    )

    def _port(name):
        return determine_api_port(api_port(name), singlenode_mode=True)

    def _base_url(address_type, port_name):
        # endpoint_url() presumably returns a versioned URL; the template
        # wants the unversioned base, hence the 'v2.0' strip.
        url = endpoint_url(resolve_address(address_type), api_port(port_name))
        return url.replace('v2.0', '')

    # NOTE(review): the admin token (and, below, the LDAP password) are put
    # into the context in clear text and rendered into a config file whose
    # mode is set elsewhere — confirm that file is not world-readable.
    ctxt = {
        'token': set_admin_token(config('admin-token')),
        'api_version': get_api_version(),
        'admin_role': config('admin-role'),
    }
    if ctxt['api_version'] > 2:
        # Leader-published ids so every unit renders the same values.
        ctxt['service_tenant_id'] = leader_get(attribute='service_tenant_id')
        ctxt['admin_domain_name'] = ADMIN_DOMAIN
        ctxt['admin_domain_id'] = leader_get(attribute='admin_domain_id')
        ctxt['default_domain_id'] = leader_get(attribute='default_domain_id')

    ctxt['admin_port'] = _port('keystone-admin')
    ctxt['public_port'] = _port('keystone-public')

    for key, option in (('debug', 'debug'),
                        ('verbose', 'verbose'),
                        ('token_expiration', 'token-expiration'),
                        ('identity_backend', 'identity-backend'),
                        ('assignment_backend', 'assignment-backend')):
        ctxt[key] = config(option)

    if ctxt['identity_backend'] == 'ldap':
        for key, option in (('ldap_server', 'ldap-server'),
                            ('ldap_user', 'ldap-user'),
                            ('ldap_password', 'ldap-password'),
                            ('ldap_suffix', 'ldap-suffix'),
                            ('ldap_readonly', 'ldap-readonly')):
            ctxt[key] = config(option)
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    pki_enabled = bool(enable_pki) and bool_from_string(enable_pki)
    if pki_enabled:
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        # NOTE(jamespage): Only check PKI configuration if the PKI
        #                  token format is in use, which has been
        #                  removed as of OpenStack Ocata.
        ensure_pki_cert_paths()
        certs = os.path.join(PKI_CERTS_DIR, 'certs')
        privates = os.path.join(PKI_CERTS_DIR, 'privates')
        ctxt['enable_signing'] = True
        # NOTE(review): ca_key.pem is located under the certs directory, not
        # privates; confirm the permissions applied elsewhere keep the CA
        # private key readable only by the keystone user.
        ctxt['certfile'] = os.path.join(certs, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs, 'ca_key.pem')
    else:
        ctxt['enable_signing'] = False

    # Base endpoint URLs used in keystone responses to unauthenticated
    # requests to redirect clients to the correct auth URL.
    ctxt['public_endpoint'] = _base_url(PUBLIC, 'keystone-public')
    ctxt['admin_endpoint'] = _base_url(ADMIN, 'keystone-admin')

    if snap_install_requested():
        domain_dir, log_conf, paste_conf = (
            '/var/snap/keystone/common/etc/keystone/domains',
            '/var/snap/keystone/common/etc/keystone/logging.conf',
            '/var/snap/keystone/common/etc/keystone/keystone-paste.ini',
        )
    else:
        domain_dir, log_conf, paste_conf = (
            '/etc/keystone/domains',
            '/etc/keystone/logging.conf',
            '/etc/keystone/keystone-paste.ini',
        )
    ctxt['domain_config_dir'] = domain_dir
    ctxt['log_config'] = log_conf
    ctxt['paste_config_file'] = paste_conf
    return ctxt