def configure_ca(self): from keystone_utils import ( SSH_USER, get_ca, ensure_permissions, is_ssl_cert_master, ) if not is_cert_provided_in_config() and not is_ssl_cert_master(): log( "Not ssl-cert-master - skipping apache ca config until " "master is elected", level=INFO) return ca_cert = config('ssl_ca') if ca_cert is None: ca = get_ca(user=SSH_USER) ca_cert = ca.get_ca_bundle() else: ca_cert = b64decode(ca_cert) # Ensure accessible by keystone ssh user and group (unison) install_ca_cert(ca_cert) ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone', perms=0o0644)
def initialise_pki(): """Create certs and keys required for token signing. Used for PKI and signing token revocation list. NOTE: keystone.conf [signing] section must be up-to-date prior to executing this. """ if CompareOpenStackReleases(os_release('keystone-common')) >= 'pike': # pike dropped support for PKI token; skip function return ensure_pki_cert_paths() if not peer_units() or is_ssl_cert_master(): log("Ensuring PKI token certs created", level=DEBUG) if snap_install_requested(): cmd = ['/snap/bin/keystone-manage', 'pki_setup', '--keystone-user', KEYSTONE_USER, '--keystone-group', KEYSTONE_USER] _log_dir = '/var/snap/keystone/common/log' else: cmd = ['keystone-manage', 'pki_setup', '--keystone-user', KEYSTONE_USER, '--keystone-group', KEYSTONE_USER] _log_dir = '/var/log/keystone' check_call(cmd) # Ensure logfile has keystone perms since we may have just created it # with root. ensure_permissions(_log_dir, user=KEYSTONE_USER, group=KEYSTONE_USER, perms=0o744) ensure_permissions('{}/keystone.log'.format(_log_dir), user=KEYSTONE_USER, group=KEYSTONE_USER, perms=0o644) ensure_pki_dir_permissions()
def initialise_pki(): """Create certs and keys required for token signing. Used for PKI and signing token revocation list. NOTE: keystone.conf [signing] section must be up-to-date prior to executing this. """ ensure_pki_cert_paths() if not peer_units() or is_ssl_cert_master(): log("Ensuring PKI token certs created", level=DEBUG) cmd = [ 'keystone-manage', 'pki_setup', '--keystone-user', 'keystone', '--keystone-group', 'keystone' ] check_call(cmd) # Ensure logfile has keystone perms since we may have just created it # with root. ensure_permissions('/var/log/keystone', user='******', group='keystone', perms=0o744) ensure_permissions('/var/log/keystone/keystone.log', user='******', group='keystone', perms=0o644) ensure_pki_dir_permissions()
def cluster_changed(): unison.ssh_authorized_peers(user=SSH_USER, group="juju_keystone", peer_interface="cluster", ensure_local_user=True) # NOTE(jamespage) re-echo passwords for peer storage echo_whitelist = ["_passwd", "identity-service:", "ssl-cert-master", "db-initialised", "ssl-cert-available-updates"] log("Peer echo whitelist: %s" % (echo_whitelist), level=DEBUG) peer_echo(includes=echo_whitelist, force=True) check_peer_actions() initialise_pki() # Figure out if we need to mandate a sync units = get_ssl_sync_request_units() synced_units = relation_get(attribute="ssl-synced-units", unit=local_unit()) diff = None if synced_units: synced_units = json.loads(synced_units) diff = set(units).symmetric_difference(set(synced_units)) if units and (not synced_units or diff): log("New peers joined and need syncing - %s" % (", ".join(units)), level=DEBUG) update_all_identity_relation_units_force_sync() else: update_all_identity_relation_units() if not is_elected_leader(CLUSTER_RES) and is_ssl_cert_master(): # Force and sync and trigger a sync master re-election since we are not # leader anymore. force_ssl_sync() else: CONFIGS.write_all()
def ha_changed(): CONFIGS.write_all() clustered = relation_get('clustered') if clustered: log('Cluster configured, notifying other services and updating ' 'keystone endpoint configuration') if is_ssl_cert_master(): update_all_identity_relation_units_force_sync() else: update_all_identity_relation_units()
def configure_cert(self, cn): from keystone_utils import ( SSH_USER, get_ca, ensure_permissions, is_ssl_cert_master, KEYSTONE_USER, ) # Ensure ssl dir exists whether master or not perms = 0o775 mkdir(path=self.ssl_dir, owner=SSH_USER, group=KEYSTONE_USER, perms=perms) # Ensure accessible by keystone ssh user and group (for sync) ensure_permissions(self.ssl_dir, user=SSH_USER, group=KEYSTONE_USER, perms=perms) if not is_cert_provided_in_config() and not is_ssl_cert_master(): log( "Not ssl-cert-master - skipping apache cert config until " "master is elected", level=INFO) return log("Creating apache ssl certs in %s" % (self.ssl_dir), level=INFO) cert = config('ssl_cert') key = config('ssl_key') if not (cert and key): ca = get_ca(user=SSH_USER) cert, key = ca.get_cert_and_key(common_name=cn) else: cert = b64decode(cert) key = b64decode(key) write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)), content=cert, owner=SSH_USER, group=KEYSTONE_USER, perms=0o640) write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)), content=key, owner=SSH_USER, group=KEYSTONE_USER, perms=0o640)
def cluster_changed(): unison.ssh_authorized_peers(user=SSH_USER, group=SSH_USER, peer_interface='cluster', ensure_local_user=True) # NOTE(jamespage) re-echo passwords for peer storage echo_whitelist = [ '_passwd', 'identity-service:', 'db-initialised', 'ssl-cert-available-updates' ] # Don't echo if leader since a re-election may be in progress. if not is_leader(): echo_whitelist.append('ssl-cert-master') log("Peer echo whitelist: %s" % (echo_whitelist), level=DEBUG) peer_echo(includes=echo_whitelist, force=True) check_peer_actions() initialise_pki() if is_leader(): # Figure out if we need to mandate a sync units = get_ssl_sync_request_units() synced_units = relation_get_and_migrate(attribute='ssl-synced-units', unit=local_unit()) diff = None if synced_units: synced_units = json.loads(synced_units) diff = set(units).symmetric_difference(set(synced_units)) else: units = None if units and (not synced_units or diff): log("New peers joined and need syncing - %s" % (', '.join(units)), level=DEBUG) update_all_identity_relation_units_force_sync() else: update_all_identity_relation_units() if not is_leader() and is_ssl_cert_master(): # Force and sync and trigger a sync master re-election since we are not # leader anymore. force_ssl_sync() else: CONFIGS.write_all()
def initialise_pki(): """Create certs and keys required for PKI token signing. NOTE: keystone.conf [signing] section must be up-to-date prior to executing this. """ if not peer_units() or is_ssl_cert_master(): log("Ensuring PKI token certs created", level=DEBUG) cmd = ['keystone-manage', 'pki_setup', '--keystone-user', 'keystone', '--keystone-group', 'keystone'] check_call(cmd) # Ensure logfile has keystone perms since we may have just created it # with root. ensure_permissions('/var/log/keystone', user='******', group='keystone', perms=0o744) ensure_permissions('/var/log/keystone/keystone.log', user='******', group='keystone', perms=0o644) ensure_pki_dir_permissions()
def initialise_pki(): """Create certs and keys required for token signing. Used for PKI and signing token revocation list. NOTE: keystone.conf [signing] section must be up-to-date prior to executing this. """ ensure_pki_cert_paths() if not peer_units() or is_ssl_cert_master(): log("Ensuring PKI token certs created", level=DEBUG) cmd = ["keystone-manage", "pki_setup", "--keystone-user", "keystone", "--keystone-group", "keystone"] check_call(cmd) # Ensure logfile has keystone perms since we may have just created it # with root. ensure_permissions("/var/log/keystone", user="******", group="keystone", perms=0o744) ensure_permissions("/var/log/keystone/keystone.log", user="******", group="keystone", perms=0o644) ensure_pki_dir_permissions()
def configure_cert(self, cn): from keystone_utils import ( SSH_USER, get_ca, ensure_permissions, is_ssl_cert_master, ) # Ensure ssl dir exists whether master or not ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace) perms = 0o755 mkdir(path=ssl_dir, owner=SSH_USER, group='keystone', perms=perms) # Ensure accessible by keystone ssh user and group (for sync) ensure_permissions(ssl_dir, user=SSH_USER, group='keystone', perms=perms) if not is_cert_provided_in_config() and not is_ssl_cert_master(): log("Not ssl-cert-master - skipping apache cert config until " "master is elected", level=INFO) return log("Creating apache ssl certs in %s" % (ssl_dir), level=INFO) cert = config('ssl_cert') key = config('ssl_key') if not (cert and key): ca = get_ca(user=SSH_USER) cert, key = ca.get_cert_and_key(common_name=cn) else: cert = b64decode(cert) key = b64decode(key) write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)), content=cert, owner=SSH_USER, group='keystone', perms=0o644) write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)), content=key, owner=SSH_USER, group='keystone', perms=0o644)
def configure_ca(self): from keystone_utils import ( SSH_USER, get_ca, ensure_permissions, is_ssl_cert_master, KEYSTONE_USER, ) if not is_cert_provided_in_config() and not is_ssl_cert_master(): log( "Not ssl-cert-master - skipping apache ca config until " "master is elected", level=INFO) return cert = config('ssl_cert') key = config('ssl_key') ca_cert = config('ssl_ca') if ca_cert: ca_cert = b64decode(ca_cert) elif not (cert and key): # NOTE(hopem): if a cert and key are provided as config we don't # mandate that a CA is also provided since it isn't necessarily # needed. As a result we only generate a custom CA if we are also # generating cert and key. ca = get_ca(user=SSH_USER) ca_cert = ca.get_ca_bundle() if ca_cert: # Ensure accessible by keystone ssh user and group (unison) install_ca_cert(ca_cert) ensure_permissions(CA_CERT_PATH, user=SSH_USER, group=KEYSTONE_USER, perms=0o0644)
def configure_ca(self): from keystone_utils import ( SSH_USER, get_ca, ensure_permissions, is_ssl_cert_master, ) if not is_cert_provided_in_config() and not is_ssl_cert_master(): log("Not ssl-cert-master - skipping apache ca config until " "master is elected", level=INFO) return ca_cert = config('ssl_ca') if ca_cert is None: ca = get_ca(user=SSH_USER) ca_cert = ca.get_ca_bundle() else: ca_cert = b64decode(ca_cert) # Ensure accessible by keystone ssh user and group (unison) install_ca_cert(ca_cert) ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone', perms=0o0644)