def domain_backend_changed(relation_id=None, unit=None):
if get_api_version() < 3:
log('Domain specific backend identity configuration only supported '
'with Keystone v3 API, skipping domain creation and '
'restart.')
return
domain_name = relation_get(attribute='domain-name',
unit=unit,
rid=relation_id)
if domain_name:
# NOTE(jamespage): Only create domain data from lead
# unit when clustered and database
# is configured and created.
if is_leader() and is_db_ready() and is_db_initialised():
create_or_show_domain(domain_name)
# NOTE(jamespage): Deployment may have multiple domains,
# with different identity backends so
# ensure that a domain specific nonce
# is checked for restarts of keystone
restart_nonce = relation_get(attribute='restart-nonce',
unit=unit,
rid=relation_id)
domain_nonce_key = 'domain-restart-nonce-{}'.format(domain_name)
db = unitdata.kv()
if restart_nonce != db.get(domain_nonce_key):
restart_keystone()
db.set(domain_nonce_key, restart_nonce)
db.flush()
def keystone_fid_service_provider_changed():
if get_api_version() < 3:
log('Identity federation is only supported with keystone v3')
return
if CompareOpenStackReleases(os_release('keystone')) < 'ocata':
log('Ignoring keystone-fid-service-provider relation as it is'
' not supported on releases older than Ocata')
return
# for the join case a keystone public-facing hostname and service
# port need to be set
update_keystone_fid_service_provider(relation_id=relation_id())
# handle relation data updates (if any), e.g. remote_id_attribute
# and a restart will be handled via a nonce, not restart_on_change
CONFIGS.write(KEYSTONE_CONF)
# The relation is container-scoped so this keystone unit's unitdata
# will only contain a nonce of a single fid subordinate for a given
# fid backend (relation id)
restart_nonce = relation_get('restart-nonce')
if restart_nonce:
nonce = json.loads(restart_nonce)
# multiplex by relation id for multiple federated identity
# provider charms
fid_nonce_key = 'fid-restart-nonce-{}'.format(relation_id())
db = unitdata.kv()
if restart_nonce != db.get(fid_nonce_key):
restart_keystone()
db.set(fid_nonce_key, nonce)
db.flush()
def domain_backend_changed(relation_id=None, unit=None):
if get_api_version() < 3:
log('Domain specific backend identity configuration only supported '
'with Keystone v3 API, skipping domain creation and '
'restart.')
return
domain_name = relation_get(attribute='domain-name',
unit=unit,
rid=relation_id)
if domain_name:
# NOTE(jamespage): Only create domain data from lead
# unit when clustered and database
# is configured and created.
if is_leader() and is_db_ready() and is_db_initialised():
create_or_show_domain(domain_name)
# NOTE(jamespage): Deployment may have multiple domains,
# with different identity backends so
# ensure that a domain specific nonce
# is checked for restarts of keystone
restart_nonce = relation_get(attribute='restart-nonce',
unit=unit,
rid=relation_id)
domain_nonce_key = 'domain-restart-nonce-{}'.format(domain_name)
db = unitdata.kv()
if restart_nonce != db.get(domain_nonce_key):
if not is_unit_paused_set():
service_restart(keystone_service())
db.set(domain_nonce_key, restart_nonce)
db.flush()
def keystone_fid_service_provider_changed():
if get_api_version() < 3:
log('Identity federation is only supported with keystone v3')
return
if CompareOpenStackReleases(os_release('keystone')) < 'ocata':
log('Ignoring keystone-fid-service-provider relation as it is'
' not supported on releases older than Ocata')
return
# for the join case a keystone public-facing hostname and service
# port need to be set
update_keystone_fid_service_provider(relation_id=relation_id())
# handle relation data updates (if any), e.g. remote_id_attribute
# and a restart will be handled via a nonce, not restart_on_change
CONFIGS.write(KEYSTONE_CONF)
# The relation is container-scoped so this keystone unit's unitdata
# will only contain a nonce of a single fid subordinate for a given
# fid backend (relation id)
restart_nonce = relation_get('restart-nonce')
if restart_nonce:
nonce = json.loads(restart_nonce)
# multiplex by relation id for multiple federated identity
# provider charms
fid_nonce_key = 'fid-restart-nonce-{}'.format(relation_id())
db = unitdata.kv()
if restart_nonce != db.get(fid_nonce_key):
restart_keystone()
db.set(fid_nonce_key, nonce)
db.flush()
def websso_trusted_dashboard_changed():
if get_api_version() < 3:
log('WebSSO is only supported with keystone v3')
return
if CompareOpenStackReleases(os_release('keystone')) < 'ocata':
log('Ignoring WebSSO relation as it is not supported on'
' releases older than Ocata')
return
CONFIGS.write(KEYSTONE_CONF)
def websso_trusted_dashboard_changed():
if get_api_version() < 3:
log('WebSSO is only supported with keystone v3')
return
if CompareOpenStackReleases(os_release('keystone')) < 'ocata':
log('Ignoring WebSSO relation as it is not supported on'
' releases older than Ocata')
return
CONFIGS.write(KEYSTONE_CONF)
def admin_relation_changed(relation_id=None):
# TODO: fixup
if expect_ha() and not is_clustered():
log("Expected to be HA but no hacluster relation yet", level=INFO)
return
relation_data = {
'service_hostname': resolve_address(ADMIN),
'service_port': config('service-port'),
'service_username': config('admin-user'),
'service_tenant_name': config('admin-role'),
'service_region': config('region'),
'service_protocol': 'https' if https() else 'http',
'api_version': get_api_version(),
}
if relation_data['api_version'] > 2:
relation_data['service_user_domain_name'] = ADMIN_DOMAIN
relation_data['service_project_domain_name'] = ADMIN_DOMAIN
relation_data['service_project_name'] = ADMIN_PROJECT
relation_data['service_password'] = get_admin_passwd()
relation_set(relation_id=relation_id, **relation_data)
def admin_relation_changed(relation_id=None):
# TODO: fixup
if expect_ha() and not is_clustered():
log("Expected to be HA but no hacluster relation yet", level=INFO)
return
relation_data = {
'service_hostname': resolve_address(ADMIN),
'service_port': config('service-port'),
'service_username': config('admin-user'),
'service_tenant_name': config('admin-role'),
'service_region': config('region'),
'service_protocol': 'https' if https() else 'http',
'api_version': get_api_version(),
}
if relation_data['api_version'] > 2:
relation_data['service_user_domain_name'] = ADMIN_DOMAIN
relation_data['service_project_domain_name'] = ADMIN_DOMAIN
relation_data['service_project_name'] = ADMIN_PROJECT
relation_data['service_password'] = get_admin_passwd()
relation_set(relation_id=relation_id, **relation_data)
def __call__(self):
from keystone_utils import (
api_port,
endpoint_url,
resolve_address,
PUBLIC,
ADMIN,
ADMIN_DOMAIN,
snap_install_requested,
get_api_version,
)
ctxt = {}
ctxt['api_version'] = get_api_version()
ctxt['admin_role'] = config('admin-role')
if ctxt['api_version'] > 2:
ctxt['service_tenant_id'] = \
leader_get(attribute='service_tenant_id')
ctxt['admin_domain_name'] = ADMIN_DOMAIN
ctxt['admin_domain_id'] = \
leader_get(attribute='admin_domain_id')
ctxt['default_domain_id'] = \
leader_get(attribute='default_domain_id')
# This is required prior to system-scope being implemented (Queens)
ctxt['transitional_charm_user_id'] = leader_get(
attribute='transitional_charm_user_id')
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
singlenode_mode=True)
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
singlenode_mode=True)
ctxt['debug'] = config('debug')
ctxt['verbose'] = config('verbose')
ctxt['token_expiration'] = config('token-expiration')
ctxt['identity_backend'] = config('identity-backend')
ctxt['assignment_backend'] = config('assignment-backend')
ctxt['token_provider'] = config('token-provider')
ctxt['fernet_max_active_keys'] = config('fernet-max-active-keys')
if config('identity-backend') == 'ldap':
ctxt['ldap_server'] = config('ldap-server')
ctxt['ldap_user'] = config('ldap-user')
ctxt['ldap_password'] = config('ldap-password')
ctxt['ldap_suffix'] = config('ldap-suffix')
ctxt['ldap_readonly'] = config('ldap-readonly')
ldap_flags = config('ldap-config-flags')
if ldap_flags:
flags = context.config_flags_parser(ldap_flags)
ctxt['ldap_config_flags'] = flags
# Only try to decode it if there is something actually set - this
# siliences a NoneType warning in the logs if it isn't set
password_security_compliance = config('password-security-compliance')
if password_security_compliance:
ctxt['password_security_compliance'] = (
self._decode_password_security_compliance_string(
password_security_compliance))
# Base endpoint URL's which are used in keystone responses
# to unauthenticated requests to redirect clients to the
# correct auth URL.
ctxt['public_endpoint'] = endpoint_url(
resolve_address(PUBLIC),
api_port('keystone-public')).replace('v2.0', '')
ctxt['admin_endpoint'] = endpoint_url(
resolve_address(ADMIN),
api_port('keystone-admin')).replace('v2.0', '')
if snap_install_requested():
ctxt['domain_config_dir'] = (
'/var/snap/keystone/common/etc/keystone/domains')
ctxt['log_config'] = (
'/var/snap/keystone/common/etc/keystone/logging.conf')
ctxt['paste_config_file'] = (
'/var/snap/keystone/common/etc/keystone/keystone-paste.ini')
else:
ctxt['domain_config_dir'] = '/etc/keystone/domains'
ctxt['log_config'] = ('/etc/keystone/logging.conf')
ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
return ctxt
def __call__(self):
from keystone_utils import (
api_port,
set_admin_token,
endpoint_url,
resolve_address,
PUBLIC,
ADMIN,
PKI_CERTS_DIR,
ensure_pki_cert_paths,
ADMIN_DOMAIN,
snap_install_requested,
get_api_version,
)
ctxt = {}
ctxt['token'] = set_admin_token(config('admin-token'))
ctxt['api_version'] = get_api_version()
ctxt['admin_role'] = config('admin-role')
if ctxt['api_version'] > 2:
ctxt['service_tenant_id'] = \
leader_get(attribute='service_tenant_id')
ctxt['admin_domain_name'] = ADMIN_DOMAIN
ctxt['admin_domain_id'] = \
leader_get(attribute='admin_domain_id')
ctxt['default_domain_id'] = \
leader_get(attribute='default_domain_id')
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
singlenode_mode=True)
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
singlenode_mode=True)
ctxt['debug'] = config('debug')
ctxt['verbose'] = config('verbose')
ctxt['token_expiration'] = config('token-expiration')
ctxt['identity_backend'] = config('identity-backend')
ctxt['assignment_backend'] = config('assignment-backend')
if config('identity-backend') == 'ldap':
ctxt['ldap_server'] = config('ldap-server')
ctxt['ldap_user'] = config('ldap-user')
ctxt['ldap_password'] = config('ldap-password')
ctxt['ldap_suffix'] = config('ldap-suffix')
ctxt['ldap_readonly'] = config('ldap-readonly')
ldap_flags = config('ldap-config-flags')
if ldap_flags:
flags = context.config_flags_parser(ldap_flags)
ctxt['ldap_config_flags'] = flags
enable_pki = config('enable-pki')
if enable_pki and bool_from_string(enable_pki):
log("Enabling PKI", level=DEBUG)
ctxt['token_provider'] = 'pki'
# NOTE(jamespage): Only check PKI configuration if the PKI
# token format is in use, which has been
# removed as of OpenStack Ocata.
ensure_pki_cert_paths()
certs = os.path.join(PKI_CERTS_DIR, 'certs')
privates = os.path.join(PKI_CERTS_DIR, 'privates')
ctxt['enable_signing'] = True
ctxt.update({
'certfile': os.path.join(certs, 'signing_cert.pem'),
'keyfile': os.path.join(privates, 'signing_key.pem'),
'ca_certs': os.path.join(certs, 'ca.pem'),
'ca_key': os.path.join(certs, 'ca_key.pem')
})
else:
ctxt['enable_signing'] = False
# Base endpoint URL's which are used in keystone responses
# to unauthenticated requests to redirect clients to the
# correct auth URL.
ctxt['public_endpoint'] = endpoint_url(
resolve_address(PUBLIC),
api_port('keystone-public')).replace('v2.0', '')
ctxt['admin_endpoint'] = endpoint_url(
resolve_address(ADMIN),
api_port('keystone-admin')).replace('v2.0', '')
if snap_install_requested():
ctxt['domain_config_dir'] = (
'/var/snap/keystone/common/etc/keystone/domains')
ctxt['log_config'] = (
'/var/snap/keystone/common/etc/keystone/logging.conf')
ctxt['paste_config_file'] = (
'/var/snap/keystone/common/etc/keystone/keystone-paste.ini')
else:
ctxt['domain_config_dir'] = '/etc/keystone/domains'
ctxt['log_config'] = ('/etc/keystone/logging.conf')
ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
return ctxt
def __call__(self):
from keystone_utils import (
api_port,
set_admin_token,
endpoint_url,
resolve_address,
PUBLIC,
ADMIN,
ADMIN_DOMAIN,
snap_install_requested,
get_api_version,
)
ctxt = {}
ctxt['token'] = set_admin_token(config('admin-token'))
ctxt['api_version'] = get_api_version()
ctxt['admin_role'] = config('admin-role')
if ctxt['api_version'] > 2:
ctxt['service_tenant_id'] = \
leader_get(attribute='service_tenant_id')
ctxt['admin_domain_name'] = ADMIN_DOMAIN
ctxt['admin_domain_id'] = \
leader_get(attribute='admin_domain_id')
ctxt['default_domain_id'] = \
leader_get(attribute='default_domain_id')
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
singlenode_mode=True)
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
singlenode_mode=True)
ctxt['debug'] = config('debug')
ctxt['verbose'] = config('verbose')
ctxt['token_expiration'] = config('token-expiration')
ctxt['identity_backend'] = config('identity-backend')
ctxt['assignment_backend'] = config('assignment-backend')
ctxt['token_provider'] = config('token-provider')
ctxt['fernet_max_active_keys'] = config('fernet-max-active-keys')
if config('identity-backend') == 'ldap':
ctxt['ldap_server'] = config('ldap-server')
ctxt['ldap_user'] = config('ldap-user')
ctxt['ldap_password'] = config('ldap-password')
ctxt['ldap_suffix'] = config('ldap-suffix')
ctxt['ldap_readonly'] = config('ldap-readonly')
ldap_flags = config('ldap-config-flags')
if ldap_flags:
flags = context.config_flags_parser(ldap_flags)
ctxt['ldap_config_flags'] = flags
# Base endpoint URL's which are used in keystone responses
# to unauthenticated requests to redirect clients to the
# correct auth URL.
ctxt['public_endpoint'] = endpoint_url(
resolve_address(PUBLIC),
api_port('keystone-public')).replace('v2.0', '')
ctxt['admin_endpoint'] = endpoint_url(
resolve_address(ADMIN),
api_port('keystone-admin')).replace('v2.0', '')
if snap_install_requested():
ctxt['domain_config_dir'] = (
'/var/snap/keystone/common/etc/keystone/domains')
ctxt['log_config'] = (
'/var/snap/keystone/common/etc/keystone/logging.conf')
ctxt['paste_config_file'] = (
'/var/snap/keystone/common/etc/keystone/keystone-paste.ini')
else:
ctxt['domain_config_dir'] = '/etc/keystone/domains'
ctxt['log_config'] = ('/etc/keystone/logging.conf')
ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
return ctxt
def __call__(self):
from keystone_utils import (
api_port, set_admin_token, endpoint_url, resolve_address,
PUBLIC, ADMIN, ADMIN_DOMAIN,
snap_install_requested, get_api_version,
)
ctxt = {}
ctxt['token'] = set_admin_token(config('admin-token'))
ctxt['api_version'] = get_api_version()
ctxt['admin_role'] = config('admin-role')
if ctxt['api_version'] > 2:
ctxt['service_tenant_id'] = \
leader_get(attribute='service_tenant_id')
ctxt['admin_domain_name'] = ADMIN_DOMAIN
ctxt['admin_domain_id'] = \
leader_get(attribute='admin_domain_id')
ctxt['default_domain_id'] = \
leader_get(attribute='default_domain_id')
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
singlenode_mode=True)
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
singlenode_mode=True)
ctxt['debug'] = config('debug')
ctxt['verbose'] = config('verbose')
ctxt['token_expiration'] = config('token-expiration')
ctxt['identity_backend'] = config('identity-backend')
ctxt['assignment_backend'] = config('assignment-backend')
ctxt['token_provider'] = config('token-provider')
ctxt['fernet_max_active_keys'] = config('fernet-max-active-keys')
if config('identity-backend') == 'ldap':
ctxt['ldap_server'] = config('ldap-server')
ctxt['ldap_user'] = config('ldap-user')
ctxt['ldap_password'] = config('ldap-password')
ctxt['ldap_suffix'] = config('ldap-suffix')
ctxt['ldap_readonly'] = config('ldap-readonly')
ldap_flags = config('ldap-config-flags')
if ldap_flags:
flags = context.config_flags_parser(ldap_flags)
ctxt['ldap_config_flags'] = flags
# Base endpoint URL's which are used in keystone responses
# to unauthenticated requests to redirect clients to the
# correct auth URL.
ctxt['public_endpoint'] = endpoint_url(
resolve_address(PUBLIC),
api_port('keystone-public')).replace('v2.0', '')
ctxt['admin_endpoint'] = endpoint_url(
resolve_address(ADMIN),
api_port('keystone-admin')).replace('v2.0', '')
if snap_install_requested():
ctxt['domain_config_dir'] = (
'/var/snap/keystone/common/etc/keystone/domains')
ctxt['log_config'] = (
'/var/snap/keystone/common/etc/keystone/logging.conf')
ctxt['paste_config_file'] = (
'/var/snap/keystone/common/etc/keystone/keystone-paste.ini')
else:
ctxt['domain_config_dir'] = '/etc/keystone/domains'
ctxt['log_config'] = ('/etc/keystone/logging.conf')
ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'
return ctxt
