- # -*- coding: utf-8 -*-
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- # implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- """
- Installs and configures Keystone
- """
- import uuid
- from packstack.installer import basedefs
- from packstack.installer import validators
- from packstack.installer import processors
- from packstack.installer import utils
- from packstack.modules.documentation import update_params_usage
# ------------- Keystone Packstack Plugin Initialization --------------

# Plugin identifier, plus the same text passed through utils.color_text()
# with the colour name 'blue'.
PLUGIN_NAME = "OS-Keystone"
PLUGIN_NAME_COLORED = utils.color_text(PLUGIN_NAME, "blue")
def initConfig(controller):
    """Declare the Keystone option groups and register them on *controller*.

    Two groups are built: "KEYSTONE" (its pre-condition lambda always
    returns the matching value "yes") and "KEYSTONE_LDAP" (pre-condition is
    CONFIG_KEYSTONE_IDENTITY_BACKEND matching "ldap").  The parameter table
    is passed to update_params_usage() and every group is then handed to
    controller.addGroup() together with its parameter list.
    """

    def option(cmd_option, prompt, conf_name, default, choices=(),
               checks=None, transforms=None, masked=False,
               use_default=False, confirm=False):
        # Build one parameter description.  VALIDATORS / PROCESSORS are
        # only present when the caller passes them, so an entry that
        # declares neither carries neither key.
        entry = {
            "CMD_OPTION": cmd_option,
            "PROMPT": prompt,
            "OPTION_LIST": list(choices),
            "DEFAULT_VALUE": default,
            "MASK_INPUT": masked,
            "LOOSE_VALIDATION": False,
            "CONF_NAME": conf_name,
            "USE_DEFAULT": use_default,
            "NEED_CONFIRM": confirm,
            "CONDITION": False,
        }
        if checks is not None:
            entry["VALIDATORS"] = checks
        if transforms is not None:
            entry["PROCESSORS"] = transforms
        return entry

    def ldap_flag(cmd_option, prompt, conf_name):
        # n/y switch of the LDAP group; every one of them defaults to 'n'.
        return option(cmd_option, prompt, conf_name, 'n',
                      choices=('n', 'y'),
                      checks=[validators.validate_options])

    not_empty = validators.validate_not_empty
    one_of = validators.validate_options
    ldap_dn = validators.validate_ldap_dn
    integer = validators.validate_integer
    password = processors.process_password

    # base keystone options
    base_options = [
        # "PW_PLACEHOLDER" is presumably swapped for a real secret by
        # processors.process_password -- TODO confirm in that module.
        option("keystone-db-passwd",
               "Enter the password for the Keystone DB access",
               "CONFIG_KEYSTONE_DB_PW", "PW_PLACEHOLDER",
               checks=[not_empty], transforms=[password],
               masked=True, confirm=True),
        option('keystone-db-purge-enable',
               "Enter y if cron job for removing soft deleted DB rows "
               "should be created",
               'CONFIG_KEYSTONE_DB_PURGE_ENABLE', 'y',
               choices=('y', 'n'), checks=[not_empty],
               transforms=[processors.process_bool], confirm=True),
        option("keystone-region", "Region name",
               "CONFIG_KEYSTONE_REGION", "RegionOne",
               checks=[not_empty]),
        # NOTE(review): the default admin token is a fresh uuid4 hex string
        # generated on each call.  CPython's uuid4() draws from the OS
        # random source; the `secrets` module is the documented tool for
        # bearer tokens where the supported Python versions allow it.
        option("keystone-admin-token",
               "The token to use for the Keystone service api",
               "CONFIG_KEYSTONE_ADMIN_TOKEN", uuid.uuid4().hex,
               checks=[not_empty], masked=True, use_default=True),
        option("keystone-admin-email",
               "Enter the email address for the Keystone admin user",
               "CONFIG_KEYSTONE_ADMIN_EMAIL", "root@localhost",
               checks=[not_empty]),
        option("keystone-admin-username",
               "Enter the username for the Keystone admin user",
               "CONFIG_KEYSTONE_ADMIN_USERNAME", "admin",
               checks=[not_empty]),
        option("keystone-admin-passwd",
               "Enter the password for the Keystone admin user",
               "CONFIG_KEYSTONE_ADMIN_PW", "PW_PLACEHOLDER",
               checks=[not_empty], transforms=[password],
               masked=True, confirm=True),
        option("keystone-demo-passwd",
               "Enter the password for the Keystone demo user",
               "CONFIG_KEYSTONE_DEMO_PW", "PW_PLACEHOLDER",
               checks=[not_empty], transforms=[password],
               masked=True, confirm=True),
        option("keystone-api-version",
               "Enter the Keystone API version string.",
               'CONFIG_KEYSTONE_API_VERSION', 'v3',
               choices=('v2.0', 'v3'), checks=[one_of],
               use_default=True),
        option("keystone-token-format",
               "Enter the Keystone token format.",
               'CONFIG_KEYSTONE_TOKEN_FORMAT', 'FERNET',
               choices=('UUID', 'PKI', 'FERNET'), checks=[one_of]),
        option("keystone-identity-backend",
               "Enter the Keystone identity backend type.",
               'CONFIG_KEYSTONE_IDENTITY_BACKEND', "sql",
               choices=('sql', 'ldap'), checks=[one_of]),
    ]

    # keystone ldap identity backend options
    ldap_options = [
        # NOTE(review): the default URL uses the ldap:// scheme and
        # keystone-ldap-use-tls (further down) defaults to 'n'.  With both
        # defaults kept, the bind password configured below would travel
        # to the directory without transport protection; deployments
        # should turn TLS on.
        option("keystone-ldap-url",
               "Enter the Keystone LDAP backend URL.",
               'CONFIG_KEYSTONE_LDAP_URL',
               host_to_ldap_url(utils.get_localhost_ip()),
               checks=[validators.validate_ldap_url]),
        option("keystone-ldap-user-dn",
               "Enter the Keystone LDAP user DN.",
               'CONFIG_KEYSTONE_LDAP_USER_DN', "",
               checks=[ldap_dn]),
        # Masked on input; no validator, so an empty password is accepted.
        option("keystone-ldap-user-password",
               "Enter the Keystone LDAP user password.",
               'CONFIG_KEYSTONE_LDAP_USER_PASSWORD', "",
               checks=[], transforms=[password], masked=True),
        option("keystone-ldap-suffix",
               "Enter the Keystone LDAP suffix.",
               'CONFIG_KEYSTONE_LDAP_SUFFIX', "",
               checks=[not_empty, ldap_dn]),
        option("keystone-ldap-query-scope",
               "Enter the Keystone LDAP query scope.",
               'CONFIG_KEYSTONE_LDAP_QUERY_SCOPE', "one",
               choices=('base', 'one', 'sub'), checks=[one_of]),
        option("keystone-ldap-page-size",
               "Enter the Keystone LDAP query page size.",
               'CONFIG_KEYSTONE_LDAP_PAGE_SIZE', "-1",
               checks=[integer]),
        option("keystone-ldap-user-subtree",
               "Enter the Keystone LDAP user subtree.",
               'CONFIG_KEYSTONE_LDAP_USER_SUBTREE', "",
               checks=[not_empty, ldap_dn]),
        option("keystone-ldap-user-filter",
               "Enter the Keystone LDAP user query filter.",
               'CONFIG_KEYSTONE_LDAP_USER_FILTER', "",
               checks=[]),
        option("keystone-ldap-user-objectclass",
               "Enter the Keystone LDAP user objectclass.",
               'CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS', "",
               checks=[]),
        option("keystone-ldap-user-id-attribute",
               "Enter the Keystone LDAP user ID attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-user-name-attribute",
               "Enter the Keystone LDAP user name attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_NAME_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-user-mail-attribute",
               "Enter the Keystone LDAP user email address attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_MAIL_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-user-enabled-attribute",
               "Enter the Keystone LDAP user enabled attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-user-enabled-mask",
               "Enter the Keystone LDAP user enabled mask.",
               'CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK', "-1",
               checks=[integer]),
        option("keystone-ldap-user-enabled-default",
               "Enter the Keystone LDAP user enabled default.",
               'CONFIG_KEYSTONE_LDAP_USER_ENABLED_DEFAULT', "TRUE",
               checks=[]),
        ldap_flag("keystone-ldap-user-enabled-invert",
                  "Enter the Keystone LDAP user enabled invert (n or y).",
                  'CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT'),
        option("keystone-ldap-user-attribute-ignore",
               "Enter the comma separated Keystone LDAP user "
               "attributes to ignore.",
               'CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE', ""),
        option("keystone-ldap-user-default-project-id-attribute",
               "Enter the Keystone LDAP user default_project_id attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE',
               ""),
        ldap_flag("keystone-ldap-user-allow-create",
                  "Do you want to allow user create through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE'),
        ldap_flag("keystone-ldap-user-allow-update",
                  "Do you want to allow user update through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE'),
        ldap_flag("keystone-ldap-user-allow-delete",
                  "Do you want to allow user delete through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE'),
        option("keystone-ldap-user-pass-attribute",
               "Enter the Keystone LDAP user password attribute.",
               'CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE', ""),
        option("keystone-ldap-user-enabled-emulation-dn",
               "Enter the Keystone LDAP enabled emulation DN.",
               'CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', "",
               checks=[ldap_dn]),
        option("keystone-ldap-user-additional-attribute-mapping",
               "Enter the comma separated Keystone LDAP user additional "
               "attribute mappings in the form "
               "ldap_attr:user_attr[,ldap_attr:user_attr]....",
               'CONFIG_KEYSTONE_LDAP_USER_ADDITIONAL_ATTRIBUTE_MAPPING',
               ""),
        option("keystone-ldap-group-subtree",
               "Enter the Keystone LDAP group subtree.",
               'CONFIG_KEYSTONE_LDAP_GROUP_SUBTREE', "",
               checks=[not_empty, ldap_dn]),
        option("keystone-ldap-group-filter",
               "Enter the Keystone LDAP group query filter.",
               'CONFIG_KEYSTONE_LDAP_GROUP_FILTER', "",
               checks=[]),
        option("keystone-ldap-group-objectclass",
               "Enter the Keystone LDAP group objectclass.",
               'CONFIG_KEYSTONE_LDAP_GROUP_OBJECTCLASS', "",
               checks=[]),
        option("keystone-ldap-group-id-attribute",
               "Enter the Keystone LDAP group ID attribute.",
               'CONFIG_KEYSTONE_LDAP_GROUP_ID_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-group-name-attribute",
               "Enter the Keystone LDAP group name attribute.",
               'CONFIG_KEYSTONE_LDAP_GROUP_NAME_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-group-member-attribute",
               "Enter the Keystone LDAP group member attribute.",
               'CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-group-desc-attribute",
               "Enter the Keystone LDAP group description attribute.",
               'CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE', "",
               checks=[]),
        option("keystone-ldap-group-attribute-ignore",
               "Enter the comma separated Keystone LDAP group "
               "attributes to ignore.",
               'CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE', ""),
        ldap_flag("keystone-ldap-group-allow-create",
                  "Do you want to allow group create through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE'),
        ldap_flag("keystone-ldap-group-allow-update",
                  "Do you want to allow group update through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE'),
        ldap_flag("keystone-ldap-group-allow-delete",
                  "Do you want to allow group delete through Keystone "
                  "(n or y).",
                  'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE'),
        option("keystone-ldap-group-additional-attribute-mapping",
               "Enter the comma separated Keystone LDAP group additional "
               "attribute mappings in the form "
               "ldap_attr:group_attr[,ldap_attr:group_attr]....",
               'CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING',
               ""),
        # TLS towards the directory is opt-in: the default answer is 'n'.
        ldap_flag("keystone-ldap-use-tls",
                  "Enable TLS for Keystone communicating with "
                  "LDAP servers (n or y).",
                  'CONFIG_KEYSTONE_LDAP_USE_TLS'),
        option("keystone-ldap-tls-cacertdir",
               "CA Certificate directory for Keystone LDAP.",
               'CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR', ""),
        option("keystone-ldap-tls-cacertfile",
               "CA Certificate file for Keystone LDAP.",
               'CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE', ""),
        # NOTE(review): "demand" is the default.  In OpenLDAP terms
        # "never" and "allow" let a session continue when the server
        # certificate is missing or fails verification, so choosing
        # either weakens server authentication.
        option("keystone-ldap-tls-req-cert",
               "Keystone LDAP certificate checking strictness "
               "(never, allow, demand)",
               'CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT', "demand",
               choices=("never", "allow", "demand"), checks=[one_of]),
    ]

    keystone_params = {
        "KEYSTONE": base_options,
        "KEYSTONE_LDAP": ldap_options,
    }
    update_params_usage(basedefs.PACKSTACK_DOC, keystone_params)

    keystone_groups = [
        {"GROUP_NAME": "KEYSTONE",
         "DESCRIPTION": "Keystone Config parameters",
         "PRE_CONDITION": lambda x: 'yes',
         "PRE_CONDITION_MATCH": "yes",
         "POST_CONDITION": False,
         "POST_CONDITION_MATCH": True},
        {"GROUP_NAME": "KEYSTONE_LDAP",
         "DESCRIPTION": "Keystone LDAP Identity Backend Config parameters",
         "PRE_CONDITION": 'CONFIG_KEYSTONE_IDENTITY_BACKEND',
         "PRE_CONDITION_MATCH": "ldap",
         "POST_CONDITION": False,
         "POST_CONDITION_MATCH": True},
    ]
    for group in keystone_groups:
        controller.addGroup(group, keystone_params[group["GROUP_NAME"]])
def initSequences(controller):
    """Register the Keystone step sequence on *controller*.

    The sequence runs munge_ldap_config_params first and create_manifest
    second; both condition lists passed to addSequence() are empty.
    """
    titled_steps = (
        ('Fixing Keystone LDAP config parameters to be undef if empty',
         munge_ldap_config_params),
        ('Preparing Keystone entries', create_manifest),
    )
    keystonesteps = [
        {'title': title, 'functions': [step]}
        for title, step in titled_steps
    ]
    controller.addSequence("Installing OpenStack Keystone", [], [],
                           keystonesteps)
- # ------------------------- helper functions -------------------------
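def host_to_ldap_url(hostfqdn):
    """Converts a host fqdn (or IP address) into an appropriate default
    LDAP URL.

    An unbracketed IPv6 literal is wrapped in square brackets, because a
    URL host part may only carry an IPv6 address in that form; plain
    concatenation would yield a URL that cannot be parsed.  Host names,
    IPv4 addresses, "host:port" values and already bracketed literals are
    passed through unchanged.

    The result always uses the ldap:// scheme, i.e. plain LDAP; transport
    protection for the connection has to come from the separate
    keystone-ldap-use-tls option.
    """
    host = "%s" % hostfqdn
    # Two or more colons cannot be a name or a "host:port" pair, so the
    # value is treated as an IPv6 literal.
    if host.count(':') >= 2 and not host.startswith('['):
        host = "[%s]" % host
    return "ldap://%s" % host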
- # -------------------------- step functions --------------------------
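def munge_ldap_config_params(config, messages):
    """Normalise the CONFIG_KEYSTONE_LDAP_* entries of *config* in place.

    * CONFIG_KEYSTONE_LDAP_PAGE_SIZE and
      CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK become None when they hold
      the string '-1'.
    * The n/y switches listed in ``bool_keys`` become real booleans.
    * Every other LDAP entry that is an empty string becomes None.

    Keys without the CONFIG_KEYSTONE_LDAP_ prefix are not touched.
    *messages* is accepted for the step-function signature and not used.

    The conversion is idempotent: a switch that already holds a boolean
    keeps its value.  Previously a second pass mapped True to False, which
    for CONFIG_KEYSTONE_LDAP_USE_TLS meant TLS was silently switched off.
    """
    bool_keys = (
        'CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT',
        'CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE',
        'CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE',
        'CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE',
        'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE',
        'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE',
        'CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE',
        'CONFIG_KEYSTONE_LDAP_USE_TLS'
    )
    minus_one_means_unset = (
        'CONFIG_KEYSTONE_LDAP_PAGE_SIZE',
        'CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK'
    )

    def is_bool(keyname):
        return keyname in bool_keys

    def yn_to_bool(val):
        # Already converted (e.g. the step ran before): keep the value
        # instead of letting the lookup below fall back to False.
        if isinstance(val, bool):
            return val
        # Any string other than 'n'/'y' still maps to False, as before.
        # NOTE(review): for USE_TLS that fallback disables TLS; it relies
        # on validate_options having restricted the answer to n/y.
        return {'n': False, 'y': True}.get(val, False)

    # Only values are rewritten, never keys, so iterating the dict while
    # assigning into it is safe.
    for key in config:
        if not key.startswith('CONFIG_KEYSTONE_LDAP_'):
            continue
        if key in minus_one_means_unset:
            if config[key] == '-1':
                config[key] = None
        elif is_bool(key):
            config[key] = yn_to_bool(config[key])
        elif config[key] == '':
            config[key] = None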
def create_manifest(config, messages):
    """Derive the Keystone endpoint URLs and firewall rule and store them
    in *config*.

    Reads CONFIG_IP_VERSION, CONFIG_CONTROLLER_HOST and
    CONFIG_KEYSTONE_API_VERSION; writes CONFIG_KEYSTONE_HOST_URL,
    CONFIG_KEYSTONE_PUBLIC_URL, CONFIG_KEYSTONE_PUBLIC_URL_VERSIONLESS,
    CONFIG_KEYSTONE_ADMIN_URL and FIREWALL_KEYSTONE_RULES.  *messages* is
    not used.
    """
    use_ipv6 = config['CONFIG_IP_VERSION'] == 'ipv6'
    controller_host = config['CONFIG_CONTROLLER_HOST']
    # An IPv6 literal has to be bracketed before a port can be appended.
    host_url = "[%s]" % controller_host if use_ipv6 else controller_host
    config['CONFIG_KEYSTONE_HOST_URL'] = host_url

    # NOTE(review): every endpoint is built with the http scheme, so
    # passwords and tokens sent to these URLs are only protected if TLS
    # is added somewhere outside this function -- confirm for the target
    # deployment.
    config['CONFIG_KEYSTONE_PUBLIC_URL'] = "http://%s:5000/%s" % (
        host_url, config['CONFIG_KEYSTONE_API_VERSION'])
    config['CONFIG_KEYSTONE_PUBLIC_URL_VERSIONLESS'] = (
        "http://%s:5000/" % host_url)
    config['CONFIG_KEYSTONE_ADMIN_URL'] = "http://%s:35357" % host_url

    # NOTE(review): a single rule with host "ALL" covers both the public
    # port 5000 and the admin port 35357.  Presumably "ALL" means any
    # source address; verify against the firewall manifest and restrict
    # the admin port where the deployment allows it.
    config['FIREWALL_KEYSTONE_RULES'] = {
        "keystone": {
            'host': "ALL",
            'service_name': "keystone",
            'chain': "INPUT",
            'ports': ['5000', '35357'],
            'proto': "tcp",
        },
    }