Compare commits
26 Commits
149590eb35
...
merlin
| Author | SHA1 | Date | |
|---|---|---|---|
|
ce60b19fd2 | ||
|
|
e9e1778a30 | ||
|
|
b502fb98e7 | ||
|
|
3a1636bfee | ||
|
|
4426aed663 | ||
|
|
984c48d2e6 | ||
|
|
4b29b7b061 | ||
|
|
4e46364508 | ||
|
|
d0cac71af4 | ||
|
|
17ee2aa487 | ||
|
|
d161a24200 | ||
|
|
71d2bc13ea | ||
|
|
5ae8a4cf1a | ||
|
73e26ea716 | ||
|
|
820d2ecb4d | ||
|
|
f29afdb0b5 | ||
|
|
d98bcd7538 | ||
|
|
32ed45e6e5 | ||
|
|
167d755724 | ||
|
|
c6c947ce3c | ||
|
|
33d630685b | ||
|
|
005c0f0c6a | ||
|
|
2e372f3b78 | ||
|
|
8acb4813a1 | ||
|
|
776ce0b2d9 | ||
|
|
b1de9e17e5 |
50
.drone.yml
50
.drone.yml
@@ -94,6 +94,36 @@ pipeline:
|
||||
tag: latest
|
||||
when:
|
||||
branch: master
|
||||
keystone_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: keystone/Dockerfile
|
||||
context: keystone
|
||||
secrets: [docker_username, docker_password]
|
||||
registry: registry.webhosting.rug.nl
|
||||
repo: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
nova_service_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: nova_service/Dockerfile
|
||||
context: nova_service
|
||||
secrets: [docker_username, docker_password]
|
||||
registry: registry.webhosting.rug.nl
|
||||
repo: registry.webhosting.rug.nl/hpc/openstack-nova-service-merlin
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
horizon_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: horizon/Dockerfile
|
||||
context: horizon
|
||||
secrets: [docker_username, docker_password]
|
||||
registry: registry.webhosting.rug.nl
|
||||
repo: registry.webhosting.rug.nl/hpc/openstack-horizon-merlin
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
neutron_controller_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: neutron_controller/Dockerfile
|
||||
@@ -104,6 +134,16 @@ pipeline:
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
cinder_controller_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: cinder_controller/Dockerfile
|
||||
context: cinder_controller
|
||||
secrets: [docker_username, docker_password]
|
||||
registry: registry.webhosting.rug.nl
|
||||
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller-merlin
|
||||
tag: latest
|
||||
when:
|
||||
branch: mwelin
|
||||
cinder_storage_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: cinder_storage/Dockerfile
|
||||
@@ -134,6 +174,16 @@ pipeline:
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
heat_merlin:
|
||||
image: plugins/docker
|
||||
dockerfile: heat/Dockerfile
|
||||
context: heat
|
||||
secrets: [docker_username, docker_password]
|
||||
registry: registry.webhosting.rug.nl
|
||||
repo: registry.webhosting.rug.nl/hpc/openstack-heat-merlin
|
||||
tag: latest
|
||||
when:
|
||||
branch: merlin
|
||||
notify:
|
||||
image: drillster/drone-email
|
||||
host: smtp.rug.nl
|
||||
|
||||
@@ -15,6 +15,8 @@ RUN set -x \
|
||||
python-oslo.cache \
|
||||
cinder-api \
|
||||
cinder-scheduler \
|
||||
python-ceph \
|
||||
python-rbd \
|
||||
&& apt-get -y clean
|
||||
|
||||
EXPOSE 8776
|
||||
|
||||
@@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=geheim
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
|
||||
@@ -7,6 +7,7 @@ cinder-scheduler -d &
|
||||
sleep 5
|
||||
apachectl -DFOREGROUND &
|
||||
|
||||
tail -f /var/log/apache2/* &
|
||||
# If any process fails, kill the rest.
|
||||
# This ensures the container stops and systemd will restart it.
|
||||
|
||||
|
||||
@@ -11,11 +11,12 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
|
||||
[DEFAULT]
|
||||
auth_strategy = keystone
|
||||
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
|
||||
enabled_backends = RBD-backend
|
||||
my_ip = $MY_IP
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -27,4 +28,14 @@ password = $CINDER_PASSWORD
|
||||
[oslo_concurrency]
|
||||
lock_path = /var/lib/cinder/tmp
|
||||
|
||||
[RBD-backend]
|
||||
volume_backend_name = RBD-backend
|
||||
rbd_pool = volumes
|
||||
rbd_user = volumes
|
||||
rbd_secret_uuid = $RBD_SECRET_UUID
|
||||
volume_driver = cinder.volume.drivers.rbd.RBDDriver
|
||||
rbd_ceph_conf = /etc/ceph/ceph.conf
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -17,6 +17,7 @@ RUN set -x \
|
||||
lvm2 \
|
||||
python-ceph \
|
||||
python-rbd \
|
||||
ceph-common \
|
||||
|
||||
&& apt-get -y clean
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=geheim
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
|
||||
@@ -16,8 +16,8 @@ enabled_backends = RBD-backend
|
||||
glance_api_servers = http://$GLANCE_HOST:9292
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -33,8 +33,10 @@ lock_path = /var/lib/cinder/tmp
|
||||
volume_backend_name = RBD-backend
|
||||
rbd_pool = volumes
|
||||
rbd_user = volumes
|
||||
rbd_secret_uuid=d0db6ba7-a0c9-4da6-b0bc-aa7846325333
|
||||
rbd_secret_uuid = $RBD_SECRET_UUID
|
||||
volume_driver = cinder.volume.drivers.rbd.RBDDriver
|
||||
rbd_ceph_conf = /etc/ceph/ceph.conf
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -8,7 +8,7 @@ export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=geheim
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export GLANCE_USER_NAME=glance
|
||||
|
||||
@@ -9,8 +9,8 @@ cat << EOF > /etc/glance/glance-api.conf
|
||||
connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance
|
||||
[image_format]
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -57,8 +57,8 @@ rbd_store_user = images
|
||||
rbd_store_ceph_conf = /etc/ceph/ceph.conf
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -79,3 +79,6 @@ rabbit_password = $RABBIT_PASSWORD
|
||||
flavor = keystone
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=geheim
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export HEAT_USER=heat
|
||||
|
||||
@@ -15,8 +15,8 @@ heat_waitcondition_server_url = http://$HEAT_HOST:8000/v1/waitcondition
|
||||
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -27,9 +27,11 @@ password = $HEAT_PASSWORD
|
||||
|
||||
[trustee]
|
||||
auth_plugin = password
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
username = $HEAT_USER
|
||||
password = $HEAT_PASSWORD
|
||||
user_domain_name = Default
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
8
horizon/.gitignore
vendored
8
horizon/.gitignore
vendored
@@ -1,8 +0,0 @@
|
||||
# ---> Vim
|
||||
[._]*.s[a-w][a-z]
|
||||
[._]s[a-w][a-z]
|
||||
*.un~
|
||||
Session.vim
|
||||
.netrwhist
|
||||
*~
|
||||
|
||||
@@ -16,20 +16,29 @@ RUN set -x \
|
||||
python-openstackclient \
|
||||
&& apt-get -y clean
|
||||
|
||||
EXPOSE 80
|
||||
|
||||
EXPOSE 80 443
|
||||
|
||||
COPY openstack-dashboard.conf /etc/apache2/conf-available/openstack-dashboard.conf
|
||||
|
||||
COPY local_settings.py /etc/openstack-dashboard/local_settings.py
|
||||
|
||||
# Add a redirect to /keystone instead of the "It works! page"
|
||||
COPY 000-default.conf /etc/apache2/sites-available
|
||||
|
||||
COPY run.sh /etc/run.sh
|
||||
|
||||
RUN chown -R www-data: /var/lib/openstack-dashboard/
|
||||
|
||||
RUN touch /var/log/horizon.log
|
||||
|
||||
RUN chown www-data: /var/log/horizon.log
|
||||
|
||||
RUN chown horizon: /var/lib/openstack-dashboard/secret_key
|
||||
RUN a2enmod ssl
|
||||
RUN a2enmod headers
|
||||
RUN a2enmod rewrite
|
||||
|
||||
CMD apachectl -DFOREGROUND
|
||||
#RUN chown /var/lib/openstack-dashboard/secret_key horizon
|
||||
|
||||
CMD /etc/run.sh
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=geheim
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
export OS_USER_DOMAIN_NAME=default
|
||||
|
||||
@@ -37,7 +37,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
|
||||
#EMAIL_HOST_PASSWORD = 'top-secret!'
|
||||
|
||||
OPENSTACK_HOST = os.environ['KEYSTONE_HOST']
|
||||
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
|
||||
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST
|
||||
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
|
||||
|
||||
|
||||
@@ -266,7 +266,6 @@ TIME_ZONE = "UTC"
|
||||
# ('default', 'Default', 'themes/default'),
|
||||
# ('material', 'Material', 'themes/material'),
|
||||
#]
|
||||
|
||||
LOGGING = {
|
||||
'version': 1,
|
||||
# When set to True this will disable all logging except
|
||||
@@ -288,11 +287,12 @@ LOGGING = {
|
||||
},
|
||||
'console': {
|
||||
# Set the level to "DEBUG" for verbose output logging.
|
||||
'level': 'INFO',
|
||||
'class': 'logging.StreamHandler',
|
||||
'level': 'DEBUG',
|
||||
'class': 'logging.FileHandler',
|
||||
'filename': '/var/log/horizon.log',
|
||||
},
|
||||
'operation': {
|
||||
'level': 'INFO',
|
||||
'level': 'DEBUG',
|
||||
'class': 'logging.StreamHandler',
|
||||
'formatter': 'operation',
|
||||
},
|
||||
@@ -516,3 +516,12 @@ ALLOWED_HOSTS = '*'
|
||||
COMPRESS_OFFLINE = True
|
||||
|
||||
ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
|
||||
|
||||
WEBSSO_ENABLED = True
|
||||
|
||||
WEBSSO_CHOICES = (
|
||||
("credentials", _("Keystone Credentials")),
|
||||
("mapped", _("Security Assertion Markup Language"))
|
||||
)
|
||||
|
||||
WEBSSO_INITIAL_CHOICE = "mapped"
|
||||
|
||||
36
horizon/openstack-dashboard.conf
Normal file
36
horizon/openstack-dashboard.conf
Normal file
@@ -0,0 +1,36 @@
|
||||
<VirtualHost *:80>
|
||||
RedirectMatch "^/$" "/horizon"
|
||||
ServerName merlin.hpc.rug.nl
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} off
|
||||
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
||||
</VirtualHost>
|
||||
<VirtualHost *:443>
|
||||
RedirectMatch "^/$" "/horizon"
|
||||
ServerName merlin.hpc.rug.nl
|
||||
|
||||
SSLEngine On
|
||||
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
|
||||
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
|
||||
SSLCACertificateFile "/certs/DigiCertCA.crt"
|
||||
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
||||
|
||||
# HTTP Strict Transport Security (HSTS) enforces that all communications
|
||||
# with a server go over SSL. This mitigates the threat from attacks such
|
||||
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
|
||||
# and potentially allowing an attacker to view confidential information on the
|
||||
# wire
|
||||
Header add Strict-Transport-Security "max-age=15768000"
|
||||
|
||||
Alias /horizon/static /var/lib/openstack-dashboard/static/
|
||||
Alias /static /var/lib/openstack-dashboard/static/
|
||||
|
||||
<Directory /var/lib/openstack-dashboard/static>
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi process-group=horizon
|
||||
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10 display-name=%{GROUP}
|
||||
WSGIProcessGroup horizon
|
||||
</VirtualHost>
|
||||
|
||||
12
horizon/run.sh
Executable file
12
horizon/run.sh
Executable file
@@ -0,0 +1,12 @@
|
||||
#!/bin/bash
|
||||
|
||||
#Making the console log console again...
|
||||
tail -f /var/log/horizon.log &
|
||||
|
||||
tail -f /var/log/apache2/* &
|
||||
|
||||
cat /etc/openstack-dashboard/local_settings.py >> \
|
||||
/usr/share/openstack-dashboard/openstack_dashboard/settings.py
|
||||
|
||||
|
||||
apachectl -DFOREGROUND
|
||||
8
keystone/.gitignore
vendored
8
keystone/.gitignore
vendored
@@ -1,8 +0,0 @@
|
||||
# ---> Vim
|
||||
[._]*.s[a-w][a-z]
|
||||
[._]s[a-w][a-z]
|
||||
*.un~
|
||||
Session.vim
|
||||
.netrwhist
|
||||
*~
|
||||
|
||||
@@ -13,16 +13,36 @@ RUN set -x \
|
||||
&& apt-get -y update \
|
||||
&& apt-get -y install \
|
||||
&& apt-get -y install keystone python-openstackclient \
|
||||
&& apt-get -y install libapache2-mod-shib2 \
|
||||
&& apt-get -y clean
|
||||
|
||||
# set admin token TODO: make this a secret
|
||||
# in volume of met env
|
||||
COPY keystone.conf /etc/keystone/keystone.conf
|
||||
|
||||
COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
|
||||
|
||||
COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
|
||||
COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
|
||||
COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
|
||||
|
||||
COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
|
||||
|
||||
RUN mkdir /var/run/shibboleth
|
||||
|
||||
COPY run.sh /etc/run.sh
|
||||
|
||||
RUN mkdir /etc/keystone/fernet-keys
|
||||
|
||||
RUN chown keystone: /etc/keystone/fernet-keys
|
||||
|
||||
RUN a2enmod shib2
|
||||
|
||||
COPY bootstrap.sh /etc/bootstrap.sh
|
||||
|
||||
CMD apachectl -DFOREGROUND
|
||||
# Testing only!!!
|
||||
RUN mkdir -p /var/www/html/secure
|
||||
RUN apt-get -y install php libapache2-mod-php
|
||||
COPY test.php /var/www/html/secure/test.php
|
||||
|
||||
CMD /etc/run.sh
|
||||
|
||||
128
keystone/apache-keystone.conf
Normal file
128
keystone/apache-keystone.conf
Normal file
@@ -0,0 +1,128 @@
|
||||
LoadModule ssl_module modules/mod_ssl.so
|
||||
|
||||
Listen 5000
|
||||
Listen 35357
|
||||
|
||||
<Location /secure>
|
||||
AuthType shibboleth
|
||||
ShibRequestSetting requireSession 1
|
||||
require valid-user
|
||||
</Location>
|
||||
|
||||
Alias "/secure" "/var/www/html/secure"
|
||||
|
||||
<VirtualHost *:5000>
|
||||
ServerName https://merlin.hpc.rug.nl:5000
|
||||
SSLEngine on
|
||||
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
|
||||
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
|
||||
SSLCACertificateFile "/certs/DigiCertCA.crt"
|
||||
UseCanonicalName On
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
|
||||
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
LimitRequestBody 114688
|
||||
|
||||
# Added for federation.
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
|
||||
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
|
||||
ErrorLog /var/log/apache2/keystone.log
|
||||
CustomLog /var/log/apache2/keystone_access.log combined
|
||||
|
||||
<Directory /usr/bin>
|
||||
<IfVersion >= 2.4>
|
||||
Require all granted
|
||||
</IfVersion>
|
||||
<IfVersion < 2.4>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfVersion>
|
||||
</Directory>
|
||||
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
|
||||
<Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
|
||||
<IfVersion < 2.4>
|
||||
ShibRequireSession On
|
||||
ShibRequireAll On
|
||||
</IfVersion>
|
||||
</Location>
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion Off
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:35357>
|
||||
ServerName https://merlin.hpc.rug.nl:35357
|
||||
SSLEngine on
|
||||
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
|
||||
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
|
||||
SSLCACertificateFile "/certs/DigiCertCA.crt"
|
||||
UseCanonicalName On
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
|
||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
LimitRequestBody 114688
|
||||
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
|
||||
ErrorLog /var/log/apache2/keystone.log
|
||||
CustomLog /var/log/apache2/keystone_access.log combined
|
||||
|
||||
<Directory /usr/bin>
|
||||
<IfVersion >= 2.4>
|
||||
Require all granted
|
||||
</IfVersion>
|
||||
<IfVersion < 2.4>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfVersion>
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
||||
Alias /identity /usr/bin/keystone-wsgi-public
|
||||
<Location /identity>
|
||||
SetHandler wsgi-script
|
||||
Options +ExecCGI
|
||||
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
</Location>
|
||||
|
||||
Alias /identity_admin /usr/bin/keystone-wsgi-admin
|
||||
<Location /identity_admin>
|
||||
SetHandler wsgi-script
|
||||
Options +ExecCGI
|
||||
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
</Location>
|
||||
32
keystone/attribute-map.xml
Normal file
32
keystone/attribute-map.xml
Normal file
@@ -0,0 +1,32 @@
|
||||
<?xml version="1.0"?>
|
||||
|
||||
|
||||
|
||||
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
|
||||
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
|
||||
</Attribute>
|
||||
<Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
|
||||
|
||||
<!-- Added for nikhef -->
|
||||
<Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
|
||||
<!-- Added after mail 18-10-2018 -->
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
|
||||
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
|
||||
<Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
|
||||
<Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
|
||||
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
|
||||
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
|
||||
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
|
||||
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
|
||||
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
|
||||
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
|
||||
</Attributes>
|
||||
71
keystone/attribute-policy.xml
Normal file
71
keystone/attribute-policy.xml
Normal file
@@ -0,0 +1,71 @@
|
||||
<afp:AttributeFilterPolicyGroup
|
||||
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
|
||||
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
|
||||
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
|
||||
xmlns:afp="urn:mace:shibboleth:2.0:afp"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
|
||||
<!-- Shared rule for affiliation values. -->
|
||||
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
|
||||
<Rule xsi:type="AttributeValueString" value="faculty"/>
|
||||
<Rule xsi:type="AttributeValueString" value="student"/>
|
||||
<Rule xsi:type="AttributeValueString" value="staff"/>
|
||||
<Rule xsi:type="AttributeValueString" value="alum"/>
|
||||
<Rule xsi:type="AttributeValueString" value="member"/>
|
||||
<Rule xsi:type="AttributeValueString" value="affiliate"/>
|
||||
<Rule xsi:type="AttributeValueString" value="employee"/>
|
||||
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
|
||||
</afp:PermitValueRule>
|
||||
|
||||
<!--
|
||||
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
|
||||
an AttributeRule for each attribute you want to check.
|
||||
-->
|
||||
<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
|
||||
<!-- # Hacked for Nikhef federation
|
||||
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
|
||||
<Rule xsi:type="NOT">
|
||||
<Rule xsi:type="AttributeValueRegex" regex="@"/>
|
||||
</Rule>
|
||||
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
|
||||
</afp:PermitValueRule>
|
||||
-->
|
||||
<afp:AttributeFilterPolicy>
|
||||
<!-- This policy is in effect in all cases. -->
|
||||
<afp:PolicyRequirementRule xsi:type="ANY"/>
|
||||
|
||||
<!-- Filter out undefined affiliations and ensure only one primary. -->
|
||||
<afp:AttributeRule attributeID="affiliation">
|
||||
<afp:PermitValueRule xsi:type="AND">
|
||||
<RuleReference ref="eduPersonAffiliationValues"/>
|
||||
<RuleReference ref="ScopingRules"/>
|
||||
</afp:PermitValueRule>
|
||||
</afp:AttributeRule>
|
||||
<afp:AttributeRule attributeID="unscoped-affiliation">
|
||||
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
||||
</afp:AttributeRule>
|
||||
<afp:AttributeRule attributeID="primary-affiliation">
|
||||
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
||||
</afp:AttributeRule>
|
||||
|
||||
<afp:AttributeRule attributeID="eppn">
|
||||
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
||||
</afp:AttributeRule>
|
||||
|
||||
<afp:AttributeRule attributeID="targeted-id">
|
||||
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
||||
</afp:AttributeRule>
|
||||
|
||||
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
|
||||
<afp:AttributeRule attributeID="persistent-id">
|
||||
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
|
||||
</afp:AttributeRule>
|
||||
|
||||
<!-- Catch-all that passes everything else through unmolested. -->
|
||||
<afp:AttributeRule attributeID="*">
|
||||
<afp:PermitValueRule xsi:type="ANY"/>
|
||||
</afp:AttributeRule>
|
||||
|
||||
</afp:AttributeFilterPolicy>
|
||||
|
||||
</afp:AttributeFilterPolicyGroup>
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
EOF
|
||||
|
||||
@@ -16,7 +16,7 @@ cat << EOF > /root/demo-openrc.sh
|
||||
export OS_TENANT_NAME=demo
|
||||
export OS_USERNAME=demo
|
||||
export OS_PASSWORD=${OS_DEMO_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
EOF
|
||||
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
[DEFAULT]
|
||||
|
||||
verbose = true
|
||||
# debug = true
|
||||
log_file = /var/log/keystone/keystone.log
|
||||
|
||||
[database]
|
||||
connection = mysql+pymysql://keystone:keystone@mariadb/keystone
|
||||
@@ -8,5 +10,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
|
||||
[token]
|
||||
provider = fernet
|
||||
|
||||
[auth]
|
||||
methods = password,token,mapped,openid,saml2
|
||||
|
||||
[federation]
|
||||
trusted_dashboard = https://merlin.hpc.rug.nl/horizon/auth/websso/
|
||||
sso_calback_template = /etc/keystone/sso_calback_template.html
|
||||
|
||||
[mapped]
|
||||
remote_id_attribute = Shib-Identity-Provider
|
||||
|
||||
[identity]
|
||||
default_domain_id = default
|
||||
|
||||
252
keystone/routers.py
Normal file
252
keystone/routers.py
Normal file
@@ -0,0 +1,252 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import functools
|
||||
|
||||
from keystone.common import json_home
|
||||
from keystone.common import wsgi
|
||||
from keystone.federation import controllers
|
||||
|
||||
|
||||
build_resource_relation = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-FEDERATION', extension_version='1.0')
|
||||
|
||||
build_parameter_relation = functools.partial(
|
||||
json_home.build_v3_extension_parameter_relation,
|
||||
extension_name='OS-FEDERATION', extension_version='1.0')
|
||||
|
||||
IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
|
||||
PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
|
||||
parameter_name='protocol_id')
|
||||
SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
|
||||
|
||||
|
||||
class Routers(wsgi.RoutersBase):
|
||||
"""API Endpoints for the Federation extension.
|
||||
|
||||
The API looks like::
|
||||
|
||||
PUT /OS-FEDERATION/identity_providers/{idp_id}
|
||||
GET /OS-FEDERATION/identity_providers
|
||||
GET /OS-FEDERATION/identity_providers/{idp_id}
|
||||
DELETE /OS-FEDERATION/identity_providers/{idp_id}
|
||||
PATCH /OS-FEDERATION/identity_providers/{idp_id}
|
||||
|
||||
PUT /OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}
|
||||
GET /OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols
|
||||
GET /OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}
|
||||
PATCH /OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}
|
||||
DELETE /OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}
|
||||
|
||||
PUT /OS-FEDERATION/mappings
|
||||
GET /OS-FEDERATION/mappings
|
||||
PATCH /OS-FEDERATION/mappings/{mapping_id}
|
||||
GET /OS-FEDERATION/mappings/{mapping_id}
|
||||
DELETE /OS-FEDERATION/mappings/{mapping_id}
|
||||
|
||||
GET /OS-FEDERATION/projects
|
||||
GET /OS-FEDERATION/domains
|
||||
|
||||
PUT /OS-FEDERATION/service_providers/{sp_id}
|
||||
GET /OS-FEDERATION/service_providers
|
||||
GET /OS-FEDERATION/service_providers/{sp_id}
|
||||
DELETE /OS-FEDERATION/service_providers/{sp_id}
|
||||
PATCH /OS-FEDERATION/service_providers/{sp_id}
|
||||
|
||||
GET /OS-FEDERATION/identity_providers/{idp_id}/
|
||||
protocols/{protocol_id}/auth
|
||||
POST /OS-FEDERATION/identity_providers/{idp_id}/
|
||||
protocols/{protocol_id}/auth
|
||||
GET /auth/OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}/websso
|
||||
?origin=https%3A//horizon.example.com
|
||||
POST /auth/OS-FEDERATION/identity_providers/
|
||||
{idp_id}/protocols/{protocol_id}/websso
|
||||
?origin=https%3A//horizon.example.com
|
||||
|
||||
|
||||
POST /auth/OS-FEDERATION/saml2
|
||||
POST /auth/OS-FEDERATION/saml2/ecp
|
||||
GET /OS-FEDERATION/saml2/metadata
|
||||
|
||||
GET /auth/OS-FEDERATION/websso/{protocol_id}
|
||||
?origin=https%3A//horizon.example.com
|
||||
|
||||
POST /auth/OS-FEDERATION/websso/{protocol_id}
|
||||
?origin=https%3A//horizon.example.com
|
||||
|
||||
"""
|
||||
|
||||
def _construct_url(self, suffix):
|
||||
return "/OS-FEDERATION/%s" % suffix
|
||||
|
||||
def append_v3_routers(self, mapper, routers):
|
||||
auth_controller = controllers.Auth()
|
||||
idp_controller = controllers.IdentityProvider()
|
||||
protocol_controller = controllers.FederationProtocol()
|
||||
mapping_controller = controllers.MappingController()
|
||||
project_controller = controllers.ProjectAssignmentV3()
|
||||
domain_controller = controllers.DomainV3()
|
||||
saml_metadata_controller = controllers.SAMLMetadataV3()
|
||||
sp_controller = controllers.ServiceProvider()
|
||||
|
||||
# Identity Provider CRUD operations
|
||||
|
||||
self._add_resource(
|
||||
mapper, idp_controller,
|
||||
path=self._construct_url('identity_providers/{idp_id}'),
|
||||
get_action='get_identity_provider',
|
||||
put_action='create_identity_provider',
|
||||
patch_action='update_identity_provider',
|
||||
delete_action='delete_identity_provider',
|
||||
rel=build_resource_relation(resource_name='identity_provider'),
|
||||
path_vars={
|
||||
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, idp_controller,
|
||||
path=self._construct_url('identity_providers'),
|
||||
get_action='list_identity_providers',
|
||||
rel=build_resource_relation(resource_name='identity_providers'))
|
||||
|
||||
# Protocol CRUD operations
|
||||
|
||||
self._add_resource(
|
||||
mapper, protocol_controller,
|
||||
path=self._construct_url('identity_providers/{idp_id}/protocols/'
|
||||
'{protocol_id}'),
|
||||
get_action='get_protocol',
|
||||
put_action='create_protocol',
|
||||
patch_action='update_protocol',
|
||||
delete_action='delete_protocol',
|
||||
rel=build_resource_relation(
|
||||
resource_name='identity_provider_protocol'),
|
||||
path_vars={
|
||||
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, protocol_controller,
|
||||
path=self._construct_url('identity_providers/{idp_id}/protocols'),
|
||||
get_action='list_protocols',
|
||||
rel=build_resource_relation(
|
||||
resource_name='identity_provider_protocols'),
|
||||
path_vars={
|
||||
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||
})
|
||||
|
||||
# Mapping CRUD operations
|
||||
|
||||
self._add_resource(
|
||||
mapper, mapping_controller,
|
||||
path=self._construct_url('mappings/{mapping_id}'),
|
||||
get_action='get_mapping',
|
||||
put_action='create_mapping',
|
||||
patch_action='update_mapping',
|
||||
delete_action='delete_mapping',
|
||||
rel=build_resource_relation(resource_name='mapping'),
|
||||
path_vars={
|
||||
'mapping_id': build_parameter_relation(
|
||||
parameter_name='mapping_id'),
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, mapping_controller,
|
||||
path=self._construct_url('mappings'),
|
||||
get_action='list_mappings',
|
||||
rel=build_resource_relation(resource_name='mappings'))
|
||||
|
||||
# Service Providers CRUD operations
|
||||
|
||||
self._add_resource(
|
||||
mapper, sp_controller,
|
||||
path=self._construct_url('service_providers/{sp_id}'),
|
||||
get_action='get_service_provider',
|
||||
put_action='create_service_provider',
|
||||
patch_action='update_service_provider',
|
||||
delete_action='delete_service_provider',
|
||||
rel=build_resource_relation(resource_name='service_provider'),
|
||||
path_vars={
|
||||
'sp_id': SP_ID_PARAMETER_RELATION,
|
||||
})
|
||||
|
||||
self._add_resource(
|
||||
mapper, sp_controller,
|
||||
path=self._construct_url('service_providers'),
|
||||
get_action='list_service_providers',
|
||||
rel=build_resource_relation(resource_name='service_providers'))
|
||||
|
||||
self._add_resource(
|
||||
mapper, domain_controller,
|
||||
path=self._construct_url('domains'),
|
||||
new_path='/auth/domains',
|
||||
get_action='list_domains_for_user',
|
||||
rel=build_resource_relation(resource_name='domains'))
|
||||
self._add_resource(
|
||||
mapper, project_controller,
|
||||
path=self._construct_url('projects'),
|
||||
new_path='/auth/projects',
|
||||
get_action='list_projects_for_user',
|
||||
rel=build_resource_relation(resource_name='projects'))
|
||||
|
||||
# Auth operations
|
||||
self._add_resource(
|
||||
mapper, auth_controller,
|
||||
path=self._construct_url('identity_providers/{idp_id}/'
|
||||
'protocols/{protocol_id}/auth'),
|
||||
get_post_action='federated_authentication',
|
||||
rel=build_resource_relation(
|
||||
resource_name='identity_provider_protocol_auth'),
|
||||
path_vars={
|
||||
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, auth_controller,
|
||||
path='/auth' + self._construct_url('saml2'),
|
||||
post_action='create_saml_assertion',
|
||||
rel=build_resource_relation(resource_name='saml2'))
|
||||
self._add_resource(
|
||||
mapper, auth_controller,
|
||||
path='/auth' + self._construct_url('saml2/ecp'),
|
||||
post_action='create_ecp_assertion',
|
||||
rel=build_resource_relation(resource_name='ecp'))
|
||||
self._add_resource(
|
||||
mapper, auth_controller,
|
||||
path='/auth' + self._construct_url('websso/{protocol_id}'),
|
||||
get_post_action='federated_sso_auth',
|
||||
rel=build_resource_relation(resource_name='websso'),
|
||||
path_vars={
|
||||
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, auth_controller,
|
||||
path='/auth' + self._construct_url(
|
||||
'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
|
||||
get_post_action='federated_idp_specific_sso_auth',
|
||||
rel=build_resource_relation(resource_name='identity_providers'),
|
||||
path_vars={
|
||||
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||
})
|
||||
|
||||
# Keystone-Identity-Provider metadata endpoint
|
||||
self._add_resource(
|
||||
mapper, saml_metadata_controller,
|
||||
path=self._construct_url('saml2/metadata'),
|
||||
get_action='get_metadata',
|
||||
rel=build_resource_relation(resource_name='metadata'))
|
||||
20
keystone/rules.json
Normal file
20
keystone/rules.json
Normal file
@@ -0,0 +1,20 @@
|
||||
[
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"group_ids": "{1}",
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "REMOTE_USER"
|
||||
},
|
||||
{
|
||||
"type": "openstackGroupEntitlements"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
22
keystone/run.sh
Executable file
22
keystone/run.sh
Executable file
@@ -0,0 +1,22 @@
|
||||
#!/bin/bash
|
||||
# start nova compute service
|
||||
|
||||
chown keystone: /etc/keystone/fernet-keys
|
||||
chmod 700 /etc/keystone/fernet-keys
|
||||
|
||||
# Start apache
|
||||
a2enmod ssl
|
||||
apachectl -DFOREGROUND &
|
||||
|
||||
tail -f /var/log/apache2/* &
|
||||
|
||||
chown _shibd: /etc/shibboleth/sp*.pem
|
||||
|
||||
shibd -f -F &
|
||||
|
||||
# If any process fails, kill the rest.
|
||||
# This ensures the container stops and systemd will restart it.
|
||||
|
||||
wait -n
|
||||
pkill -P $$
|
||||
|
||||
114
keystone/shibboleth2.xml
Normal file
114
keystone/shibboleth2.xml
Normal file
@@ -0,0 +1,114 @@
|
||||
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
clockSkew="180">
|
||||
|
||||
<!--
|
||||
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
||||
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
||||
-->
|
||||
|
||||
<!--
|
||||
To customize behavior for specific resources on Apache, and to link vhosts or
|
||||
resources to ApplicationOverride settings below, use web server options/commands.
|
||||
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
||||
|
||||
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
||||
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
||||
-->
|
||||
|
||||
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
||||
<ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
|
||||
REMOTE_USER="eppn persistent-id targeted-id">
|
||||
|
||||
<!--
|
||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||
You MUST supply an effectively unique handlerURL value for each of your applications.
|
||||
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
||||
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
||||
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
||||
Note that while we default checkAddress to "false", this has a negative impact on the
|
||||
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
||||
-->
|
||||
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
||||
checkAddress="false" handlerSSL="true" cookieProps="https">
|
||||
|
||||
<!--
|
||||
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
||||
entityID property and adjust discoveryURL to point to discovery service.
|
||||
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
||||
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
||||
-->
|
||||
<SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
|
||||
SAML2
|
||||
</SSO>
|
||||
|
||||
<!-- SAML and local-only logout. -->
|
||||
<Logout>SAML2 Local</Logout>
|
||||
|
||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||
|
||||
<!-- Status reporting service. -->
|
||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||
|
||||
<!-- Session diagnostic service. -->
|
||||
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
||||
|
||||
<!-- JSON feed of discovery information. -->
|
||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||
</Sessions>
|
||||
|
||||
<!--
|
||||
Allows overriding of error template information/filenames. You can
|
||||
also add attributes with values that can be plugged into the templates.
|
||||
-->
|
||||
<Errors supportContact="root@localhost"
|
||||
helpLocation="/about.html"
|
||||
styleSheet="/shibboleth-sp/main.css"/>
|
||||
|
||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||
<MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
|
||||
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
||||
</MetadataProvider>
|
||||
|
||||
<!-- Example of locally maintained metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
||||
-->
|
||||
|
||||
<!-- Map to extract attributes from SAML assertions. -->
|
||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||
|
||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||
|
||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||
|
||||
<!-- Simple file-based resolver for using a single keypair. -->
|
||||
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
||||
|
||||
<!--
|
||||
The default settings can be overridden by creating ApplicationOverride elements (see
|
||||
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||
applicationId setting.
|
||||
|
||||
Example of a second application (for a second vhost) that has a different entityID.
|
||||
Resources on the vhost would map to an applicationId of "admin":
|
||||
-->
|
||||
<!--
|
||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||
-->
|
||||
</ApplicationDefaults>
|
||||
|
||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||
|
||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||
|
||||
</SPConfig>
|
||||
22
keystone/sso_callback_template.html
Normal file
22
keystone/sso_callback_template.html
Normal file
@@ -0,0 +1,22 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>Keystone WebSSO redirect</title>
|
||||
</head>
|
||||
<body>
|
||||
<form id="sso" name="sso" action="$host" method="post">
|
||||
Please wait...
|
||||
<br/>
|
||||
<input type="hidden" name="token" id="token" value="$token"/>
|
||||
<noscript>
|
||||
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
|
||||
value="If your JavaScript is disabled, please click to continue"/>
|
||||
</noscript>
|
||||
</form>
|
||||
<script type="text/javascript">
|
||||
window.onload = function() {
|
||||
document.forms['sso'].submit();
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
4
keystone/test.php
Normal file
4
keystone/test.php
Normal file
@@ -0,0 +1,4 @@
|
||||
<html>
|
||||
<head><title>Shibboleth test</title></head>
|
||||
<body><pre><?php print_r($_SERVER); ?></pre></body>
|
||||
</html>
|
||||
@@ -11,7 +11,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
|
||||
@@ -22,8 +22,8 @@ root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
|
||||
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -33,7 +33,7 @@ username = $NEUTRON_USER
|
||||
password = $NEUTRON_PASSWORD
|
||||
|
||||
[nova]
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -98,3 +98,5 @@ interface_driver = linuxbridge
|
||||
external_network_bridge =
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -11,7 +11,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
|
||||
@@ -22,8 +22,8 @@ root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
|
||||
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -33,7 +33,7 @@ username = $NEUTRON_USER
|
||||
password = $NEUTRON_PASSWORD
|
||||
|
||||
[nova]
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -98,3 +98,5 @@ interface_driver = linuxbridge
|
||||
external_network_bridge =
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -8,7 +8,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
@@ -41,7 +41,7 @@ security_group_api=neutron
|
||||
|
||||
[neutron]
|
||||
url = http://$NEUTRON_CONTROLLER_HOST:9696
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -66,8 +66,8 @@ lock_path = /var/lib/nova/tmp
|
||||
auth_strategy = keystone
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -91,7 +91,7 @@ project_domain_name = Default
|
||||
project_name = service
|
||||
auth_type = password
|
||||
user_domain_name = Default
|
||||
auth_url = http://$KEYSTONE_HOST:35357/v3
|
||||
auth_url = https://$KEYSTONE_HOST:35357/v3
|
||||
username = $NOVA_PLACEMENT_USER
|
||||
password = $NOVA_PLACEMENT_PASSWORD
|
||||
|
||||
@@ -124,10 +124,11 @@ allow_resize_to_same_host = True
|
||||
[libvirt]
|
||||
virt_type = kvm
|
||||
images_type = rbd
|
||||
images_rbd_pool = compute
|
||||
images_rbd_pool = volumes
|
||||
images_rbd_ceph_conf = /etc/ceph/ceph.conf
|
||||
rbd_user = compute
|
||||
rbd_secret_uuid = d0db6ba7-a0c9-4da6-b0bc-aa7846325333
|
||||
rbd_user = volumes
|
||||
rbd_secret_uuid = $RBD_SECRET_UUID
|
||||
|
||||
|
||||
[vnc]
|
||||
enabled = True
|
||||
@@ -145,8 +146,8 @@ lock_path = /var/lib/nova/tmp
|
||||
auth_strategy = keystone
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -170,7 +171,7 @@ project_domain_name = Default
|
||||
project_name = service
|
||||
auth_type = password
|
||||
user_domain_name = Default
|
||||
auth_url = http://$KEYSTONE_HOST:35357/v3
|
||||
auth_url = https://$KEYSTONE_HOST:35357/v3
|
||||
username = $NOVA_PLACEMENT_USER
|
||||
password = $NOVA_PLACEMENT_PASSWORD
|
||||
|
||||
@@ -179,7 +180,7 @@ api_paste_config=/etc/nova/api-paste.ini
|
||||
|
||||
[neutron]
|
||||
url = http://$NEUTRON_CONTROLLER_HOST:9696
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -203,8 +204,8 @@ core_plugin = ml2
|
||||
global_physnet_mtu = $GLOBAL_PHYSNET_MTU
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -214,7 +215,7 @@ username = $NEUTRON_USER
|
||||
password = $NEUTRON_PASSWORD
|
||||
|
||||
[nova]
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -314,3 +315,5 @@ interface_driver = linuxbridge
|
||||
external_network_bridge =
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -13,7 +13,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=default
|
||||
|
||||
@@ -24,7 +24,7 @@ security_group_api=neutron
|
||||
|
||||
[neutron]
|
||||
url = http://$NEUTRON_CONTROLLER_HOST:9696
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
user_domain_name = Default
|
||||
@@ -39,8 +39,8 @@ metadata_proxy_shared_secret = $METADATA_SECRET
|
||||
auth_strategy = keystone
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://$KEYSTONE_HOST:5000
|
||||
auth_url = http://$KEYSTONE_HOST:35357
|
||||
auth_uri = https://$KEYSTONE_HOST:5000
|
||||
auth_url = https://$KEYSTONE_HOST:35357
|
||||
memcached_servers = $MEMCACHED_HOST:11211
|
||||
auth_type = password
|
||||
project_domain_name = Default
|
||||
@@ -66,7 +66,7 @@ project_domain_name = Default
|
||||
project_name = service
|
||||
auth_type = password
|
||||
user_domain_name = Default
|
||||
auth_url = http://$KEYSTONE_HOST:35357/v3
|
||||
auth_url = https://$KEYSTONE_HOST:35357/v3
|
||||
username = $NOVA_PLACEMENT_USER
|
||||
password = $NOVA_PLACEMENT_PASSWORD
|
||||
|
||||
@@ -74,3 +74,5 @@ password = $NOVA_PLACEMENT_PASSWORD
|
||||
os_region_name = RegionOne
|
||||
|
||||
EOF
|
||||
|
||||
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts
|
||||
|
||||
@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=${OS_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
EOF
|
||||
|
||||
@@ -16,6 +16,6 @@ cat << EOF > /root/demo-openrc.sh
|
||||
export OS_TENANT_NAME=demo
|
||||
export OS_USERNAME=demo
|
||||
export OS_PASSWORD=${OS_DEMO_PASSWORD}
|
||||
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
|
||||
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user