Adding LDAP support for Keystone charm
Change-Id: Ic07622ef2332943479d1e9212f9d968ba6554ead
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/docker/Keystone/Dockerfile b/docker/Keystone/Dockerfile
index 3880e96..8525cb5 100644
--- a/docker/Keystone/Dockerfile
+++ b/docker/Keystone/Dockerfile
@@ -61,7 +61,7 @@
# ldap
# ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
# ENV LDAP_URL ldap://localhost
-# ENV LDAP_BIND_USER no defauslt
+# ENV LDAP_BIND_USER no default
# ENV LDAP_BIND_PASSWORD no default
# ENV LDAP_USER_TREE_DN no default
# ENV LDAP_USER_OBJECTCLASS inetOrgPerson
diff --git a/installers/charm/build.sh b/installers/charm/build.sh
index 5d1c868..1c017ba 100755
--- a/installers/charm/build.sh
+++ b/installers/charm/build.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -11,8 +12,9 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/bash
+
set -eux
+
function build() {
cd $1 && tox -e build && cd ..
}
diff --git a/installers/charm/keystone/config.yaml b/installers/charm/keystone/config.yaml
index c99d878..b014e55 100644
--- a/installers/charm/keystone/config.yaml
+++ b/installers/charm/keystone/config.yaml
@@ -52,10 +52,6 @@
type: string
description: Ingress URL
default: ""
- ldap_enabled:
- type: boolean
- description: Boolean to enable/disable LDAP authentication
- default: false
region_id:
type: string
description: Region ID to be created when starting the service
@@ -97,21 +93,135 @@
description: |
Project domain name (Hardcoded in the container start.sh script)
default: default
-
- # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
- # ENV LDAP_URL ldap://localhost
- # ENV LDAP_BIND_USER no defauslt
- # ENV LDAP_BIND_PASSWORD no default
- # ENV LDAP_USER_TREE_DN no default
- # ENV LDAP_USER_OBJECTCLASS inetOrgPerson
- # ENV LDAP_USER_ID_ATTRIBUTE cn
- # ENV LDAP_USER_NAME_ATTRIBUTE sn
- # ENV LDAP_USER_PASS_ATTRIBUTE userPassword
- # ENV LDAP_USER_FILTER no default
- # ENV LDAP_USER_ENABLED_ATTRIBUTE enabled
- # ENV LDAP_USER_ENABLED_MASK 0
- # ENV LDAP_USER_ENABLED_DEFAULT true
- # ENV LDAP_USER_ENABLED_INVERT false
- # ENV LDAP_USE_STARTTLS false
- # ENV LDAP_TLS_CACERT_BASE64 no default
- # ENV LDAP_TLS_REQ_CERT demand
+ ldap_enabled:
+ type: boolean
+ description: Boolean to enable/disable LDAP authentication
+ default: false
+ ldap_authentication_domain_name:
+ type: string
+ description: Name of the domain which use LDAP authentication
+ default: ""
+ ldap_url:
+ type: string
+ description: URL of the LDAP server
+ default: "ldap://localhost"
+ ldap_bind_user:
+ type: string
+ description: User to bind and search for users
+ default: ""
+ ldap_bind_password:
+ type: string
+ description: Password to bind and search for users
+ default: ""
+ ldap_user_tree_dn:
+ type: string
+ description: |
+ Root of the tree in LDAP server in which Keystone will search for users
+ default: ""
+ ldap_user_objectclass:
+ type: string
+ description: |
+ LDAP object class that Keystone will filter on within user_tree_dn to
+ find user objects. Any objects of other classes will be ignored.
+ default: inetOrgPerson
+ ldap_user_id_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: cn
+ ldap_user_name_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: sn
+ ldap_user_pass_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: userPassword
+ ldap_user_filter:
+ type: string
+ description: |
+ This filter option allow additional filter (over and above
+ user_objectclass) to be included into the search of user. One common use
+ of this is to provide more efficient searching, where the recommended
+ search for user objects is (&(objectCategory=person)(objectClass=user)).
+ By specifying user_objectclass as user and user_filter as
+ objectCategory=person in the Keystone configuration file, this can be
+ achieved.
+ default: ""
+ ldap_user_enabled_attribute:
+ type: string
+ description: |
+ In Keystone, a user entity can be either enabled or disabled. Setting
+ the above option will give a mapping to an equivalent attribute in LDAP,
+ allowing your LDAP management tools to disable a user.
+ default: enabled
+ ldap_user_enabled_mask:
+ type: int
+ description: |
+ Some LDAP schemas, rather than having a dedicated attribute for user
+ enablement, use a bit within a general control attribute (such as
+ userAccountControl) to indicate this. Setting user_enabled_mask will
+ cause Keystone to look at only the status of this bit in the attribute
+ specified by user_enabled_attribute, with the bit set indicating the
+ user is enabled.
+ default: 0
+ ldap_user_enabled_default:
+ type: boolean
+ description: |
+ Most LDAP servers use a boolean or bit in a control field to indicate
+ enablement. However, some schemas might use an integer value in an
+ attribute. In this situation, set user_enabled_default to the integer
+ value that represents a user being enabled.
+ default: true
+ ldap_user_enabled_invert:
+ type: boolean
+ description: |
+ Some LDAP schemas have an “account locked” attribute, which is the
+ equivalent to account being “disabled.” In order to map this to the
+ Keystone enabled attribute, you can utilize the user_enabled_invert
+ setting in conjunction with user_enabled_attribute to map the lock
+ status to disabled in Keystone.
+ default: false
+ ldap_use_starttls:
+ type: boolean
+ description: |
+ Enable Transport Layer Security (TLS) for providing a secure connection
+ from Keystone to LDAP (StartTLS, not LDAPS).
+ default: false
+ ldap_tls_cacert_base64:
+ type: string
+ description: |
+ CA certificate in Base64 format (if you have the PEM file, text inside
+ "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
+ default: ""
+ ldap_tls_req_cert:
+ type: string
+ description: |
+ Defines how the certificates are checked for validity in the client
+ (i.e., Keystone end) of the secure connection (this doesn’t affect what
+ level of checking the server is doing on the certificates it receives
+ from Keystone). Possible values are "demand", "never", and "allow". The
+ default of demand means the client always checks the certificate and
+ will drop the connection if it is not provided or invalid. never is the
+ opposite—it never checks it, nor requires it to be provided. allow means
+ that if it is not provided then the connection is allowed to continue,
+ but if it is provided it will be checked—and if invalid, the connection
+ will be dropped.
+ default: demand
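Review bot: The descriptions of `ldap_user_name_attribute` and `ldap_user_pass_attribute` are verbatim copies of the `ldap_user_id_attribute` text and never say which Keystone attribute each option maps; one sentence each would do, e.g. `description: LDAP attribute mapped to the Keystone user name` and `description: LDAP attribute mapped to the Keystone user password`. `ldap_user_enabled_default` is declared `type: boolean`, yet its description tells the operator to set it to "the integer value that represents a user being enabled", so either the type or the text is wrong and a schema that is an integer cannot be expressed with this option. For `ldap_tls_req_cert`, the description lists `never` as a possible value without saying that it turns off server-certificate verification for the bind connection; a short addition such as `never disables certificate verification and is only suitable for testing` would make the risk visible to the operator. Also worth a sentence on `ldap_url`: with the `ldap://` default and `ldap_use_starttls` left false, the bind credentials cross the network in cleartext.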
diff --git a/installers/charm/keystone/metadata.yaml b/installers/charm/keystone/metadata.yaml
index eb3c8ef..c04c121 100644
--- a/installers/charm/keystone/metadata.yaml
+++ b/installers/charm/keystone/metadata.yaml
@@ -14,7 +14,7 @@
name: keystone
summary: A Keystone K8s charm
description: |
- Transmission
+ A CAAS charm to deploy Keystone
series:
- kubernetes
min-juju-version: 2.8.0
diff --git a/installers/charm/keystone/src/charm.py b/installers/charm/keystone/src/charm.py
index 632e96a..8a5942a 100755
--- a/installers/charm/keystone/src/charm.py
+++ b/installers/charm/keystone/src/charm.py
@@ -123,7 +123,7 @@
def _make_pod_envconfig(self):
config = self.model.config
- return {
+ envconfig = {
"DB_HOST": self.state.db_host,
"DB_PORT": self.state.db_port,
"ROOT_DB_USER": self.state.db_user,
@@ -139,6 +139,43 @@
"SERVICE_PROJECT": config["service_project"],
}
+ if config.get("ldap_enabled"):
+ envconfig["LDAP_AUTHENTICATION_DOMAIN_NAME"] = config[
+ "ldap_authentication_domain_name"
+ ]
+ envconfig["LDAP_URL"] = config["ldap_url"]
+ envconfig["LDAP_USER_OBJECTCLASS"] = config["ldap_user_objectclass"]
+ envconfig["LDAP_USER_ID_ATTRIBUTE"] = config["ldap_user_id_attribute"]
+ envconfig["LDAP_USER_NAME_ATTRIBUTE"] = config["ldap_user_name_attribute"]
+ envconfig["LDAP_USER_PASS_ATTRIBUTE"] = config["ldap_user_pass_attribute"]
+ envconfig["LDAP_USER_ENABLED_MASK"] = config["ldap_user_enabled_mask"]
+ envconfig["LDAP_USER_ENABLED_DEFAULT"] = config["ldap_user_enabled_default"]
+ envconfig["LDAP_USER_ENABLED_INVERT"] = config["ldap_user_enabled_invert"]
+
+ if config["ldap_bind_user"]:
+ envconfig["LDAP_BIND_USER"] = config["ldap_bind_user"]
+
+ if config["ldap_bind_password"]:
+ envconfig["LDAP_BIND_PASSWORD"] = config["ldap_bind_password"]
+
+ if config["ldap_user_tree_dn"]:
+ envconfig["LDAP_USER_TREE_DN"] = config["ldap_user_tree_dn"]
+
+ if config["ldap_user_filter"]:
+ envconfig["LDAP_USER_FILTER"] = config["ldap_user_filter"]
+
+ if config["ldap_user_enabled_attribute"]:
+ envconfig["LDAP_USER_ENABLED_ATTRIBUTE"] = config[
+ "ldap_user_enabled_attribute"
+ ]
+
+ if config["ldap_use_starttls"]:
+ envconfig["LDAP_USE_STARTTLS"] = config["ldap_use_starttls"]
+ envconfig["LDAP_TLS_CACERT_BASE64"] = config["ldap_tls_cacert_base64"]
+ envconfig["LDAP_TLS_REQ_CERT"] = config["ldap_tls_req_cert"]
+
+ return envconfig
+
def _make_pod_ingress_resources(self):
site_url = self.model.config["site_url"]
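Review bot: `ldap_bind_password` is copied into the pod environment as a plain variable (the `LDAP_BIND_PASSWORD` assignment), where it is visible to anyone who can read the pod spec or inspect the container, alongside the non-secret settings; if the pod-spec version this charm emits supports Kubernetes secrets, the password should go through that path and be referenced from the env instead of inlined. `ldap_tls_req_cert` is passed through unvalidated, so a typo silently reaches the container; a guard such as `if config["ldap_tls_req_cert"] not in ("demand", "never", "allow"): raise ValueError("ldap_tls_req_cert must be demand, never or allow")` would fail early, and the charm could log a warning when `never` is chosen since it disables certificate checking. The optional values use `config["..."]` while the enable flag uses `config.get("ldap_enabled")`; since every key is declared in config.yaml, the two styles should agree (plain indexing throughout is clearer). `_make_pod_envconfig` begins before this hunk, so the first part of the dictionary is not visible here.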
diff --git a/installers/charm/lint.sh b/installers/charm/lint.sh
index 1a4fa80..3c42dd1 100755
--- a/installers/charm/lint.sh
+++ b/installers/charm/lint.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -11,8 +12,9 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/bash
+
set -eux
+
function lint() {
cd $1
tox -e lint
@@ -25,3 +27,6 @@
lint 'pol-k8s'
lint 'ro-k8s'
lint 'ui-k8s'
+lint 'keystone'
+lint 'ng-ui'
+lint 'pla'
\ No newline at end of file