From: sousaedu
Date: Wed, 23 Sep 2020 12:28:25 +0000 (+0100)
Subject: Adding LDAP support for Keystone charm
X-Git-Tag: release-v9.0-start~61
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F44%2F9744%2F2;p=osm%2Fdevops.git
Adding LDAP support for Keystone charm
Change-Id: Ic07622ef2332943479d1e9212f9d968ba6554ead
Signed-off-by: sousaedu
---
diff --git a/docker/Keystone/Dockerfile b/docker/Keystone/Dockerfile
index 3880e96d..8525cb54 100644
--- a/docker/Keystone/Dockerfile
+++ b/docker/Keystone/Dockerfile
@@ -61,7 +61,7 @@ ENV SERVICE_PROJECT service
 # ldap
 # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
 # ENV LDAP_URL ldap://localhost
-# ENV LDAP_BIND_USER no defauslt
+# ENV LDAP_BIND_USER no default
 # ENV LDAP_BIND_PASSWORD no default
 # ENV LDAP_USER_TREE_DN no default
 # ENV LDAP_USER_OBJECTCLASS inetOrgPerson
diff --git a/installers/charm/build.sh b/installers/charm/build.sh
index 5d1c868a..1c017ba1 100755
--- a/installers/charm/build.sh
+++ b/installers/charm/build.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # Copyright 2020 Canonical Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -11,8 +12,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#!/bin/bash
+
 set -eux
+
 function build() {
 cd $1 && tox -e build && cd ..
 }
diff --git a/installers/charm/keystone/config.yaml b/installers/charm/keystone/config.yaml
index c99d8783..b014e55b 100644
--- a/installers/charm/keystone/config.yaml
+++ b/installers/charm/keystone/config.yaml
@@ -52,10 +52,6 @@ options:
 type: string
 description: Ingress URL
 default: ""
- ldap_enabled:
- type: boolean
- description: Boolean to enable/disable LDAP authentication
- default: false
 region_id:
 type: string
 description: Region ID to be created when starting the service
@@ -97,21 +93,135 @@ options:
 description: |
 Project domain name (Hardcoded in the container start.sh script)
 default: default
-
- # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
- # ENV LDAP_URL ldap://localhost
- # ENV LDAP_BIND_USER no defauslt
- # ENV LDAP_BIND_PASSWORD no default
- # ENV LDAP_USER_TREE_DN no default
- # ENV LDAP_USER_OBJECTCLASS inetOrgPerson
- # ENV LDAP_USER_ID_ATTRIBUTE cn
- # ENV LDAP_USER_NAME_ATTRIBUTE sn
- # ENV LDAP_USER_PASS_ATTRIBUTE userPassword
- # ENV LDAP_USER_FILTER no default
- # ENV LDAP_USER_ENABLED_ATTRIBUTE enabled
- # ENV LDAP_USER_ENABLED_MASK 0
- # ENV LDAP_USER_ENABLED_DEFAULT true
- # ENV LDAP_USER_ENABLED_INVERT false
- # ENV LDAP_USE_STARTTLS false
- # ENV LDAP_TLS_CACERT_BASE64 no default
- # ENV LDAP_TLS_REQ_CERT demand
+ ldap_enabled:
+ type: boolean
+ description: Boolean to enable/disable LDAP authentication
+ default: false
+ ldap_authentication_domain_name:
+ type: string
+ description: Name of the domain which use LDAP authentication
+ default: ""
+ ldap_url:
+ type: string
+ description: URL of the LDAP server
+ default: "ldap://localhost"
+ ldap_bind_user:
+ type: string
+ description: User to bind and search for users
+ default: ""
+ ldap_bind_password:
+ type: string
+ description: Password to bind and search for users
+ default: ""
+ ldap_user_tree_dn:
+ type: string
+ description: |
+ Root of the tree in LDAP server in which Keystone will search for users
+ default: ""
+ ldap_user_objectclass:
+ type: string
+ description: |
+ LDAP object class that Keystone will filter on within user_tree_dn to
+ find user objects. Any objects of other classes will be ignored.
+ default: inetOrgPerson
+ ldap_user_id_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: cn
+ ldap_user_name_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: sn
+ ldap_user_pass_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: userPassword
+ ldap_user_filter:
+ type: string
+ description: |
+ This filter option allow additional filter (over and above
+ user_objectclass) to be included into the search of user. One common use
+ of this is to provide more efficient searching, where the recommended
+ search for user objects is (&(objectCategory=person)(objectClass=user)).
+ By specifying user_objectclass as user and user_filter as
+ objectCategory=person in the Keystone configuration file, this can be
+ achieved.
+ default: ""
+ ldap_user_enabled_attribute:
+ type: string
+ description: |
+ In Keystone, a user entity can be either enabled or disabled. Setting
+ the above option will give a mapping to an equivalent attribute in LDAP,
+ allowing your LDAP management tools to disable a user.
+ default: enabled
+ ldap_user_enabled_mask:
+ type: int
+ description: |
+ Some LDAP schemas, rather than having a dedicated attribute for user
+ enablement, use a bit within a general control attribute (such as
+ userAccountControl) to indicate this. Setting user_enabled_mask will
+ cause Keystone to look at only the status of this bit in the attribute
+ specified by user_enabled_attribute, with the bit set indicating the
+ user is enabled.
+ default: 0
+ ldap_user_enabled_default:
+ type: boolean
+ description: |
+ Most LDAP servers use a boolean or bit in a control field to indicate
+ enablement. However, some schemas might use an integer value in an
+ attribute. In this situation, set user_enabled_default to the integer
+ value that represents a user being enabled.
+ default: true
+ ldap_user_enabled_invert:
+ type: boolean
+ description: |
+ Some LDAP schemas have an “account locked” attribute, which is the
+ equivalent to account being “disabled.” In order to map this to the
+ Keystone enabled attribute, you can utilize the user_enabled_invert
+ setting in conjunction with user_enabled_attribute to map the lock
+ status to disabled in Keystone.
+ default: false
+ ldap_use_starttls:
+ type: boolean
+ description: |
+ Enable Transport Layer Security (TLS) for providing a secure connection
+ from Keystone to LDAP (StartTLS, not LDAPS).
+ default: false
+ ldap_tls_cacert_base64:
+ type: string
+ description: |
+ CA certificate in Base64 format (if you have the PEM file, text inside
+ "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
+ default: ""
+ ldap_tls_req_cert:
+ type: string
+ description: |
+ Defines how the certificates are checked for validity in the client
+ (i.e., Keystone end) of the secure connection (this doesn’t affect what
+ level of checking the server is doing on the certificates it receives
+ from Keystone). Possible values are "demand", "never", and "allow". The
+ default of demand means the client always checks the certificate and
+ will drop the connection if it is not provided or invalid. never is the
+ opposite—it never checks it, nor requires it to be provided. allow means
+ that if it is not provided then the connection is allowed to continue,
+ but if it is provided it will be checked—and if invalid, the connection
+ will be dropped.
+ default: demand
diff --git a/installers/charm/keystone/metadata.yaml b/installers/charm/keystone/metadata.yaml
index eb3c8efc..c04c121d 100644
--- a/installers/charm/keystone/metadata.yaml
+++ b/installers/charm/keystone/metadata.yaml
@@ -14,7 +14,7 @@
 name: keystone
 summary: A Keystone K8s charm
 description: |
- Transmission
+ A CAAS charm to deploy Keystone
 series:
 - kubernetes
 min-juju-version: 2.8.0
diff --git a/installers/charm/keystone/src/charm.py b/installers/charm/keystone/src/charm.py
index 632e96a4..8a5942af 100755
--- a/installers/charm/keystone/src/charm.py
+++ b/installers/charm/keystone/src/charm.py
@@ -123,7 +123,7 @@ class KeystoneCharm(CharmBase):
 
 def _make_pod_envconfig(self):
 config = self.model.config
- return {
+ envconfig = {
 "DB_HOST": self.state.db_host,
 "DB_PORT": self.state.db_port,
 "ROOT_DB_USER": self.state.db_user,
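Review bot: `ldap_user_enabled_default` is declared `type: boolean` with `default: true`, yet its own description tells the operator to set it to the integer value that represents an enabled user, which a boolean option cannot hold and Juju will refuse; Keystone's `user_enabled_default` is a string option, so `type: string` with `default: "true"` would accept both forms. The descriptions of `ldap_user_name_attribute` and `ldap_user_pass_attribute` are verbatim copies of the `ldap_user_id_attribute` text and only talk about `user_id`; each should describe its own attribute, e.g. `description: LDAP attribute mapped to the Keystone user name` and `description: LDAP attribute holding the user password`. `ldap_tls_req_cert` names three legal values but nothing in this change constrains the option, so a mistyped value is presumably handed to the container unchecked; either validate it where the env config is built or say in the description that the value is passed through verbatim.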
@@ -139,6 +139,43 @@ class KeystoneCharm(CharmBase):
 "SERVICE_PROJECT": config["service_project"],
 }
 
+ if config.get("ldap_enabled"):
+ envconfig["LDAP_AUTHENTICATION_DOMAIN_NAME"] = config[
+ "ldap_authentication_domain_name"
+ ]
+ envconfig["LDAP_URL"] = config["ldap_url"]
+ envconfig["LDAP_USER_OBJECTCLASS"] = config["ldap_user_objectclass"]
+ envconfig["LDAP_USER_ID_ATTRIBUTE"] = config["ldap_user_id_attribute"]
+ envconfig["LDAP_USER_NAME_ATTRIBUTE"] = config["ldap_user_name_attribute"]
+ envconfig["LDAP_USER_PASS_ATTRIBUTE"] = config["ldap_user_pass_attribute"]
+ envconfig["LDAP_USER_ENABLED_MASK"] = config["ldap_user_enabled_mask"]
+ envconfig["LDAP_USER_ENABLED_DEFAULT"] = config["ldap_user_enabled_default"]
+ envconfig["LDAP_USER_ENABLED_INVERT"] = config["ldap_user_enabled_invert"]
+
+ if config["ldap_bind_user"]:
+ envconfig["LDAP_BIND_USER"] = config["ldap_bind_user"]
+
+ if config["ldap_bind_password"]:
+ envconfig["LDAP_BIND_PASSWORD"] = config["ldap_bind_password"]
+
+ if config["ldap_user_tree_dn"]:
+ envconfig["LDAP_USER_TREE_DN"] = config["ldap_user_tree_dn"]
+
+ if config["ldap_user_filter"]:
+ envconfig["LDAP_USER_FILTER"] = config["ldap_user_filter"]
+
+ if config["ldap_user_enabled_attribute"]:
+ envconfig["LDAP_USER_ENABLED_ATTRIBUTE"] = config[
+ "ldap_user_enabled_attribute"
+ ]
+
+ if config["ldap_use_starttls"]:
+ envconfig["LDAP_USE_STARTTLS"] = config["ldap_use_starttls"]
+ envconfig["LDAP_TLS_CACERT_BASE64"] = config["ldap_tls_cacert_base64"]
+ envconfig["LDAP_TLS_REQ_CERT"] = config["ldap_tls_req_cert"]
+
+ return envconfig
+
 def _make_pod_ingress_resources(self):
 site_url = self.model.config["site_url"]
 
diff --git a/installers/charm/lint.sh b/installers/charm/lint.sh
index 1a4fa803..3c42dd1b 100755
--- a/installers/charm/lint.sh
+++ b/installers/charm/lint.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # Copyright 2020 Canonical Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
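Review bot: `LDAP_TLS_CACERT_BASE64` and `LDAP_TLS_REQ_CERT` are only exported inside `if config["ldap_use_starttls"]:`, so an operator who sets `ldap_url` to an `ldaps://` endpoint (if the image honours that scheme) gets neither the CA certificate nor the certificate-checking policy passed to the container and presumably ends up with whatever the image defaults to; forward them whenever they are configured, e.g. `if config["ldap_tls_cacert_base64"]: envconfig["LDAP_TLS_CACERT_BASE64"] = config["ldap_tls_cacert_base64"]` and `envconfig["LDAP_TLS_REQ_CERT"] = config["ldap_tls_req_cert"]` outside the StartTLS branch. `LDAP_BIND_PASSWORD` is written into the pod environment next to the non-sensitive settings, where anyone able to read the pod spec or the container environment can see it; if the pod spec this charm emits supports secret-backed env values the bind password belongs there, and otherwise the exposure deserves a comment at that assignment. The block also mixes `config.get("ldap_enabled")` with `config["..."]` for every other key, all of which config.yaml declares with defaults; one form should be used throughout. `_make_pod_envconfig` begins in the previous hunk.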
@@ -11,8 +12,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#!/bin/bash
+
 set -eux
+
 function lint() {
 cd $1
 tox -e lint
@@ -25,3 +27,6 @@ lint 'nbi-k8s'
 lint 'pol-k8s'
 lint 'ro-k8s'
 lint 'ui-k8s'
+lint 'keystone'
+lint 'ng-ui'
+lint 'pla'
\ No newline at end of file