File: /home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/vars/main.yml
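---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Role-internal variables for os_keystone. Names starting with "_" are
# derived values and are not meant to be overridden by users.

keystone_core_files: []

# Subset of keystone_services that this host should run under uWSGI:
# entries whose 'group' contains this host, whose optional 'condition'
# is truthy (or absent), and whose 'wsgi_app' is truthy. Each selected
# entry is augmented in place with the venv, uid/gid and process/thread
# settings the uWSGI templates read. Block tags stay at column 0 so no
# stray indentation leaks into the rendered value.
uwsgi_keystone_services: |-
  {% set services = {} %}
  {% for key, value in keystone_services.items() %}
  {%   if (value['group'] in group_names) and
          (('condition' not in value) or ('condition' in value and value['condition'])) and
          ('wsgi_app' in value and value['wsgi_app']) %}
  {%     set _ = value.update(
           {
             'wsgi_venv': (keystone_install_method == 'source') | ternary(keystone_bin | dirname, None),
             'uwsgi_uid': keystone_system_user_name,
             'uwsgi_guid': keystone_system_group_name,
             'uwsgi_processes': keystone_wsgi_processes,
             'uwsgi_threads': keystone_wsgi_threads,
           }
         ) %}
  {%     set _ = services.update({key: value}) %}
  {%   endif %}
  {% endfor %}
  {{ services }}

# True on exactly one host per play: the first member of the
# keystone-wsgi-public group that is also part of the current play batch
# (ansible_play_hosts). Used to serialise one-shot work such as DB
# migrations. The group-membership test comes first so the [0] index is
# never evaluated on hosts outside the group.
_keystone_is_first_play_host: >-
  {{
    (keystone_services['keystone-wsgi-public']['group'] in group_names and
      inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | select('in', ansible_play_hosts)) | list)[0]) | bool
  }}

# Mirror of _keystone_is_first_play_host for the last host in the batch.
_keystone_is_last_play_host: >-
  {{
    (keystone_services['keystone-wsgi-public']['group'] in group_names and
      inventory_hostname == ((groups[keystone_services['keystone-wsgi-public']['group']] | select('in', ansible_play_hosts)) | list)[-1]) | bool
  }}

# The RPC vhost may be given either as a plain string or as a list of
# {name, state} mappings; in the list form the first entry whose state is
# 'present' is used. A list with no 'present' entry makes `first` fail at
# template time rather than silently picking a vhost.
_keystone_oslomsg_rpc_vhost_conf: >-
  {{
    (keystone_oslomsg_rpc_vhost is string) | ternary(
      keystone_oslomsg_rpc_vhost,
      keystone_oslomsg_rpc_vhost | selectattr('state', 'eq', 'present') | map(attribute='name') | first)
  }}

# Same string-or-list handling for the notifications vhost.
_keystone_oslomsg_notify_vhost_conf: >-
  {{
    (keystone_oslomsg_notify_vhost is string) | ternary(
      keystone_oslomsg_notify_vhost,
      keystone_oslomsg_notify_vhost | selectattr('state', 'eq', 'present') | map(attribute='name') | first)
  }}

# Maps each oslo.cache "extra" (the key) to the backend driver names it
# provides, so the right pip extra can be selected from
# keystone_cache_backend.
_keystone_cache_backend_map:
  dogpile:
    - oslo_cache.memcache_pool
    - dogpile.cache.pymemcache
    - dogpile.cache.memcached
    - dogpile.cache.bmemcached
  mongo:
    - oslo_cache.mongo
  etcd3gw:
    - oslo_cache.etcd3gw

# pip requirement for the cache backend in use, e.g. "oslo.cache[dogpile]".
# Falls back to the dogpile extra when keystone_cache_backend is not
# listed in _keystone_cache_backend_map.
_keystone_cache_backend_package: |-
  {% set oslo = namespace(backend='dogpile') %}
  {% for key, value in _keystone_cache_backend_map.items() %}
  {% if keystone_cache_backend in value %}
  {% set oslo.backend = key %}
  {%- endif %}
  {%- endfor %}
  oslo.cache[{{ oslo.backend }}]

# Service-provider (federation) mode selection. Shibboleth is the default
# whenever keystone_sp is set and apache_mod is not 'mod_auth_openidc'.
keystone_sp_apache_mod_shib: >-
  {{
    (
      keystone_sp != {} and
      (keystone_sp.apache_mod is undefined or
        (
          keystone_sp.apache_mod is defined and
          keystone_sp.apache_mod != 'mod_auth_openidc'))
    )
  }}

# True only when keystone_sp explicitly selects mod_auth_openidc.
keystone_sp_apache_mod_auth_openidc: >-
  {{
    (keystone_sp != {} and
      keystone_sp.apache_mod is defined and
      keystone_sp.apache_mod == 'mod_auth_openidc')
  }}

# TLS material for the httpd vhost. When the deployer supplies both a
# certificate and a key they are used verbatim (plus an optional CA
# bundle); otherwise only a SAN list is emitted, for the certificate the
# role generates itself from keystone_pki_san. A cert without a key (or
# vice versa) is ignored rather than half-applied.
_keystone_httpd_vhost_ssl: |-
  {% set ssl_options = {} %}
  {% if (keystone_user_ssl_cert is defined and keystone_user_ssl_cert) and (keystone_user_ssl_key is defined and keystone_user_ssl_key) %}
  {% set _ = ssl_options.update({'cert': keystone_user_ssl_cert, 'key': keystone_user_ssl_key}) %}
  {% if keystone_user_ssl_ca_cert is defined and keystone_user_ssl_ca_cert %}
  {% set _ = ssl_options.update({'ca': keystone_user_ssl_ca_cert}) %}
  {% endif %}
  {% else %}
  {% set _ = ssl_options.update({'san': keystone_pki_san}) %}
  {% endif %}
  {{ ssl_options }}

# httpd directives applied to every keystone vhost.
_keystone_httpd_base_options:
  - Options +FollowSymLinks

# Vhost-level directives for the Shibboleth SP. The ProxyPass exclusion
# keeps /Shibboleth.sso (metadata, assertion consumer, session handler)
# served by mod_shib instead of being forwarded to the keystone WSGI
# backend. The LocationMatch requires a valid Shibboleth session on the
# per-IdP SAML2 auth endpoint for any identity-provider id; the assertion
# is not exported into the request environment here (only on the websso
# location below).
_keystone_httpd_shib_options:
  - "ShibURLScheme {{ keystone_service_publicuri_proto }}"
  - "ProxyPass /Shibboleth.sso !"
  - "<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>"
  - " ShibRequestSetting requireSession 1"
  - " AuthType shibboleth"
  - " ShibExportAssertion Off"
  - " Require valid-user"
  - "</LocationMatch>"

# Vhost-level directives for mod_auth_openidc, taken from the first entry
# of keystone_sp.trusted_idp_list. Only a single trusted IdP is supported
# by this layout.
# NOTE(review): oidc_client_secret and oidc_crypto_passphrase are written
# verbatim into the rendered httpd configuration. The task that renders
# it lives outside this file; confirm it runs with no_log and writes the
# vhost file with a restrictive mode, and keep these values in an
# encrypted vars source rather than plain group_vars.
_keystone_httpd_openidc_base_options:
  - "OIDCClaimPrefix \"{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}\""
  - "OIDCResponseType \"{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}\""
  - "OIDCScope \"{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}\""
  - "OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}"
  - "OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}"
  - "OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}"
  - "OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}"
  - "OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}"

# Full mod_auth_openidc directive list: the base options above plus every
# optional setting the deployer defined on the first trusted IdP. The
# OIDCXForwardedHeaders directive is only emitted when the detected module
# version supports it (the _gte_2_4_11 fact is set elsewhere in the role).
# When keystone_cache_servers is non-empty the module's session/state
# cache is moved to memcache so it is shared across keystone hosts.
_keystone_httpd_openidc_options: |-
  {% set openidc_options = _keystone_httpd_openidc_base_options %}
  {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 %}
  {% set _ = openidc_options.append('OIDCXForwardedHeaders ' ~ keystone_secure_proxy_ssl_header) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined %}
  {% set _ = openidc_options.append('OIDCOAuthVerifyJwksUri ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined %}
  {% set _ = openidc_options.append('OIDCOutgoingProxy ' ~ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined %}
  {% set _ = openidc_options.append('OIDCOAuthIntrospectionEndpoint ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined %}
  {% set _ = openidc_options.append('OIDCOAuthClientID ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined %}
  {% set _ = openidc_options.append('OIDCOAuthClientSecret ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined %}
  {% set _ = openidc_options.append('OIDCPKCEMethod ' ~ keystone_sp.trusted_idp_list.0.oidc_pkce_method) %}
  {% endif %}
  {% if keystone_cache_servers | length > 0 -%}
  {% set _ = openidc_options.append('OIDCCacheType memcache') %}
  {% set _ = openidc_options.append('OIDCMemCacheServers "' ~ keystone_cache_servers | join(' ') ~ '"') %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined %}
  {% set _ = openidc_options.append('OIDCAuthRequestParams ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_request_params) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}
  {% set _ = openidc_options.append('OIDCStateMaxNumberOfCookies ' ~ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined %}
  {% set _ = openidc_options.append('OIDCDefaultURL ' ~ keystone_sp.trusted_idp_list.0.oidc_default_url) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined %}
  {% set _ = openidc_options.append('OIDCClaimDelimiter ' ~ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter) %}
  {% endif %}
  {{ openidc_options }}

# Directives shared by the browser-facing (websso) OIDC locations.
_keystone_httpd_openidc_location_options:
  - Require valid-user
  - AuthType openid-connect

# <Location> blocks that must be authenticated by mod_auth_openidc before
# the request reaches keystone. The redirect URI and both websso paths use
# the plain "openid-connect" session auth type. The API auth endpoint uses
# "auth-openidc" instead, which (presumably deliberately) lets the module
# also accept an OAuth 2.0 bearer token on that path, matching the
# oidc_oauth_* options above; confirm before normalising it to the shared
# option list.
_keystone_httpd_openidc_locations:
  - path: "{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}"
    options: "{{ _keystone_httpd_openidc_location_options }}"
  - path: "/v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth"
    options:
      - Require valid-user
      - AuthType auth-openidc
  - path: /v3/auth/OS-FEDERATION/websso/openid
    options: "{{ _keystone_httpd_openidc_location_options }}"
  - path: /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso
    options: "{{ _keystone_httpd_openidc_location_options }}"

# <Location> blocks for the Shibboleth SP.
# /Shibboleth.sso must match the ProxyPass exclusion in
# _keystone_httpd_shib_options exactly: the handler location previously
# read "/CShibboleth.sso", so the SetHandler was bound to a path nobody
# requests and the real handler endpoint fell through to the WSGI proxy.
# The websso location likewise carried a stray trailing backslash, which
# Apache would have treated as part of the path, leaving the real
# /v3/auth/OS-FEDERATION/websso/saml2 endpoint without the
# "Require valid-user" protection.
_keystone_httpd_shib_locations:
  - path: /Shibboleth.sso
    options:
      - SetHandler shib
  - path: /v3/auth/OS-FEDERATION/websso/saml2
    options:
      - AuthType shibboleth
      - ShibRequestSetting requireSession 1
      - ShibRequestSetting exportAssertion 1
      - ShibRequireSession On
      - ShibExportAssertion On
      - Require valid-user

# <Directory> block for the SP CGI area.
# NOTE(review): "Indexes" enables directory listings, "AllowOverride All"
# lets any .htaccess dropped into this directory change httpd behaviour,
# and "Order"/"allow from" are Apache 2.2-style directives that need
# mod_access_compat on 2.4. None of this is required for the federation
# endpoints defined above; tighten to "Options FollowSymLinks",
# "AllowOverride None" and "Require all granted" once it is confirmed that
# nothing in the SP setup relies on the current settings.
_keystone_httpd_sp_directories:
  - path: /var/www/cgi-bin/keystone
    options:
      - Options Indexes FollowSymLinks MultiViews
      - AllowOverride All
      - Order allow,deny
      - allow from all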