+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensures AM Configuration dir exists
+ file:
+ dest: "{{ am_server_config_dir }}"
+ state: directory
+
+- name: Ensures AM temp dir exists
+ file:
+ dest: "{{ am_server_temp_dir }}"
+ state: directory
+ tags:
+ - am_dbfiller
+ - am_rc
+
+- name: Ensures AM values dir exists
+ file:
+ dest: "{{ am_server_values_dir }}"
+ state: directory
+ tags:
+ - am_dbfiller
+
+- name: AM backend log file creation and rights set
+ file:
+ path: "{{ am_config.Logging.logdir }}/am.log"
+ owner: access-manager
+ group: access-manager
+ mode: 0600
+ state: touch
+
+- name: Patch log file creation and rights set
+ file:
+ path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
+ owner: access-manager
+ group: access-manager
+ mode: 0600
+ state: touch
+
+- name: Create AM Plugin Config
+ template:
+ src: am.plugin.conf.j2
+ dest: "{{ am_plugin_config_path }}"
+ owner: restapi
+ group: restapi
+ mode: 0400
+
+- name: Create AM Backend Config
+ template:
+ src: am.backend.conf.j2
+ dest: "{{ am_backend_config_path }}"
+ owner: access-manager
+ group: access-manager
+ mode: 0400
+
+- name: Ensure project for um_admin exists
+ run_once: true
+ keystone:
+ command: ensure_project
+ project_name: "{{ am_project_name }}"
+ domain_name: "{{ am_project_domain }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+
+- name: Ensure um_admin user
+ run_once: true
+ keystone:
+ command: "ensure_user"
+ endpoint: "{{ keystone_service_adminurl }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ user_name: "{{ infrastructure_admin_user_name }}"
+ tenant_name: "{{ am_project_name }}"
+ password: "{{ infrastructure_admin_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ register: um_admin_uuid
+ until: um_admin_uuid|success
+ retries: 5
+ delay: 10
+
+- name: Ensure UM admin user added to admin role
+ run_once: true
+ keystone:
+ command: "ensure_user_role"
+ endpoint: "{{ keystone_service_adminurl }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ user_name: "{{ infrastructure_admin_user_name }}"
+ tenant_name: "{{ am_project_name }}"
+ role_name: "{{ am_admin_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ register: add_service
+ until: add_service|success
+ retries: 5
+ delay: 10
+
+- name: Ensure keystone admin user added to member role
+ run_once: true
+ keystone:
+ command: "ensure_user_role"
+ endpoint: "{{ keystone_service_adminurl }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ user_name: "{{ keystone_admin_user_name }}"
+ tenant_name: "{{ am_project_name }}"
+ role_name: "{{ am_member_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ register: add_service
+ until: add_service|success
+ retries: 5
+ delay: 10
+
+- name: Set default project for keystone admin user
+ run_once: true
+ command: openstack user set {{ keystone_admin_user_name }} --project {{ am_project_name }} --os-cloud default
+
+- name: Add the security_compliance section to keystone.conf
+ ini_file:
+ path: /etc/keystone/keystone.conf
+ section: security_compliance
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { option: "lockout_failure_attempts", value: "{{ host_os.failed_login_attempts | default(5) }}" }
+ - { option: "lockout_duration", value: "{{ host_os.lockout_time | default(300) }}" }
+ - { option: "change_password_upon_first_use", value: "True" }
+ - { option: "password_expires_days", value: "90" }
+ - { option: "unique_last_password_count", value: "12" }
+ - { option: "minimum_password_age", value: "0" }
+ - { option: "password_regex", value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$" }
+ - { option: "password_regex_description", value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character." }
+
+- name: Restart Keystone WSGI services
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: "restarted"
+ daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+ register: _start1
+ until: _start1 | success
+ retries: 5
+ delay: 3
+ with_items:
+ - keystone-wsgi-public
+ - keystone-wsgi-admin
+
+- name: Wait for Keystone WSGI services to restart
+ wait_for:
+ port: "{{ item }}"
+ host: "{{ extra_hosts_entries.haproxyvip }}"
+ timeout: 25
+ delay: 10
+ with_items:
+ - "{{ keystone_service_port }}"
+ - "{{ keystone_admin_port }}"
+ register: _wait_check1
+ until: _wait_check1 | success
+ retries: 5
+
+- name: Wait for Keystone WSGI services to respond
+ shell: openstack user list --os-cloud default
+ register: result
+ until: result | success
+ delay: 2
+ retries: 5
+
+- name: Create OpenStack client configuration directory
+ file:
+ dest: "{{ openrc_openstack_client_config_dir_dest }}"
+ owner: "{{ openrc_openstack_client_config_dir_owner }}"
+ group: "{{ openrc_openstack_client_config_dir_group }}"
+ state: directory
+
+- name: Change authorization in YARF config
+ lineinfile:
+ path: "/etc/yarf/config.ini"
+ regexp: "auth_method=.*"
+ line: "auth_method=access_management.backend.am_auth.AMAuth"
+
+- name: Restart YARF service
+ service:
+ name: restapi
+ enabled: yes
+ state: "restarted"
+ daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+ register: _start2
+ until: _start2 | success
+ retries: 5
+ delay: 3
+
+- name: Wait for YARF service to restart
+ wait_for:
+ port: "{{ restful_service_port }}"
+ host: "{{ extra_hosts_entries.haproxyvip }}"
+ timeout: 25
+ delay: 10
+ register: _wait_check2
+ until: _wait_check2 | success
+ retries: 5