Initial commit
diff --git a/roles/access-management/tasks/basic.yaml b/roles/access-management/tasks/basic.yaml
new file mode 100644 (file)
index 0000000..5812418
--- /dev/null
@@ -0,0 +1,216 @@
+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensures AM Configuration dir exists
+  file:
+    dest: "{{ am_server_config_dir }}"
+    state: directory
+
+- name: Ensures AM temp dir exists
+  file:
+    dest: "{{ am_server_temp_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+    - am_rc
+
+- name: Ensures AM values dir exists
+  file:
+    dest: "{{ am_server_values_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+
+- name: AM backend log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/am.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Patch log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Create AM Plugin Config
+  template:
+    src: am.plugin.conf.j2
+    dest: "{{ am_plugin_config_path }}"
+    owner: restapi
+    group: restapi
+    mode: 0400
+
+- name: Create AM Backend Config
+  template:
+    src: am.backend.conf.j2
+    dest: "{{ am_backend_config_path }}"
+    owner: access-manager
+    group: access-manager
+    mode: 0400
+
+- name: Ensure project for um_admin exists
+  run_once: true
+  keystone:
+    command: ensure_project
+    project_name: "{{ am_project_name }}"
+    domain_name: "{{ am_project_domain }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+
+- name: Ensure um_admin user
+  run_once: true
+  keystone:
+    command: "ensure_user"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    password: "{{ infrastructure_admin_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: um_admin_uuid
+  until: um_admin_uuid|success
+  retries: 5
+  delay: 10
+
+- name: Ensure UM admin user added to admin role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_admin_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Ensure keystone admin user added to member role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ keystone_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_member_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Set default project for keystone admin user
+  run_once: true
+  command: openstack user set {{ keystone_admin_user_name }} --project {{ am_project_name }} --os-cloud default
+
+- name: Add the security_compliance section to keystone.conf
+  ini_file:
+    path: /etc/keystone/keystone.conf
+    section: security_compliance
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { option: "lockout_failure_attempts", value: "{{ host_os.failed_login_attempts | default(5) }}" }
+    - { option: "lockout_duration", value: "{{ host_os.lockout_time | default(300) }}" }
+    - { option: "change_password_upon_first_use", value: "True" }
+    - { option: "password_expires_days", value: "90" }
+    - { option: "unique_last_password_count", value: "12" }
+    - { option: "minimum_password_age", value: "0" }
+    - { option: "password_regex", value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$" }
+    - { option: "password_regex_description", value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character." }
+
+- name: Restart Keystone WSGI services
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start1
+  until: _start1 | success
+  retries: 5
+  delay: 3
+  with_items:
+    - keystone-wsgi-public
+    - keystone-wsgi-admin
+
+- name: Wait for Keystone WSGI services to restart
+  wait_for:
+    port: "{{ item }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  with_items:
+    - "{{ keystone_service_port }}"
+    - "{{ keystone_admin_port }}"
+  register: _wait_check1
+  until: _wait_check1 | success
+  retries: 5
+
+- name:  Wait for Keystone WSGI services to respond
+  shell: openstack user list --os-cloud default
+  register: result
+  until: result | success
+  delay: 2
+  retries: 5
+
+- name: Create OpenStack client configuration directory
+  file:
+    dest: "{{ openrc_openstack_client_config_dir_dest }}"
+    owner: "{{ openrc_openstack_client_config_dir_owner }}"
+    group: "{{ openrc_openstack_client_config_dir_group }}"
+    state: directory
+
+- name: Change authorization in YARF config
+  lineinfile:
+    path: "/etc/yarf/config.ini"
+    regexp: "auth_method=.*"
+    line: "auth_method=access_management.backend.am_auth.AMAuth"
+
+- name: Restart YARF service
+  service:
+    name: restapi
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start2
+  until: _start2 | success
+  retries: 5
+  delay: 3
+
+- name: Wait for YARF service to restart
+  wait_for:
+    port: "{{ restful_service_port }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  register: _wait_check2
+  until: _wait_check2 | success
+  retries: 5
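Review bot: The four keystone tasks at lines 74–135 pass `login_password` and `password` as module arguments without `no_log: true`, so a final failure (likely here, since each is wrapped in `until`/`retries`) or a `-v` run prints the full `module_args` dict, secrets included, to the console and any logging callback, unless the custom `keystone` module happens to mark those parameters `no_log` in its argument spec; add `no_log: true` to each of them. The `command:` at line 139 interpolates `{{ keystone_admin_user_name }}` and `{{ am_project_name }}` unquoted, so a value containing whitespace or quote characters is split into extra arguments; use `command: openstack user set {{ keystone_admin_user_name | quote }} --project {{ am_project_name | quote }} --os-cloud default`. That task and the `shell: openstack user list` probe at line 185 also report `changed` on every run because neither has `changed_when`; `changed_when: false` on the probe (and `command:` instead of `shell:`, since it uses no shell features) keeps the play idempotent and its output honest. Less critically, the `lineinfile` regexp at line 201 is unanchored, so `regexp: '^auth_method='` would stop it from rewriting an unrelated key whose name merely ends in that text.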