Code Review / ta / infra-ansible.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
Initial commit
[ta/infra-ansible.git] / roles / access-management / tasks / basic.yaml
diff --git a/roles/access-management/tasks/basic.yaml b/roles/access-management/tasks/basic.yaml
new file mode 100644 (file)
index 0000000..5812418
--- /dev/null
+++ b/roles/access-management/tasks/basic.yaml
@@ -0,0 +1,216 @@
+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensures AM Configuration dir exists
+  file:
+    dest: "{{ am_server_config_dir }}"
+    state: directory
+
+- name: Ensures AM temp dir exists
+  file:
+    dest: "{{ am_server_temp_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+    - am_rc
+
+- name: Ensures AM values dir exists
+  file:
+    dest: "{{ am_server_values_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+
+- name: AM backend log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/am.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Patch log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Create AM Plugin Config
+  template:
+    src: am.plugin.conf.j2
+    dest: "{{ am_plugin_config_path }}"
+    owner: restapi
+    group: restapi
+    mode: 0400
+
+- name: Create AM Backend Config
+  template:
+    src: am.backend.conf.j2
+    dest: "{{ am_backend_config_path }}"
+    owner: access-manager
+    group: access-manager
+    mode: 0400
+
+- name: Ensure project for um_admin exists
+  run_once: true
+  keystone:
+    command: ensure_project
+    project_name: "{{ am_project_name }}"
+    domain_name: "{{ am_project_domain }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+
+- name: Ensure um_admin user
+  run_once: true
+  keystone:
+    command: "ensure_user"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    password: "{{ infrastructure_admin_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: um_admin_uuid
+  until: um_admin_uuid|success
+  retries: 5
+  delay: 10
+
+- name: Ensure UM admin user added to admin role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_admin_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Ensure keystone admin user added to member role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ keystone_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_member_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Set default project for keystone admin user
+  run_once: true
+  command: openstack user set {{ keystone_admin_user_name }} --project {{ am_project_name }} --os-cloud default
+
+- name: Add the security_compliance section to keystone.conf
+  ini_file:
+    path: /etc/keystone/keystone.conf
+    section: security_compliance
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { option: "lockout_failure_attempts", value: "{{ host_os.failed_login_attempts | default(5) }}" }
+    - { option: "lockout_duration", value: "{{ host_os.lockout_time | default(300) }}" }
+    - { option: "change_password_upon_first_use", value: "True" }
+    - { option: "password_expires_days", value: "90" }
+    - { option: "unique_last_password_count", value: "12" }
+    - { option: "minimum_password_age", value: "0" }
+    - { option: "password_regex", value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$" }
+    - { option: "password_regex_description", value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character." }
+
+- name: Restart Keystone WSGI services
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start1
+  until: _start1 | success
+  retries: 5
+  delay: 3
+  with_items:
+    - keystone-wsgi-public
+    - keystone-wsgi-admin
+
+- name: Wait for Keystone WSGI services to restart
+  wait_for:
+    port: "{{ item }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  with_items:
+    - "{{ keystone_service_port }}"
+    - "{{ keystone_admin_port }}"
+  register: _wait_check1
+  until: _wait_check1 | success
+  retries: 5
+
+- name:  Wait for Keystone WSGI services to respond
+  shell: openstack user list --os-cloud default
+  register: result
+  until: result | success
+  delay: 2
+  retries: 5
+
+- name: Create OpenStack client configuration directory
+  file:
+    dest: "{{ openrc_openstack_client_config_dir_dest }}"
+    owner: "{{ openrc_openstack_client_config_dir_owner }}"
+    group: "{{ openrc_openstack_client_config_dir_group }}"
+    state: directory
+
+- name: Change authorization in YARF config
+  lineinfile:
+    path: "/etc/yarf/config.ini"
+    regexp: "auth_method=.*"
+    line: "auth_method=access_management.backend.am_auth.AMAuth"
+
+- name: Restart YARF service
+  service:
+    name: restapi
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start2
+  until: _start2 | success
+  retries: 5
+  delay: 3
+
+- name: Wait for YARF service to restart
+  wait_for:
+    port: "{{ restful_service_port }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  register: _wait_check2
+  until: _wait_check2 | success
+  retries: 5
This repository contains all the generic deployment playbooks, which configure services running directly on the host. Includes playbooks for disk partitioning, Ceph configuration, hardening, security, SSH, operating system level user management etc.