X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Faccess-management%2Ftasks%2Fbasic.yaml;fp=roles%2Faccess-management%2Ftasks%2Fbasic.yaml;h=5812418af1c14cf39df2887bbd753d0c6dda0e9c;hb=74a49ba6ef2ea715fa492db0bcd85c30398688e8;hp=0000000000000000000000000000000000000000;hpb=a936af362724cca0c5dc2c424902d398f9833410;p=ta%2Finfra-ansible.git
diff --git a/roles/access-management/tasks/basic.yaml b/roles/access-management/tasks/basic.yaml
new file mode 100644
index 0000000..5812418
--- /dev/null
+++ b/roles/access-management/tasks/basic.yaml
@@ -0,0 +1,216 @@
+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensures AM Configuration dir exists
+  file:
+    dest: "{{ am_server_config_dir }}"
+    state: directory
+
+- name: Ensures AM temp dir exists
+  file:
+    dest: "{{ am_server_temp_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+    - am_rc
+
+- name: Ensures AM values dir exists
+  file:
+    dest: "{{ am_server_values_dir }}"
+    state: directory
+  tags:
+    - am_dbfiller
+
+- name: AM backend log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/am.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Patch log file creation and rights set
+  file:
+    path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
+    owner: access-manager
+    group: access-manager
+    mode: 0600
+    state: touch
+
+- name: Create AM Plugin Config
+  template:
+    src: am.plugin.conf.j2
+    dest: "{{ am_plugin_config_path }}"
+    owner: restapi
+    group: restapi
+    mode: 0400
+
+- name: Create AM Backend Config
+  template:
+    src: am.backend.conf.j2
+    dest: "{{ am_backend_config_path }}"
+    owner: access-manager
+    group: access-manager
+    mode: 0400
+
+- name: Ensure project for um_admin exists
+  run_once: true
+  keystone:
+    command: ensure_project
+    project_name: "{{ am_project_name }}"
+    domain_name: "{{ am_project_domain }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+
+- name: Ensure um_admin user
+  run_once: true
+  keystone:
+    command: "ensure_user"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    password: "{{ infrastructure_admin_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: um_admin_uuid
+  until: um_admin_uuid|success
+  retries: 5
+  delay: 10
+
+- name: Ensure UM admin user added to admin role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ infrastructure_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_admin_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Ensure keystone admin user added to member role
+  run_once: true
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ keystone_admin_user_name }}"
+    tenant_name: "{{ am_project_name }}"
+    role_name: "{{ am_member_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
+
+- name: Set default project for keystone admin user
+  run_once: true
+  command: openstack user set {{ keystone_admin_user_name }} --project {{ am_project_name }} --os-cloud default
+
+- name: Add the security_compliance section to keystone.conf
+  ini_file:
+    path: /etc/keystone/keystone.conf
+    section: security_compliance
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { option: "lockout_failure_attempts", value: "{{ host_os.failed_login_attempts | default(5) }}" }
+    - { option: "lockout_duration", value: "{{ host_os.lockout_time | default(300) }}" }
+    - { option: "change_password_upon_first_use", value: "True" }
+    - { option: "password_expires_days", value: "90" }
+    - { option: "unique_last_password_count", value: "12" }
+    - { option: "minimum_password_age", value: "0" }
+    - { option: "password_regex", value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$" }
+    - { option: "password_regex_description", value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character." }
+
+- name: Restart Keystone WSGI services
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start1
+  until: _start1 | success
+  retries: 5
+  delay: 3
+  with_items:
+    - keystone-wsgi-public
+    - keystone-wsgi-admin
+
+- name: Wait for Keystone WSGI services to restart
+  wait_for:
+    port: "{{ item }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  with_items:
+    - "{{ keystone_service_port }}"
+    - "{{ keystone_admin_port }}"
+  register: _wait_check1
+  until: _wait_check1 | success
+  retries: 5
+
+- name: Wait for Keystone WSGI services to respond
+  shell: openstack user list --os-cloud default
+  register: result
+  until: result | success
+  delay: 2
+  retries: 5
+
+- name: Create OpenStack client configuration directory
+  file:
+    dest: "{{ openrc_openstack_client_config_dir_dest }}"
+    owner: "{{ openrc_openstack_client_config_dir_owner }}"
+    group: "{{ openrc_openstack_client_config_dir_group }}"
+    state: directory
+
+- name: Change authorization in YARF config
+  lineinfile:
+    path: "/etc/yarf/config.ini"
+    regexp: "auth_method=.*"
+    line: "auth_method=access_management.backend.am_auth.AMAuth"
+
+- name: Restart YARF service
+  service:
+    name: restapi
+    enabled: yes
+    state: "restarted"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  register: _start2
+  until: _start2 | success
+  retries: 5
+  delay: 3
+
+- name: Wait for YARF service to restart
+  wait_for:
+    port: "{{ restful_service_port }}"
+    host: "{{ extra_hosts_entries.haproxyvip }}"
+    timeout: 25
+    delay: 10
+  register: _wait_check2
+  until: _wait_check2 | success
+  retries: 5
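Review bot: The four `keystone:` tasks ("Ensure project for um_admin exists", "Ensure um_admin user" and the two role tasks) pass `login_password` — and the user task also `password` — as plain module arguments, and three of them `register` the result, so those secrets can appear in verbose play output, callback logs and the registered variable unless the keystone module itself marks the arguments no_log; add `no_log: true` to each of those tasks. Separately, the YARF `lineinfile` task uses `regexp: "auth_method=.*"`, which is unanchored and would also rewrite a commented-out `#auth_method=` line or any key that merely ends in that text; `regexp: "^auth_method="` pins it to the real key. The unquoted octal modes in the file and template tasks are parsed by a YAML 1.1 loader as integers before Ansible sees them, which is why the Ansible docs recommend the quoted form `mode: "0600"` / `mode: "0400"`.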