3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
15 - name: Ensures AM Configuration dir exists
17 dest: "{{ am_server_config_dir }}"
20 - name: Ensures AM temp dir exists
22 dest: "{{ am_server_temp_dir }}"
28 - name: Ensures AM values dir exists
30 dest: "{{ am_server_values_dir }}"
35 - name: AM backend log file creation and rights set
37 path: "{{ am_config.Logging.logdir }}/am.log"
43 - name: Patch log file creation and rights set
45 path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
51 - name: Create AM Plugin Config
53 src: am.plugin.conf.j2
54 dest: "{{ am_plugin_config_path }}"
59 - name: Create AM Backend Config
61 src: am.backend.conf.j2
62 dest: "{{ am_backend_config_path }}"
67 - name: Ensure project for um_admin exists
70 command: ensure_project
71 project_name: "{{ am_project_name }}"
72 domain_name: "{{ am_project_domain }}"
73 login_user: "{{ keystone_admin_user_name }}"
74 login_password: "{{ keystone_auth_admin_password }}"
75 login_project_name: "{{ keystone_admin_tenant_name }}"
76 endpoint: "{{ keystone_service_adminurl }}"
77 insecure: "{{ keystone_service_adminuri_insecure }}"
79 - name: Ensure um_admin user
82 command: "ensure_user"
83 endpoint: "{{ keystone_service_adminurl }}"
84 login_user: "{{ keystone_admin_user_name }}"
85 login_password: "{{ keystone_auth_admin_password }}"
86 login_project_name: "{{ keystone_admin_tenant_name }}"
87 user_name: "{{ infrastructure_admin_user_name }}"
88 tenant_name: "{{ am_project_name }}"
89 password: "{{ infrastructure_admin_password }}"
90 insecure: "{{ keystone_service_adminuri_insecure }}"
91 register: um_admin_uuid
92 until: um_admin_uuid|success
96 - name: Ensure UM admin user added to admin role
99 command: "ensure_user_role"
100 endpoint: "{{ keystone_service_adminurl }}"
101 login_user: "{{ keystone_admin_user_name }}"
102 login_password: "{{ keystone_auth_admin_password }}"
103 login_project_name: "{{ keystone_admin_tenant_name }}"
104 user_name: "{{ infrastructure_admin_user_name }}"
105 tenant_name: "{{ am_project_name }}"
106 role_name: "{{ am_admin_role_name }}"
107 insecure: "{{ keystone_service_adminuri_insecure }}"
108 register: add_service
109 until: add_service|success
113 - name: Ensure keystone admin user added to member role
116 command: "ensure_user_role"
117 endpoint: "{{ keystone_service_adminurl }}"
118 login_user: "{{ keystone_admin_user_name }}"
119 login_password: "{{ keystone_auth_admin_password }}"
120 login_project_name: "{{ keystone_admin_tenant_name }}"
121 user_name: "{{ keystone_admin_user_name }}"
122 tenant_name: "{{ am_project_name }}"
123 role_name: "{{ am_member_role_name }}"
124 insecure: "{{ keystone_service_adminuri_insecure }}"
125 register: add_service
126 until: add_service|success
130 - name: Set default project for keystone admin user
132 command: openstack user set {{ keystone_admin_user_name }} --project {{ am_project_name }} --os-cloud default
134 - name: Add the security_compliance section to keystone.conf
136 path: /etc/keystone/keystone.conf
137 section: security_compliance
138 option: "{{ item.option }}"
139 value: "{{ item.value }}"
141 - { option: "lockout_failure_attempts", value: "{{ host_os.failed_login_attempts | default(5) }}" }
142 - { option: "lockout_duration", value: "{{ host_os.lockout_time | default(300) }}" }
143 - { option: "change_password_upon_first_use", value: "True" }
144 - { option: "password_expires_days", value: "90" }
145 - { option: "unique_last_password_count", value: "12" }
146 - { option: "minimum_password_age", value: "0" }
147 - { option: "password_regex", value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$" }
148 - { option: "password_regex_description", value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character." }
150 - name: Restart Keystone WSGI services
155 daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
157 until: _start1 | success
161 - keystone-wsgi-public
162 - keystone-wsgi-admin
164 - name: Wait for Keystone WSGI services to restart
167 host: "{{ extra_hosts_entries.haproxyvip }}"
171 - "{{ keystone_service_port }}"
172 - "{{ keystone_admin_port }}"
173 register: _wait_check1
174 until: _wait_check1 | success
177 - name: Wait for Keystone WSGI services to respond
178 shell: openstack user list --os-cloud default
180 until: result | success
184 - name: Create OpenStack client configuration directory
186 dest: "{{ openrc_openstack_client_config_dir_dest }}"
187 owner: "{{ openrc_openstack_client_config_dir_owner }}"
188 group: "{{ openrc_openstack_client_config_dir_group }}"
191 - name: Change authorization in YARF config
193 path: "/etc/yarf/config.ini"
194 regexp: "auth_method=.*"
195 line: "auth_method=access_management.backend.am_auth.AMAuth"
197 - name: Restart YARF service
202 daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
204 until: _start2 | success
208 - name: Wait for YARF service to restart
210 port: "{{ restful_service_port }}"
211 host: "{{ extra_hosts_entries.haproxyvip }}"
214 register: _wait_check2
215 until: _wait_check2 | success
Code Review / ta / infra-ansible.git / blob