File: disable_admin_token_auth.pp

package info (click to toggle)
puppet-module-keystone 13.1.0-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 1,576 kB
  • sloc: ruby: 10,066; pascal: 916; python: 40; makefile: 17; sh: 15
file content (46 lines) | stat: -rw-r--r-- 1,787 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#
# Class to manage and secure the keystone-paste.ini pipeline configuration.
#
# The keystone module uses the admin_token parameter in keystone.conf to
# bootstrap the basic setup of an admin user, project, and domain. However, the
# admin_token provides an easy vector of attack for production keystone
# installations. Including this class will remove the admin_token_auth
# from the paste pipeline to improve security. After this class is run,
# future puppet runs must have an openrc file with valid keystone v3
# admin credentials in /root/openrc available, or else must be run with
# valid keystone v3 credentials set as environment variables.
#
class keystone::disable_admin_token_auth {

  require ::keystone::roles::admin

  Keystone::Resource::Service_identity<||> -> Class['::keystone::disable_admin_token_auth']

  ini_subsetting { 'public_api/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:public_api',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
    tag        => 'disable-admin-token-auth',
  }
  ini_subsetting { 'admin_api/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:admin_api',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
    tag        => 'disable-admin-token-auth',
  }
  ini_subsetting { 'api_v3/admin_token_auth':
    ensure     => absent,
    path       => '/etc/keystone/keystone-paste.ini',
    section    => 'pipeline:api_v3',
    setting    => 'pipeline',
    subsetting => 'admin_token_auth',
    tag        => 'disable-admin-token-auth',
  }

  Ini_subsetting <| tag == 'disable-admin-token-auth' |>
    ~> Exec<| name == 'restart_keystone' |>
}