Puppet Class: keystone::federation::openidc
- Defined in:
- manifests/federation/openidc.pp
Overview
Class: keystone::federation::openidc
Parameters
- keystone_url: (Required) URL to the keystone endpoint. String value.
- methods: (Required) A list of methods used for authentication, either comma-separated or as an array (string or array value). The allowed values are: 'external', 'password', 'token', 'oauth1', 'saml2', and 'openid'. Note: the 'external' value must not be included, since it interferes with 'openid'; the class fails if it is present, and it also fails if 'openid' is absent.
- idp_name: (Required) The name associated with the IdP in Keystone. String value.
- openidc_provider_metadata_url: (Required) The URL that points to your OpenID Connect provider metadata. String value.
- openidc_client_id: (Required) The client ID to use when handshaking with your OpenID Connect provider. String value.
- openidc_client_secret: (Required) The client secret to use when handshaking with your OpenID Connect provider. String value.
- openidc_crypto_passphrase: (Optional) Secret passphrase used to encrypt data for the OpenID Connect handshake. String value. Defaults to 'openstack'.
- openidc_response_type: (Optional) Response type expected from the OpenID Connect provider. String value. Defaults to 'id_token'.
- openidc_response_mode: (Optional) mod_auth_openidc response mode. Can be any response mode supported by mod_auth_openidc (fragment, query, form_post). Defaults to undef.
- openidc_cache_type: (Optional) mod_auth_openidc cache type. Can be any cache type supported by mod_auth_openidc (shm, file, memcache, redis). Defaults to undef.
- openidc_cache_shm_max: (Optional) The maximum number of name/value pair entries that can be cached when using the 'shm' cache type. Defaults to undef.
- openidc_cache_shm_entry_size: (Optional) The maximum size for a single shm cache entry in bytes, with a minimum of 8464 bytes. Defaults to undef.
- openidc_cache_dir: (Optional) Directory that holds cache files; must be writable by the Apache process/user. Defaults to undef.
- openidc_cache_clean_interval: (Optional) Cache file clean interval in seconds (only triggered on writes). Defaults to undef.
- openidc_claim_delimiter: (Optional) The delimiter to use when setting multi-valued claims. Defaults to undef.
- openidc_enable_oauth: (Optional) Set to true to enable OAuth support. Defaults to false.
- openidc_introspection_endpoint: (Required if OAuth is enabled and configured for introspection) OAuth introspection endpoint URL. Defaults to undef.
- openidc_verify_jwks_uri: (Required if OAuth is enabled and configured for JWKS-based validation) The JWKS URL on which the Identity Provider publishes the keys used to sign its JWT access tokens. Defaults to undef.
- openidc_verify_method: (Optional) The method used to verify OAuth tokens. Must be one of 'introspection' or 'jwks'. Defaults to 'introspection'.
- openidc_pass_userinfo_as: (Optional) Defines the way(s) in which the claims resolved from the userinfo endpoint are passed to the application, according to OIDCPassUserInfoAs. Must be one of 'claims', 'json' or 'jwt'. Defaults to undef.
- openidc_pass_claim_as: (Optional) Defines the way in which the claims and tokens are passed to the application environment, according to OIDCPassClaimsAs: 'none' (no claims/tokens are passed), 'environment' (claims/tokens are passed as environment variables), 'headers' (claims/tokens are passed in headers, also useful in reverse proxy scenarios), or 'both' (claims/tokens are passed as both headers and environment variables; the mod_auth_openidc default). Defaults to undef.
- memcached_servers: (Optional) A list of memcache servers. Defaults to undef.
- redis_server: (Optional) Specifies the Redis server used for caching as <hostname>. Defaults to undef.
- redis_password: (Optional) Password to be used if the Redis server requires authentication. When not specified, no authentication is performed. Defaults to undef.
- remote_id_attribute: (Optional) Value used to obtain the entity ID of the Identity Provider from the environment. Defaults to undef.
- template_order: (Optional) This number indicates the order of the concat::fragment that applies the OpenID Connect (mod_auth_openidc) configuration to the Keystone VirtualHost. The value should be greater than 330 and less than 999, according to github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/vhost.pp: the value 330 corresponds to the order of the concat::fragments "$name-filters" and "$name-limits", and the value 999 corresponds to the order of the concat::fragment "$name-file_footer". Defaults to 331.
- package_ensure: (Optional) Desired ensure state of packages. Accepts latest or specific versions. Defaults to present.
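The following manifest is an added example of declaring this class; it is not code from the puppet-keystone module or its documentation. It shows an OAuth-enabled deployment that validates access tokens locally against the IdP's JWKS, with the secrets pulled from Hiera instead of being written into the manifest, and the default 'openstack' crypto passphrase overridden. The hostnames, client ID, Hiera keys, memcached addresses and the profile class name are all constructed placeholders; 'HTTP_OIDC_ISS' is the remote_id_attribute value the Keystone federation documentation uses for OpenID Connect.

```puppet
# Added example, not part of the puppet-keystone module. All names and
# addresses below are constructed placeholders.
class profile::keystone_openidc {

  # Secrets are looked up from Hiera (e.g. an eyaml-backed hierarchy) so they
  # never appear in the manifest; both keys are assumptions for this example.
  $client_secret     = lookup('profile::keystone_openidc::client_secret')
  $crypto_passphrase = lookup('profile::keystone_openidc::crypto_passphrase')

  class { 'keystone::federation::openidc':
    keystone_url                  => 'https://keystone.example.test:5000',
    # 'external' is deliberately absent and 'openid' present: the class
    # fails at catalog compile time otherwise.
    methods                       => ['password', 'token', 'openid'],
    idp_name                      => 'myidp',
    openidc_provider_metadata_url => 'https://idp.example.test/.well-known/openid-configuration',
    openidc_client_id             => 'keystone',
    openidc_client_secret         => $client_secret,
    # Override the shared default of 'openstack' with a site-specific secret.
    openidc_crypto_passphrase     => $crypto_passphrase,
    openidc_response_type         => 'id_token',
    openidc_response_mode         => 'form_post',
    # Shared cache so every Apache worker sees the same session state.
    openidc_cache_type            => 'memcache',
    memcached_servers             => ['10.0.0.11:11211', '10.0.0.12:11211'],
    # OAuth bearer tokens are verified offline with the IdP's published keys;
    # with openidc_verify_method => 'jwks' the class requires the JWKS URI.
    openidc_enable_oauth          => true,
    openidc_verify_method         => 'jwks',
    openidc_verify_jwks_uri       => 'https://idp.example.test/keys',
    # Pass claims only as environment variables, not as request headers.
    openidc_pass_claim_as         => 'environment',
    remote_id_attribute           => 'HTTP_OIDC_ISS',
    # Must stay within (330, 999) so the fragment lands inside the vhost.
    template_order                => 331,
  }
}
```

Switching openidc_verify_method to 'introspection' would instead require openidc_introspection_endpoint; leaving either value unset while openidc_enable_oauth is true makes the class fail during compilation, so the misconfiguration surfaces before Apache is reconfigured.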
# File 'manifests/federation/openidc.pp', line 136
class keystone::federation::openidc (
  $keystone_url,
  $methods,
  $idp_name,
  $openidc_provider_metadata_url,
  $openidc_client_id,
  $openidc_client_secret,
  $openidc_crypto_passphrase      = 'openstack',
  $openidc_response_type          = 'id_token',
  $openidc_response_mode          = undef,
  $openidc_cache_type             = undef,
  $openidc_cache_shm_max          = undef,
  $openidc_cache_shm_entry_size   = undef,
  $openidc_cache_dir              = undef,
  $openidc_cache_clean_interval   = undef,
  $openidc_claim_delimiter        = undef,
  $openidc_enable_oauth           = false,
  $openidc_introspection_endpoint = undef,
  $openidc_verify_jwks_uri        = undef,
  $openidc_verify_method          = 'introspection',
  $openidc_pass_userinfo_as       = undef,
  $openidc_pass_claim_as          = undef,
  $memcached_servers              = undef,
  $redis_server                   = undef,
  $redis_password                 = undef,
  $remote_id_attribute            = undef,
  $template_order                 = 331,
  $package_ensure                 = present,
) {

  include apache
  include apache::mod::authn_core
  include apache::mod::authz_user
  include keystone::deps
  include keystone::params

  # Only the two token verification modes supported by the template are allowed.
  if !($openidc_verify_method in ['introspection', 'jwks']) {
    fail('Unsupported token verification method. Must be one of "introspection" or "jwks"')
  }

  # Each verification mode needs its own endpoint once OAuth support is enabled.
  if ($openidc_verify_method == 'introspection') {
    if $openidc_enable_oauth and !$openidc_introspection_endpoint {
      fail('You must set openidc_introspection_endpoint when enabling oauth support and introspection.')
    }
  } elsif ($openidc_verify_method == 'jwks') {
    if $openidc_enable_oauth and !$openidc_verify_jwks_uri {
      fail('You must set openidc_verify_jwks_uri when enabling oauth support and local signature verification using a JWKS URL')
    }
  }

  if $openidc_pass_userinfo_as != undef {
    if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
      fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
    }
  }

  if $openidc_pass_claim_as != undef {
    if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
      fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
    }
  }

  # mod_auth_openidc expects a space-separated server list.
  if $memcached_servers != undef {
    $memcached_servers_real = join(any2array($memcached_servers), ' ')
  } else {
    $memcached_servers_real = undef
  }

  # Note: if puppet-apache modifies these values, this needs to be updated
  if $template_order <= 330 or $template_order >= 999 {
    fail('The template order should be greater than 330 and less than 999.')
  }

  if ('external' in $methods) {
    fail('The external method should be dropped to avoid any interference with openid.')
  }

  if !('openid' in $methods) {
    fail('Methods should contain openid as one of the auth methods.')
  }

  keystone_config {
    'auth/methods': value  => join(any2array($methods), ',');
    'auth/openid':  ensure => absent;
  }

  if $remote_id_attribute {
    keystone_config {
      'openid/remote_id_attribute': value => $remote_id_attribute;
    }
  }

  ensure_packages([$::keystone::params::openidc_package_name], {
    ensure => $package_ensure,
    tag    => 'keystone-support-package',
  })

  # Render the mod_auth_openidc directives into the Keystone vhost.
  concat::fragment { 'configure_openidc_keystone':
    target  => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
    content => template('keystone/openidc.conf.erb'),
    order   => $template_order,
  }

  # The rendered vhost carries the client secret and passphrase, so keep it out of agent diffs.
  Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
    show_diff => false,
  }
}