rimosso library/roles/ghn-gcore/gcore-authorization/ che è un duplicato di un ruolo già esistente
parent
550254e96a
commit
0e9ff4633b
@ -1,32 +0,0 @@
---
#authorization_service_install: False
#authorization_service_upgrade: False
authorization_service_name: authorization-service
#authorization_service_file: '{{ authorization_service_name }}-2.0.0-20160927.120833-1.war'
#authorization_service_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/gcube-snapshots/org/gcube/common/authorization-service/2.0.0-SNAPSHOT/{{ authorization_service_file }}'
#
#authorization_version: "2.0.1-4.2.0-134808"
authorization_service_version: "2.0.1-4.2.0-134808"
repo: "gcube-staging"
authorization_service_file: '{{ authorization_service_name }}-{{ authorization_service_version }}.war'
authorization_service_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/{{ repo }}/org/gcube/common/authorization-service/{{ authorization_service_version }}/{{ authorization_service_file }}'
authorization_service_persistence_dest: WEB-INF/classes/META-INF/persistence.xml
authorization_service_config_dest: WEB-INF/AuthorizationConfiguration.xml
#auth_user: '{{ d4science_user }}'
tomcat_user: "tomcat"
tomcat_document_root: "/usr/share/tomcat/"
authorization_service_loglevel: INFO
authorization_service_root_loglevel: WARN
#authorization_service_http_port: 8080
authorization_service_http_port: 80
authorized_ips:
# - 127.0.0.1
- 0.0.0.0
auth_postgresql_host: "localhost"
psql_db_name: "gcoreauthz"
psql_db_user: "gcoreauthz"
authorization_db_pwd: "gcore-authz"
postgres_port: "5431"
pgpool_port: "5432"
@ -1,4 +0,0 @@
dependencies:
- role: tomcat
- role: postgresql
- role: pgpool
@ -1,75 +0,0 @@
---
- block:
- name: Ensure that postgres is running
service: name=postgresql state=started
- name: Create postgres database {{ psql_db_name }} and user {{ psql_db_user }}
shell: sudo -u postgres createdb {{ psql_db_name }} && sudo -u postgres createuser -s {{ psql_db_user }}
ignore_errors: True
- name: Set password for user {{ psql_db_user }} and grant all privileges on database {{ psql_db_name }}
shell: sudo -u postgres psql -c "ALTER USER {{ psql_db_user }} WITH PASSWORD '{{ authorization_db_pwd }}';" && sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE {{ psql_db_name }} TO {{ psql_db_user }}";
ignore_errors: True
- name: Change postgres authentication method to password for localhost
lineinfile: dest=/var/lib/pgsql/data/pg_hba.conf state=present regexp='^host all all 127.0.0.1/32' line='host all all 127.0.0.1/32 password'
- name: Change postgres authentication method to password for localhost ipv6
lineinfile: dest=/var/lib/pgsql/data/pg_hba.conf state=present regexp='^host all all ::1/128' line='host all all ::1/128 password'
- name: Change postgres port to {{ postgres_port }}
lineinfile: dest="/usr/lib/systemd/system/postgresql.service" state=present regexp='^Environment=PGPORT=' line='Environment=PGPORT={{ postgres_port }}'
- name: Change pgpool port to {{ pgpool_port }}
lineinfile: dest="/etc/pgpool-II/pgpool.conf" state=present regexp='^port =' line='port = {{ pgpool_port }}'
- name: Tell pgpool to connect to postgreqsl on port {{ postgres_port }}
lineinfile: dest="/etc/pgpool-II/pgpool.conf" state=present regexp='^backend_port0 =' line='backend_port0 = {{ postgres_port }}'
- name: Tell pgpool to enable ssl
lineinfile: dest="/etc/pgpool-II/pgpool.conf" state=present regexp='^ssl = on' line='ssl = on'
- name: Running semanage to enable postgres to bind port {{ postgres_port }}
seport: ports={{ postgres_port }} proto=tcp setype=postgresql_port_t state=present reload=yes
- name: Running setsebool to allow tcp connections to the db
seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
# - name: restart postgres
# service: name=postgresql state=restarted
#### on CentOS 7 we need to tell systemd to reload the service file since we made changes there
- name: restart postgresql
systemd: name=postgresql state=restarted enabled=yes daemon_reload=yes
- name: restart pgpool
service: name=pgpool state=restarted
- name: Stop tomcat when upgrading
service: name=tomcat state=stopped
- name: Create the authorization service webapp directory
file: dest={{ tomcat_document_root }}/webapps/authorization-service state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
- name: Get and unpack the authorization war file
unarchive: copy=no src={{ authorization_service_url }} dest={{ tomcat_document_root }}/webapps/authorization-service owner={{ tomcat_user }} group={{ tomcat_user }}
args:
creates: '{{ tomcat_document_root }}/webapps/authorization-service/WEB-INF/AuthorizationConfiguration.xml'
- name: Install the authorization service AuthorizationConfiguration.xml template
template: src=AuthorizationConfiguration.xml.j2 dest={{ tomcat_document_root }}/webapps/authorization-service/{{ authorization_service_config_dest }} mode=0440 owner={{ tomcat_user }} group={{ tomcat_user }}
- name: Install the authorization service persistence.xml template
template: src=persistence.xml.j2 dest={{ tomcat_document_root }}/webapps/authorization-service/{{ authorization_service_persistence_dest }} mode=0440 owner={{ tomcat_user }} group={{ tomcat_user }}
- name: Install the logback configuration
template: src=logback.xml.j2 dest={{ tomcat_document_root }}/lib/logback.xml mode=0644 owner={{ tomcat_user }} group={{ tomcat_user }}
# - name: restore ownership
# file: dest={{ tomcat_document_root }} owner=root group=tomcat recurse=yes
- name: Start tomcat
service: name=tomcat state=started
become: true
become_user: root
@ -1,24 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Configuration>
<Rule path="/token/user" requiresToken="false">
{% for ip in authorized_ips %}
<Entity type="IP" value="{{ ip }}" />
{% endfor %}
</Rule>
<Rule path="/apikey" requiresToken="true" acceptedTokenTypes="USER"/>
<Rule path="/policyManager" requiresToken="true">
{% for ip in authorized_ips %}
<Entity type="IP" value="{{ ip }}" />
{% endfor %}
</Rule>
<Rule path="/token/external" requiresToken="true" acceptedTokenTypes="USER" />
<Rule path="/token/node" requiresToken="false" />
<Rule path="/token/service" requiresToken="true" acceptedTokenTypes="CONTAINER"/>
<Rule path="/token/resolve" requiresToken="false">
{% for ip in authorized_ips %}
<Entity type="IP" value="{{ ip }}" />
{% endfor %}
</Rule>
</Configuration>
@ -1,24 +0,0 @@
<configuration>
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${catalina.base}/logs/ghn.log</file>
<append>true</append>
<encoder>
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{0}: %msg%n
</pattern>
</encoder>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${catalina.base}/logs/ghn.%d{yyyy-MM-dd}.log</fileNamePattern>
<maxHistory>30</maxHistory>
</rollingPolicy>
</appender>
<logger name="org.gcube" level="{{ authorization_service_loglevel }}" />
<logger name="org.gcube.common.authorizationservice" level="{{ authorization_service_loglevel }}" />
<logger name="org.gcube.common" level="{{ authorization_service_loglevel }}" />
<root level="{{ authorization_service_root_loglevel }}">
<appender-ref ref="FILE" />
</root>
</configuration>
@ -1,33 +0,0 @@
<persistence xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd"
version="2.0" xmlns="http://java.sun.com/xml/ns/persistence">
<!-- change here if you want name of unit different -->
<persistence-unit name="authorization" transaction-type="RESOURCE_LOCAL">
<provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
<!-- Converters -->
<class>org.gcube.common.authorizationservice.persistence.entities.converters.StringListConverter</class>
<!-- Entities -->
<class>org.gcube.common.authorizationservice.persistence.entities.AuthorizationEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.ServiceAuthorizationEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.UserAuthorizationEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.ExternalServiceAuthorizationEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.NodeAuthorizationEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.PolicyEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.ServicePolicyEntity</class>
<class>org.gcube.common.authorizationservice.persistence.entities.UserPolicyEntity</class>
<properties>
<property name="javax.persistence.jdbc.url"
value="jdbc:postgresql://{{ auth_postgresql_host }}/{{ psql_db_name }}" />
<property name="javax.persistence.jdbc.driver" value="org.postgresql.Driver" />
<property name="javax.persistence.jdbc.user" value="{{ psql_db_user }}" />
<property name="javax.persistence.jdbc.password" value="{{ authorization_db_pwd }}" />
<property name="eclipselink.ddl-generation" value="create-tables" />
<property name="eclipselink.ddl-generation.output-mode"
value="database" />
</properties>
</persistence-unit>
</persistence>