openstack/charm-keystone
Code Issues Proposed changes
b22142ee63
charm-keystone/hooks/keystone-hooks

485 lines
18 KiB
Plaintext
Raw Normal View History

init
2011-12-08 09:52:12 -08:00
#!/usr/bin/python
Import manager from functions that use it instead of globally
2012-02-29 11:59:37 -08:00
init
2011-12-08 09:52:12 -08:00
import sys
Import manager from functions that use it instead of globally
2012-02-29 11:59:37 -08:00
import time
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
import urlparse
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
from base64 import b64encode
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
init
2011-12-08 09:52:12 -08:00
from utils import *
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
from lib.openstack_common import *
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
import lib.unison as unison
init
2011-12-08 09:52:12 -08:00
config = config_get()
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
packages = "keystone python-mysqldb pwgen haproxy python-jinja2 openssl unison"
init
2011-12-08 09:52:12 -08:00
service = "keystone"
# used to verify joined services are valid openstack components.
A bit of cleanup
2011-12-23 17:34:15 -08:00
# this should reflect the current "core" components of openstack
# and be expanded as we add support for them as a distro
init
2011-12-08 09:52:12 -08:00
valid_services = {
"nova": {
"type": "compute",
"desc": "Nova Compute Service"
},
Add nova-volume service, add noop hook work around for services that need a relation but nothing published in catalog
2012-03-08 14:38:36 -08:00
"nova-volume": {
"type": "volume",
"desc": "Nova Volume Service"
},
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
"cinder": {
"type": "volume",
"desc": "Cinder Volume Service"
},
Use config file backed admin token
2012-03-01 12:35:39 -08:00
"ec2": {
"type": "ec2",
"desc": "EC2 Compatibility Layer"
},
init
2011-12-08 09:52:12 -08:00
"glance": {
"type": "image",
"desc": "Glance Image Service"
Add swift to list of valid services
2011-12-21 15:29:31 -08:00
},
Add s3 as a valid service entry
2012-04-13 17:24:56 -07:00
"s3": {
"type": "s3",
"desc": "S3 Compatible object-store"
},
Add swift to list of valid services
2011-12-21 15:29:31 -08:00
"swift": {
Use correct service type for swift endpoints.
2012-12-11 12:25:11 -08:00
"type": "object-store",
Add swift to list of valid services
2011-12-21 15:29:31 -08:00
"desc": "Swift Object Storage Service"
Add support for quantum networking
2012-12-03 15:34:43 +00:00
},
"quantum": {
"type": "network",
"desc": "Quantum Networking Service"
Add endpoint definition for oxygen image service
2013-01-21 09:05:12 -06:00
},
"oxygen": {
"type": "oxygen",
"desc": "Oxygen Cloud Image Service"
added ceilometer service
2013-01-31 12:55:04 +01:00
},
"ceilometer": {
"type": "metering",
"desc": "Ceilometer Metering Service"
init
2011-12-08 09:52:12 -08:00
}
}
def install_hook():
Rename config option for consistency across charms: keystone-release -> openstack-origin.
2012-10-12 10:26:48 -07:00
if config["openstack-origin"] != "distro":
configure_installation_source(config["openstack-origin"])
A bit of cleanup
2011-12-23 17:34:15 -08:00
execute("apt-get update", die=True)
Add setup_ppa() to setup alternative installation source, silence logging execute() when not needed, add some doc strings
2011-12-22 10:21:23 -08:00
execute("apt-get -y install %s" % packages, die=True, echo=True)
Redux port pt. 1
2012-02-28 17:18:17 -08:00
update_config_block('DEFAULT', public_port=config["service-port"])
update_config_block('DEFAULT', admin_port=config["admin-port"])
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
set_admin_token(config['admin-token'])
Use config file backed admin token
2012-03-01 12:35:39 -08:00
Redux port pt. 1
2012-02-28 17:18:17 -08:00
# set all backends to use sql+sqlite, if they are not already by default
update_config_block('sql',
connection='sqlite:////var/lib/keystone/keystone.db')
update_config_block('identity',
driver='keystone.identity.backends.sql.Identity')
update_config_block('catalog',
driver='keystone.catalog.backends.sql.Catalog')
update_config_block('token',
driver='keystone.token.backends.sql.Token')
update_config_block('ec2',
driver='keystone.contrib.ec2.backends.sql.Ec2')
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
Sync database at install (sqlite) and during db-changed (mysql)
2012-01-10 23:21:57 -08:00
execute("service keystone stop", echo=True)
Redux port pt. 1
2012-02-28 17:18:17 -08:00
execute("keystone-manage db_sync")
Sync database at install (sqlite) and during db-changed (mysql)
2012-01-10 23:21:57 -08:00
execute("service keystone start", echo=True)
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
# ensure /var/lib/keystone is g+wrx for peer relations that
# may be syncing data there via SSH_USER.
execute("chmod -R g+wrx /var/lib/keystone/")
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
Import manager from functions that use it instead of globally
2012-02-29 11:59:37 -08:00
time.sleep(5)
init
2011-12-08 09:52:12 -08:00
ensure_initial_admin(config)
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
init
2011-12-08 09:52:12 -08:00
def db_joined():
relation_data = { "database": config["database"],
"username": config["database-user"],
"hostname": config["hostname"] }
relation_set(relation_data)
def db_changed():
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
relation_data = relation_get_dict()
if ('password' not in relation_data or
Support use of the VIP with mysql
2013-02-15 12:23:41 -05:00
'db_host' not in relation_data):
juju_log("db_host or password not set. Peer not ready, exit 0")
init
2011-12-08 09:52:12 -08:00
exit(0)
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
Redux port pt. 1
2012-02-28 17:18:17 -08:00
update_config_block('sql', connection="mysql://%s:%s@%s/%s" %
init
2011-12-08 09:52:12 -08:00
(config["database-user"],
relation_data["password"],
Support use of the VIP with mysql
2013-02-15 12:23:41 -05:00
relation_data["db_host"],
init
2011-12-08 09:52:12 -08:00
config["database"]))
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
Sync database at install (sqlite) and during db-changed (mysql)
2012-01-10 23:21:57 -08:00
execute("service keystone stop", echo=True)
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
if not eligible_leader():
juju_log('Deferring DB initialization to service leader.')
execute("service keystone start")
return
Redux port pt. 1
2012-02-28 17:18:17 -08:00
execute("keystone-manage db_sync", echo=True)
Sync database at install (sqlite) and during db-changed (mysql)
2012-01-10 23:21:57 -08:00
execute("service keystone start")
Import manager from functions that use it instead of globally
2012-02-29 11:59:37 -08:00
time.sleep(5)
ensure_initial_admin(config)
init
2011-12-08 09:52:12 -08:00
Allow service entries to be recreated after new database relation. This eliminates the need for services in an Openstack deployment to be deployed in order. Previously, keystone <-> mysql relation needed to be established before anything else. With this change, existing service entries are recreated in the new database for existing relations.
2012-09-17 17:39:51 -07:00
# If the backend database has been switched to something new and there
# are existing identity-service relations,, service entries need to be
# recreated in the new database. Re-executing identity-service-changed
# will do this.
for id in relation_ids(relation_name='identity-service'):
for unit in relation_list(relation_id=id):
juju_log("Re-exec'ing identity-service-changed for: %s - %s" %
(id, unit))
identity_changed(relation_id=id, remote_unit=unit)
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
def ensure_valid_service(service):
if service not in valid_services.keys():
juju_log("WARN: Invalid service requested: '%s'" % service)
realtion_set({ "admin_token": -1 })
return
def add_endpoint(region, service, public_url, admin_url, internal_url):
desc = valid_services[service]["desc"]
service_type = valid_services[service]["type"]
create_service_entry(service, service_type, desc)
create_endpoint_template(region=region, service=service,
public_url=public_url,
admin_url=admin_url,
internal_url=internal_url)
init
2011-12-08 09:52:12 -08:00
def identity_joined():
""" Do nothing until we get information about requested service """
pass
Allow service entries to be recreated after new database relation. This eliminates the need for services in an Openstack deployment to be deployed in order. Previously, keystone <-> mysql relation needed to be established before anything else. With this change, existing service entries are recreated in the new database for existing relations.
2012-09-17 17:39:51 -07:00
def identity_changed(relation_id=None, remote_unit=None):
""" A service has advertised its API endpoints, create an entry in the
service catalog.
Optionally allow this hook to be re-fired for an existing
relation+unit, for context see see db_changed().
"""
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
def ensure_valid_service(service):
if service not in valid_services.keys():
juju_log("WARN: Invalid service requested: '%s'" % service)
realtion_set({ "admin_token": -1 })
return
Update endpoint arguments to match those of keystoneclient.
2012-10-28 11:08:49 +01:00
def add_endpoint(region, service, publicurl, adminurl, internalurl):
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
desc = valid_services[service]["desc"]
service_type = valid_services[service]["type"]
create_service_entry(service, service_type, desc)
create_endpoint_template(region=region, service=service,
Update endpoint arguments to match those of keystoneclient.
2012-10-28 11:08:49 +01:00
publicurl=publicurl,
adminurl=adminurl,
internalurl=internalurl)
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
if not eligible_leader():
juju_log('Deferring identity_changed() to service leader.')
Further refinement for clustering support
2012-12-18 12:00:48 +00:00
return
Allow service entries to be recreated after new database relation. This eliminates the need for services in an Openstack deployment to be deployed in order. Previously, keystone <-> mysql relation needed to be established before anything else. With this change, existing service entries are recreated in the new database for existing relations.
2012-09-17 17:39:51 -07:00
settings = relation_get_dict(relation_id=relation_id,
remote_unit=remote_unit)
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
identity_changed: Move role creation earlier in hook. Allows endpoint-less services to also request role creation.
2013-01-11 14:12:41 -08:00
# Allow the remote service to request creation of any additional roles.
# Currently used by Swift.
if 'requested_roles' in settings and settings['requested_roles'] != 'None':
roles = settings['requested_roles'].split(',')
juju_log("Creating requested roles: %s" % roles)
for role in roles:
create_role(role, user=config['admin-user'], tenant='admin')
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
# the minimum settings needed per endpoint
single = set(['service', 'region', 'public_url', 'admin_url',
'internal_url'])
if single.issubset(settings):
# other end of relation advertised only one endpoint
Add nova-volume service, add noop hook work around for services that need a relation but nothing published in catalog
2012-03-08 14:38:36 -08:00
if 'None' in [v for k,v in settings.iteritems()]:
Allow service entries to be recreated after new database relation. This eliminates the need for services in an Openstack deployment to be deployed in order. Previously, keystone <-> mysql relation needed to be established before anything else. With this change, existing service entries are recreated in the new database for existing relations.
2012-09-17 17:39:51 -07:00
# Some backend services advertise no endpoint but require a
# hook execution to update auth strategy.
Pass keystone information to services which just need to access keystone
2013-02-14 14:30:47 +00:00
relation_data = {}
# Check if clustered and use vip + haproxy ports if so
if is_clustered():
relation_data["auth_host"] = config['vip']
relation_data["auth_port"] = SERVICE_PORTS['keystone_admin']
relation_data["service_host"] = config['vip']
relation_data["service_port"] = SERVICE_PORTS['keystone_service']
else:
relation_data["auth_host"] = config['hostname']
SSH based hook syncing
2013-03-11 09:10:47 +00:00
relation_data["auth_port"] = config['admin-port']
Pass keystone information to services which just need to access keystone
2013-02-14 14:30:47 +00:00
relation_data["service_host"] = config['hostname']
relation_data["service_port"] = config['service-port']
relation_set(relation_data)
Add nova-volume service, add noop hook work around for services that need a relation but nothing published in catalog
2012-03-08 14:38:36 -08:00
return
Pass keystone information to services which just need to access keystone
2013-02-14 14:30:47 +00:00
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
ensure_valid_service(settings['service'])
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
add_endpoint(region=settings['region'], service=settings['service'],
Update endpoint arguments to match those of keystoneclient.
2012-10-28 11:08:49 +01:00
publicurl=settings['public_url'],
adminurl=settings['admin_url'],
internalurl=settings['internal_url'])
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
service_username = settings['service']
Also use hostname for ssl cn with multi-endpoint services.
2013-02-19 17:41:43 -08:00
https_cn = urlparse.urlparse(settings['internal_url'])
https_cn = https_cn.hostname
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
else:
# assemble multiple endpoints from relation data. service name
# should be prepended to setting name, ie:
# realtion-set ec2_service=$foo ec2_region=$foo ec2_public_url=$foo
# relation-set nova_service=$foo nova_region=$foo nova_public_url=$foo
# Results in a dict that looks like:
# { 'ec2': {
# 'service': $foo
# 'region': $foo
# 'public_url': $foo
# }
# 'nova': {
# 'service': $foo
# 'region': $foo
# 'public_url': $foo
# }
# }
endpoints = {}
for k,v in settings.iteritems():
ep = k.split('_')[0]
x = '_'.join(k.split('_')[1:])
Also use hostname for ssl cn with multi-endpoint services.
2013-02-19 17:41:43 -08:00
if ep not in endpoints:
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
endpoints[ep] = {}
endpoints[ep][x] = v
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
services = []
Also use hostname for ssl cn with multi-endpoint services.
2013-02-19 17:41:43 -08:00
https_cn = None
Support receiving multiple endpoints in identity_changed()
2012-03-01 12:37:18 -08:00
for ep in endpoints:
# weed out any unrelated relation stuff Juju might have added
# by ensuring each possible endpiont has appropriate fields
# ['service', 'region', 'public_url', 'admin_url', 'internal_url']
if single.issubset(endpoints[ep]):
ep = endpoints[ep]
ensure_valid_service(ep['service'])
add_endpoint(region=ep['region'], service=ep['service'],
Update endpoint arguments to match those of keystoneclient.
2012-10-28 11:08:49 +01:00
publicurl=ep['public_url'],
adminurl=ep['admin_url'],
internalurl=ep['internal_url'])
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
services.append(ep['service'])
Also use hostname for ssl cn with multi-endpoint services.
2013-02-19 17:41:43 -08:00
if not https_cn:
https_cn = urlparse.urlparse(ep['internal_url'])
https_cn = https_cn.hostname
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
service_username = '_'.join(services)
init
2011-12-08 09:52:12 -08:00
Add nova-volume service, add noop hook work around for services that need a relation but nothing published in catalog
2012-03-08 14:38:36 -08:00
if 'None' in [v for k,v in settings.iteritems()]:
return
if not service_username:
return
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
Add nova-volume service, add noop hook work around for services that need a relation but nothing published in catalog
2012-03-08 14:38:36 -08:00
token = get_admin_token()
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
juju_log("Creating service credentials for '%s'" % service_username)
Track service_passwds on disk
2012-03-09 14:56:59 -08:00
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
service_password = get_service_password(service_username)
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
create_user(service_username, service_password, config['service-tenant'])
grant_role(service_username, config['admin-role'], config['service-tenant'])
# As of https://review.openstack.org/#change,4675, all nodes hosting
# an endpoint(s) needs a service username and password assigned to
# the service tenant and granted admin role.
# note: config['service-tenant'] is created in utils.ensure_initial_admin()
# we return a token, information about our API endpoints, and the generated
# service credentials
init
2011-12-08 09:52:12 -08:00
relation_data = {
"admin_token": token,
"service_host": config["hostname"],
"service_port": config["service-port"],
"auth_host": config["hostname"],
Generate credentials in addition to token for new services
2012-03-02 12:46:20 -08:00
"auth_port": config["admin-port"],
"service_username": service_username,
"service_password": service_password,
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
"service_tenant": config['service-tenant'],
"https_keystone": "False",
"ssl_cert": "",
"ssl_key": "",
"ca_cert": ""
init
2011-12-08 09:52:12 -08:00
}
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
if relation_id:
relation_data['rid'] = relation_id
Ripple clustering changes to related services
2012-12-17 15:42:52 +00:00
# Check if clustered and use vip + haproxy ports if so
if is_clustered():
relation_data["auth_host"] = config['vip']
relation_data["auth_port"] = SERVICE_PORTS['keystone_admin']
relation_data["service_host"] = config['vip']
relation_data["service_port"] = SERVICE_PORTS['keystone_service']
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
# generate or get a new cert/key for service if set to manage certs.
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
if config['https-service-endpoints'] in ['True', 'true']:
Ensure crt/key/csr perms are correct for bidirectional/post-failover file syncing.
2013-02-19 20:35:04 -08:00
ca = get_ca(user=SSH_USER)
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
service = os.getenv('JUJU_REMOTE_UNIT').split('/')[0]
Also use hostname for ssl cn with multi-endpoint services.
2013-02-19 17:41:43 -08:00
cert, key = ca.get_cert_and_key(common_name=https_cn)
First pass single-node ssl master.
2013-02-07 21:03:44 -08:00
ca_bundle= ca.get_ca_bundle()
relation_data['ssl_cert'] = b64encode(cert)
relation_data['ssl_key'] = b64encode(key)
relation_data['ca_cert'] = b64encode(ca_bundle)
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
relation_data['https_keystone'] = 'True'
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
unison.sync_to_peers(peer_interface='cluster',
paths=[SSL_DIR], user=SSH_USER, verbose=True)
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
relation_set_2(**relation_data)
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
synchronize_service_credentials()
init
2011-12-08 09:52:12 -08:00
Allow reconfiguration of admin user credentials via 'juju set' This adds the ability to update a users' password via keystoneclient. This is called for every run of ensure_initial_admin(). A basic config-changed hook is added to call ensure_initial_admin(), allowing: - Changing the current admin user's password via 'juju set admin-password=foo' - Defining a new admin user in the system via 'juju set admin-user=newadmin admin-password=foo'. Note, when creating a new admin user, the previous admin user is not deleted from the system. The new admin user can manage existing users thru the dashboard or keystoneclient.
2012-08-08 16:17:52 -07:00
def config_changed():
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
# Determine whether or not we should do an upgrade, based on the
# the version offered in keyston-release.
Rename config option for consistency across charms: keystone-release -> openstack-origin.
2012-10-12 10:26:48 -07:00
available = get_os_codename_install_source(config['openstack-origin'])
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
installed = get_os_codename_package('keystone')
Fix some spacing.
2012-12-18 19:39:14 -08:00
if (available and
get_os_version_codename(available) > get_os_version_codename(installed)):
Rename config option for consistency across charms: keystone-release -> openstack-origin.
2012-10-12 10:26:48 -07:00
do_openstack_upgrade(config['openstack-origin'], packages)
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
move now-generic save_script_rc to lib/openstack_common.py. Update health scripts to be more flexible based on OPENSTACK_PORT* and OPENSTACK_SERVICE* environment variables
2013-02-22 12:20:54 -07:00
env_vars = {'OPENSTACK_SERVICE_KEYSTONE': 'keystone',
'OPENSTACK_PORT_ADMIN': config['admin-port'],
'OPENSTACK_PORT_PUBLIC': config['service-port']}
update service_* health scripts to source ../scriptsrc to obtain service specific variables. bump revision
2013-02-21 09:42:08 -07:00
save_script_rc(**env_vars)
Factor out common code. Allow upgrades Essex -> Folsom.
2012-10-02 17:36:25 -07:00
set_admin_token(config['admin-token'])
Further refinement for clustering support
2012-12-18 12:00:48 +00:00
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
if eligible_leader():
Further refinement for clustering support
2012-12-18 12:00:48 +00:00
juju_log('Cluster leader - ensuring endpoint configuration is up to date')
ensure_initial_admin(config)
Allow reconfiguration of admin user credentials via 'juju set' This adds the ability to update a users' password via keystoneclient. This is called for every run of ensure_initial_admin(). A basic config-changed hook is added to call ensure_initial_admin(), allowing: - Changing the current admin user's password via 'juju set admin-password=foo' - Defining a new admin user in the system via 'juju set admin-user=newadmin admin-password=foo'. Note, when creating a new admin user, the previous admin user is not deleted from the system. The new admin user can manage existing users thru the dashboard or keystoneclient.
2012-08-08 16:17:52 -07:00
Allow setting log-level via config, drop horrid config parsing in favor of ConfigParser use.
2012-12-17 23:16:26 -08:00
update_config_block('logger_root', level=config['log-level'],
file='/etc/keystone/logging.conf')
Add placeholder for PKI configuration, default to UUID for now.
2012-12-18 17:29:14 -08:00
if get_os_version_package('keystone') >= '2013.1':
# PKI introduced in Grizzly
configure_pki_tokens(config)
Allow setting log-level via config, drop horrid config parsing in favor of ConfigParser use.
2012-12-17 23:16:26 -08:00
execute("service keystone restart", echo=True)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
cluster_changed()
def upgrade_charm():
cluster_changed()
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
if eligible_leader():
Further refinement for clustering support
2012-12-18 12:00:48 +00:00
juju_log('Cluster leader - ensuring endpoint configuration is up to date')
ensure_initial_admin(config)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
SERVICE_PORTS = {
"keystone_admin": int(config['admin-port']) + 1,
"keystone_service": int(config['service-port']) + 1
}
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
def cluster_joined():
unison.ssh_authorized_peers(user=SSH_USER,
group='keystone',
peer_interface='cluster',
ensure_user=True)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
def cluster_changed():
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
unison.ssh_authorized_peers(user=SSH_USER,
group='keystone',
peer_interface='cluster',
ensure_user=True)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
cluster_hosts = {}
cluster_hosts['self'] = config['hostname']
for r_id in relation_ids('cluster'):
for unit in relation_list(r_id):
utils.py: Fix unison import.
2013-02-13 13:06:02 -08:00
# trigger identity-changed to reconfigure HTTPS
# as necessary.
identity_changed(relation_id=r_id, remote_unit=unit)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
cluster_hosts[unit.replace('/','-')] = \
relation_get_dict(relation_id=r_id,
remote_unit=unit)['private-address']
configure_haproxy(cluster_hosts,
SERVICE_PORTS)
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
synchronize_service_credentials()
Add 'keystone_https' relation flag. Use url hostname as endpoint hostname, instead of private-address.
2013-02-14 15:20:54 -08:00
for r_id in relation_ids('identity-service'):
for unit in relation_list(r_id):
# trigger identity-changed to reconfigure HTTPS as necessary
identity_changed(relation_id=r_id, remote_unit=unit)
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
def ha_relation_changed():
Ripple clustering changes to related services
2012-12-17 15:42:52 +00:00
relation_data = relation_get_dict()
Further refinement for clustering support
2012-12-18 12:00:48 +00:00
if ('clustered' in relation_data and
is_leader()):
juju_log('Cluster configured, notifying other services and updating'
'keystone endpoint configuration')
# Update keystone endpoint to point at VIP
ensure_initial_admin(config)
Ripple clustering changes to related services
2012-12-17 15:42:52 +00:00
# Tell all related services to start using
# the VIP and haproxy ports instead
for r_id in relation_ids('identity-service'):
relation_set_2(rid=r_id,
auth_host=config['vip'],
service_host=config['vip'],
service_port=SERVICE_PORTS['keystone_service'],
auth_port=SERVICE_PORTS['keystone_admin'])
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
def ha_relation_joined():
# Obtain the config values necessary for the cluster config. These
# include multicast port and interface to bind to.
corosync_bindiface = config['ha-bindiface']
corosync_mcastport = config['ha-mcastport']
# Obtain resources
resources = {
'res_ks_vip':'ocf:heartbeat:IPaddr2',
'res_ks_haproxy':'lsb:haproxy'
}
# TODO: Obtain netmask and nic where to place VIP.
resource_params = {
merge latest cluster changes with jamespage's branch
2012-12-17 14:52:47 -05:00
'res_ks_vip':'params ip="%s" cidr_netmask="%s" nic="%s"' % (config['vip'],
config['vip_cidr'], config['vip_iface']),
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
'res_ks_haproxy':'op monitor interval="5s"'
}
init_services = {
'res_ks_haproxy':'haproxy'
}
groups = {
'grp_ks_haproxy':'res_ks_vip res_ks_haproxy'
}
#clones = {
# 'cln_ks_haproxy':'res_ks_haproxy meta globally-unique="false" interleave="true"'
# }
#orders = {
# 'ord_vip_before_haproxy':'inf: res_ks_vip res_ks_haproxy'
# }
#colocations = {
# 'col_vip_on_haproxy':'inf: res_ks_haproxy res_ks_vip'
# }
relation_set_2(init_services=init_services,
corosync_bindiface=corosync_bindiface,
corosync_mcastport=corosync_mcastport,
resources=resources,
resource_params=resource_params,
groups=groups)
init
2011-12-08 09:52:12 -08:00
hooks = {
"install": install_hook,
"shared-db-relation-joined": db_joined,
"shared-db-relation-changed": db_changed,
"identity-service-relation-joined": identity_joined,
Allow reconfiguration of admin user credentials via 'juju set' This adds the ability to update a users' password via keystoneclient. This is called for every run of ensure_initial_admin(). A basic config-changed hook is added to call ensure_initial_admin(), allowing: - Changing the current admin user's password via 'juju set admin-password=foo' - Defining a new admin user in the system via 'juju set admin-user=newadmin admin-password=foo'. Note, when creating a new admin user, the previous admin user is not deleted from the system. The new admin user can manage existing users thru the dashboard or keystoneclient.
2012-08-08 16:17:52 -07:00
"identity-service-relation-changed": identity_changed,
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
"config-changed": config_changed,
Add file synchronization via unison/ssh.
2013-02-12 21:56:39 -08:00
"cluster-relation-joined": cluster_joined,
Refactored to use alternative ports for haproxy
2012-12-17 13:45:58 +00:00
"cluster-relation-changed": cluster_changed,
"cluster-relation-departed": cluster_changed,
"ha-relation-joined": ha_relation_joined,
"ha-relation-changed": ha_relation_changed,
"upgrade-charm": upgrade_charm
init
2011-12-08 09:52:12 -08:00
}
A bit of cleanup
2011-12-23 17:34:15 -08:00
# keystone-hooks gets called by symlink corresponding to the requested relation
# hook.
Add clustered leader support. Ensures only the leader of the cluster (or service unit if multi nodes but no hacluster) manages the data stored in the database. The leader is also responsible for synchrnoizing on-disk copies of credentials to all peers.
2013-01-30 16:48:51 -08:00
hook = os.path.basename(sys.argv[0])
if hook not in hooks.keys():
error_out("Unsupported hook: %s" % hook)
hooks[hook]()
Copy Permalink