2015-01-27 22:21:37 +00:00
|
|
|
import hashlib
|
2015-01-05 17:49:38 +00:00
|
|
|
import os
|
|
|
|
|
|
2014-11-13 22:26:56 +08:00
|
|
|
from charmhelpers.core.hookenv import config
|
2014-09-22 15:23:26 +01:00
|
|
|
|
2015-01-27 22:21:37 +00:00
|
|
|
from charmhelpers.core.host import (
|
|
|
|
|
mkdir,
|
|
|
|
|
write_file,
|
|
|
|
|
service_restart,
|
|
|
|
|
)
|
2014-02-25 12:34:13 +01:00
|
|
|
|
|
|
|
|
from charmhelpers.contrib.openstack import context
|
|
|
|
|
|
|
|
|
|
from charmhelpers.contrib.hahelpers.cluster import (
|
|
|
|
|
determine_apache_port,
|
2015-01-12 12:45:22 +00:00
|
|
|
determine_api_port,
|
2014-02-25 12:34:13 +01:00
|
|
|
)
|
|
|
|
|
|
2015-01-05 17:49:38 +00:00
|
|
|
from charmhelpers.core.hookenv import (
|
|
|
|
|
log,
|
|
|
|
|
INFO,
|
|
|
|
|
)
|
2014-09-22 15:23:26 +01:00
|
|
|
|
2015-02-16 11:38:34 +00:00
|
|
|
from charmhelpers.core.strutils import (
|
|
|
|
|
bool_from_string,
|
|
|
|
|
)
|
|
|
|
|
|
2015-01-05 17:49:38 +00:00
|
|
|
from charmhelpers.contrib.hahelpers.apache import install_ca_cert
|
2014-02-25 12:34:13 +01:00
|
|
|
|
|
|
|
|
CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
|
|
|
|
|
|
2014-02-26 17:28:37 +00:00
|
|
|
|
2014-02-25 12:34:13 +01:00
|
|
|
class ApacheSSLContext(context.ApacheSSLContext):
|
|
|
|
|
|
|
|
|
|
interfaces = ['https']
|
|
|
|
|
external_ports = []
|
|
|
|
|
service_namespace = 'keystone'
|
|
|
|
|
|
|
|
|
|
def __call__(self):
|
|
|
|
|
# late import to work around circular dependency
|
2015-01-27 22:21:37 +00:00
|
|
|
from keystone_utils import (
|
|
|
|
|
determine_ports,
|
|
|
|
|
update_hash_from_path,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
ssl_paths = [CA_CERT_PATH,
|
|
|
|
|
os.path.join('/etc/apache2/ssl/',
|
|
|
|
|
self.service_namespace)]
|
|
|
|
|
|
2014-02-25 12:34:13 +01:00
|
|
|
self.external_ports = determine_ports()
|
2015-01-27 22:21:37 +00:00
|
|
|
before = hashlib.sha256()
|
|
|
|
|
for path in ssl_paths:
|
|
|
|
|
update_hash_from_path(before, path)
|
|
|
|
|
|
|
|
|
|
ret = super(ApacheSSLContext, self).__call__()
|
|
|
|
|
|
|
|
|
|
after = hashlib.sha256()
|
|
|
|
|
for path in ssl_paths:
|
|
|
|
|
update_hash_from_path(after, path)
|
|
|
|
|
|
|
|
|
|
# Ensure that apache2 is restarted if these change
|
|
|
|
|
if before.hexdigest() != after.hexdigest():
|
|
|
|
|
service_restart('apache2')
|
|
|
|
|
|
|
|
|
|
return ret
|
2014-02-25 12:34:13 +01:00
|
|
|
|
2014-09-22 15:23:26 +01:00
|
|
|
def configure_cert(self, cn):
|
2015-01-05 17:49:38 +00:00
|
|
|
from keystone_utils import (
|
|
|
|
|
SSH_USER,
|
|
|
|
|
get_ca,
|
|
|
|
|
ensure_permissions,
|
2015-01-21 16:23:15 +00:00
|
|
|
is_ssl_cert_master,
|
2015-01-27 22:21:37 +00:00
|
|
|
is_ssl_enabled,
|
2015-01-05 17:49:38 +00:00
|
|
|
)
|
|
|
|
|
|
2015-01-27 22:21:37 +00:00
|
|
|
if not is_ssl_enabled():
|
|
|
|
|
return
|
|
|
|
|
|
2015-01-27 23:56:15 +00:00
|
|
|
# Ensure ssl dir exists whether master or not
|
2014-02-25 12:34:13 +01:00
|
|
|
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
|
2015-01-05 17:49:38 +00:00
|
|
|
perms = 0o755
|
|
|
|
|
mkdir(path=ssl_dir, owner=SSH_USER, group='keystone', perms=perms)
|
|
|
|
|
# Ensure accessible by keystone ssh user and group (for sync)
|
|
|
|
|
ensure_permissions(ssl_dir, user=SSH_USER, group='keystone',
|
|
|
|
|
perms=perms)
|
|
|
|
|
|
2015-01-27 23:56:15 +00:00
|
|
|
if not is_ssl_cert_master():
|
|
|
|
|
log("Not ssl-cert-master - skipping apache cert config until "
|
|
|
|
|
"master is elected", level=INFO)
|
|
|
|
|
return
|
|
|
|
|
|
2015-01-05 17:49:38 +00:00
|
|
|
log("Creating apache ssl certs in %s" % (ssl_dir), level=INFO)
|
|
|
|
|
|
2014-02-25 12:34:13 +01:00
|
|
|
ca = get_ca(user=SSH_USER)
|
2014-09-22 15:23:26 +01:00
|
|
|
cert, key = ca.get_cert_and_key(common_name=cn)
|
|
|
|
|
write_file(path=os.path.join(ssl_dir, 'cert_{}'.format(cn)),
|
2015-01-05 17:49:38 +00:00
|
|
|
content=cert, owner=SSH_USER, group='keystone', perms=0o644)
|
2014-09-22 15:23:26 +01:00
|
|
|
write_file(path=os.path.join(ssl_dir, 'key_{}'.format(cn)),
|
2015-01-05 17:49:38 +00:00
|
|
|
content=key, owner=SSH_USER, group='keystone', perms=0o644)
|
2014-09-22 15:23:26 +01:00
|
|
|
|
|
|
|
|
def configure_ca(self):
|
2015-01-05 17:49:38 +00:00
|
|
|
from keystone_utils import (
|
|
|
|
|
SSH_USER,
|
|
|
|
|
get_ca,
|
|
|
|
|
ensure_permissions,
|
2015-01-21 16:23:15 +00:00
|
|
|
is_ssl_cert_master,
|
2015-01-27 22:21:37 +00:00
|
|
|
is_ssl_enabled,
|
2015-01-05 17:49:38 +00:00
|
|
|
)
|
|
|
|
|
|
2015-01-27 22:21:37 +00:00
|
|
|
if not is_ssl_enabled():
|
|
|
|
|
return
|
|
|
|
|
|
2015-01-21 16:23:15 +00:00
|
|
|
if not is_ssl_cert_master():
|
2015-01-27 22:21:37 +00:00
|
|
|
log("Not ssl-cert-master - skipping apache ca config until "
|
|
|
|
|
"master is elected", level=INFO)
|
2015-01-05 17:49:38 +00:00
|
|
|
return
|
|
|
|
|
|
2014-09-22 15:23:26 +01:00
|
|
|
ca = get_ca(user=SSH_USER)
|
|
|
|
|
install_ca_cert(ca.get_ca_bundle())
|
2015-01-05 17:49:38 +00:00
|
|
|
# Ensure accessible by keystone ssh user and group (unison)
|
|
|
|
|
ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone',
|
|
|
|
|
perms=0o0644)
|
2014-09-22 15:23:26 +01:00
|
|
|
|
|
|
|
|
def canonical_names(self):
|
2014-11-14 10:16:38 +08:00
|
|
|
addresses = self.get_network_addresses()
|
2014-11-13 22:26:56 +08:00
|
|
|
addrs = []
|
|
|
|
|
for address, endpoint in addresses:
|
|
|
|
|
addrs.append(endpoint)
|
|
|
|
|
|
|
|
|
|
return list(set(addrs))
|
2014-02-25 12:34:13 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class HAProxyContext(context.HAProxyContext):
|
|
|
|
|
interfaces = []
|
|
|
|
|
|
|
|
|
|
def __call__(self):
|
|
|
|
|
'''
|
|
|
|
|
Extends the main charmhelpers HAProxyContext with a port mapping
|
|
|
|
|
specific to this charm.
|
|
|
|
|
Also used to extend nova.conf context with correct api_listening_ports
|
|
|
|
|
'''
|
|
|
|
|
from keystone_utils import api_port
|
|
|
|
|
ctxt = super(HAProxyContext, self).__call__()
|
|
|
|
|
|
|
|
|
|
# determine which port api processes should bind to, depending
|
|
|
|
|
# on existence of haproxy + apache frontends
|
|
|
|
|
listen_ports = {}
|
|
|
|
|
listen_ports['admin_port'] = api_port('keystone-admin')
|
|
|
|
|
listen_ports['public_port'] = api_port('keystone-public')
|
|
|
|
|
|
|
|
|
|
# Apache ports
|
2014-11-25 10:19:07 +00:00
|
|
|
a_admin_port = determine_apache_port(api_port('keystone-admin'),
|
|
|
|
|
singlenode_mode=True)
|
|
|
|
|
a_public_port = determine_apache_port(api_port('keystone-public'),
|
|
|
|
|
singlenode_mode=True)
|
2014-02-25 12:34:13 +01:00
|
|
|
|
|
|
|
|
port_mapping = {
|
|
|
|
|
'admin-port': [
|
|
|
|
|
api_port('keystone-admin'), a_admin_port],
|
|
|
|
|
'public-port': [
|
|
|
|
|
api_port('keystone-public'), a_public_port],
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# for haproxy.conf
|
|
|
|
|
ctxt['service_ports'] = port_mapping
|
|
|
|
|
# for keystone.conf
|
|
|
|
|
ctxt['listen_ports'] = listen_ports
|
|
|
|
|
return ctxt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class KeystoneContext(context.OSContextGenerator):
|
|
|
|
|
interfaces = []
|
|
|
|
|
|
|
|
|
|
def __call__(self):
|
2014-09-21 18:57:48 +01:00
|
|
|
from keystone_utils import (
|
|
|
|
|
api_port, set_admin_token,
|
|
|
|
|
endpoint_url, resolve_address,
|
|
|
|
|
PUBLIC, ADMIN
|
|
|
|
|
)
|
2014-02-25 12:34:13 +01:00
|
|
|
ctxt = {}
|
2014-03-28 11:34:38 +00:00
|
|
|
ctxt['token'] = set_admin_token(config('admin-token'))
|
2014-11-25 10:19:07 +00:00
|
|
|
ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
|
|
|
|
|
singlenode_mode=True)
|
|
|
|
|
ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
|
|
|
|
|
singlenode_mode=True)
|
2015-02-16 11:38:34 +00:00
|
|
|
|
|
|
|
|
debug = config('debug')
|
|
|
|
|
ctxt['debug'] = debug and bool_from_string(debug)
|
|
|
|
|
verbose = config('verbose')
|
|
|
|
|
ctxt['verbose'] = verbose and bool_from_string(verbose)
|
|
|
|
|
|
2014-08-11 17:23:45 +08:00
|
|
|
ctxt['identity_backend'] = config('identity-backend')
|
|
|
|
|
ctxt['assignment_backend'] = config('assignment-backend')
|
|
|
|
|
if config('identity-backend') == 'ldap':
|
|
|
|
|
ctxt['ldap_server'] = config('ldap-server')
|
|
|
|
|
ctxt['ldap_user'] = config('ldap-user')
|
|
|
|
|
ctxt['ldap_password'] = config('ldap-password')
|
|
|
|
|
ctxt['ldap_suffix'] = config('ldap-suffix')
|
2014-08-12 13:39:51 +08:00
|
|
|
ctxt['ldap_readonly'] = config('ldap-readonly')
|
2014-08-11 17:23:45 +08:00
|
|
|
ldap_flags = config('ldap-config-flags')
|
|
|
|
|
if ldap_flags:
|
|
|
|
|
flags = context.config_flags_parser(ldap_flags)
|
|
|
|
|
ctxt['ldap_config_flags'] = flags
|
|
|
|
|
|
2015-02-16 11:38:34 +00:00
|
|
|
enable_pki = config('enable-pki')
|
|
|
|
|
if enable_pki and bool_from_string(enable_pki):
|
2014-02-25 12:34:13 +01:00
|
|
|
ctxt['signing'] = True
|
2014-09-21 18:57:48 +01:00
|
|
|
|
2014-09-22 09:32:02 +01:00
|
|
|
# Base endpoint URL's which are used in keystone responses
|
|
|
|
|
# to unauthenticated requests to redirect clients to the
|
|
|
|
|
# correct auth URL.
|
|
|
|
|
ctxt['public_endpoint'] = endpoint_url(
|
|
|
|
|
resolve_address(PUBLIC),
|
2014-09-22 09:39:54 +01:00
|
|
|
api_port('keystone-public')).rstrip('v2.0')
|
2014-09-22 09:32:02 +01:00
|
|
|
ctxt['admin_endpoint'] = endpoint_url(
|
|
|
|
|
resolve_address(ADMIN),
|
2014-09-22 09:39:54 +01:00
|
|
|
api_port('keystone-admin')).rstrip('v2.0')
|
2014-02-25 12:34:13 +01:00
|
|
|
return ctxt
|
2015-01-19 10:45:41 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class KeystoneLoggingContext(context.OSContextGenerator):
|
|
|
|
|
|
|
|
|
|
def __call__(self):
|
|
|
|
|
ctxt = {}
|
|
|
|
|
debug = config('debug')
|
2015-02-16 11:38:34 +00:00
|
|
|
if debug and bool_from_string(debug):
|
2015-01-19 10:45:41 +00:00
|
|
|
ctxt['root_level'] = 'DEBUG'
|
|
|
|
|
|
|
|
|
|
return ctxt
|
