Generate credentials in addition to token for new services

2012-03-02 12:46:20 -08:00
parent 7272f3e283
commit ed6a84faac
4 changed files with 46 additions and 7 deletions
--- a/config.yaml
+++ b/config.yaml
@@ -35,7 +35,6 @@ options:
    default: admin
    type: string
    description: "Default admin user to create and manage"
-  # Note: This should only be specified in config for testing purposes.
  admin-password:
    default: None
    type: string
@@ -44,10 +43,18 @@ options:
    default: None
    type: string
    description: "Admin token.  If set, this token will be used for all services instead of being generated per service."
+  admin-role:
+    default: 'Admin'
+    type: string
+    description: 'Admin role to be associated with admin and service users'
  token-expiry:
    default: "2017-02-05T00:00"
    type: string
    description: "Expiration date of generated admin tokens"
+  service-tenant:
+    default: "services"
+    type: string
+    description: "Name of tenant to associate service credentials."
  # Database settings used to request access via shared-db-relation-* relations
  database:
    default: "keystone"
--- a/hooks/keystone-hooks
+++ b/hooks/keystone-hooks
@@ -132,6 +132,7 @@ def identity_changed():
                     public_url=settings['public_url'],
                     admin_url=settings['admin_url'],
                     internal_url=settings['internal_url'])
+        service_username = settings['service']
    else:
        # assemble multiple endpoints from relation data. service name
        # should be prepended to setting name, ie:
@@ -156,6 +157,7 @@ def identity_changed():
            if ep not in  endpoints:
                endpoints[ep] = {}
            endpoints[ep][x] = v
+        services = []
        for ep in endpoints:
            # weed out any unrelated relation stuff Juju might have added
            # by ensuring each possible endpiont has appropriate fields
@@ -167,15 +169,31 @@ def identity_changed():
                             public_url=ep['public_url'],
                             admin_url=ep['admin_url'],
                             internal_url=ep['internal_url'])
+                services.append(ep['service'])
+        service_username = '_'.join(services)

    token = get_admin_token()
-    # we return a token, information about our API endpoints
+
+    juju_log("Creating service credentials for '%s'" % service_username)
+    service_password = execute('pwgen -c 32 1', die=True)[0]
+    create_user(service_username, service_password, config['service-tenant'])
+    grant_role(service_username, config['admin-role'], config['service-tenant'])
+
+    # As of https://review.openstack.org/#change,4675, all nodes hosting
+    # an endpoint(s) needs a service username and password assigned to
+    # the service tenant and granted admin role.
+    # note: config['service-tenant'] is created in utils.ensure_initial_admin()
+    # we return a token, information about our API endpoints, and the generated
+    # service credentials
    relation_data = {
        "admin_token": token,
        "service_host": config["hostname"],
        "service_port": config["service-port"],
        "auth_host": config["hostname"],
-        "auth_port": config["admin-port"]
+        "auth_port": config["admin-port"],
+        "service_username": service_username,
+        "service_password": service_password,
+        "service_tenant": config['service-tenant']
    }
    relation_set(relation_data)

--- a/hooks/utils.py
+++ b/hooks/utils.py
@@ -332,6 +332,20 @@ def create_role(name, user, tenant):
                                    tenant=tenant_id)
    juju_log("Granted role '%s' to '%s'" % (name, user))

+def grant_role(user, role, tenant):
+    """grant user+tenant a specific role"""
+    import manager
+    manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
+                                      token=get_admin_token())
+    juju_log("Granting user '%s' role '%s' on tenant ' %s'" %\
+                (user, role, tenant))
+    user_id = manager.resolve_user_id(user)
+    role_id = manager.resolve_role_id(role)
+    tenant_id = manager.resolve_tenant_id(tenant)
+    manager.api.roles.add_user_role(user=user_id,
+                                    role=role_id,
+                                    tenant=tenant_id)
+
 def generate_admin_token(config):
    """ generate and add an admin token """
    import manager
@@ -356,7 +370,7 @@ def ensure_initial_admin(config):
        changes?
    """
    create_tenant("admin")
-
+    create_tenant(config["service-tenant"])
    passwd = ""
    if config["admin-password"] != "None":
        passwd = config["admin-password"]
@@ -368,8 +382,8 @@ def ensure_initial_admin(config):
        passwd = execute("pwgen -c 16 1", die=True)[0]
        open(stored_passwd, 'w+').writelines("%s\n" % passwd)

-    create_user(config["admin-user"], passwd, tenant="admin")
-    create_role("Admin", config["admin-user"], 'admin')
+    create_user(config['admin-user'], passwd, tenant='admin')
+    create_role(config['admin-role'], config['admin-user'], 'admin')
    # TODO(adam_g): The following roles are likely not needed since redux merge
    create_role("KeystoneAdmin", config["admin-user"], 'admin')
    create_role("KeystoneServiceAdmin", config["admin-user"], 'admin')
--- a/2
+++ b/2
@@ -1 +1 @@
-132
+135