Use service_domain in [service_user] section
Sync from charm-helpers to update [service_user] config to use the service domain. The keystone charm currently creates two service users, one for the service domain (for v3 authentication), and the other for the default domain (for v2 authentication). The [service_user] config needs to use the service domain. Closes-Bug: #2026202 Change-Id: Ia1329a6c53cc4b532436751f0396149139a88172
This commit is contained in:
parent
3c53110282
commit
1e4112d1d6
@ -221,6 +221,13 @@ def https():
|
|||||||
return True
|
return True
|
||||||
if config_get('ssl_cert') and config_get('ssl_key'):
|
if config_get('ssl_cert') and config_get('ssl_key'):
|
||||||
return True
|
return True
|
||||||
|
# Local import to avoid ciruclar dependency.
|
||||||
|
import charmhelpers.contrib.openstack.cert_utils as cert_utils
|
||||||
|
if (
|
||||||
|
cert_utils.get_certificate_request() and not
|
||||||
|
cert_utils.get_requests_for_local_unit("certificates")
|
||||||
|
):
|
||||||
|
return False
|
||||||
for r_id in relation_ids('certificates'):
|
for r_id in relation_ids('certificates'):
|
||||||
for unit in relation_list(r_id):
|
for unit in relation_list(r_id):
|
||||||
ca = relation_get('ca', rid=r_id, unit=unit)
|
ca = relation_get('ca', rid=r_id, unit=unit)
|
||||||
|
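Review bot: The new comment above the local import reads `# Local import to avoid ciruclar dependency.` — "ciruclar" should be "circular". The added early `return False` would also benefit from a one-line reason, since a reader of https() otherwise has to know the cert_utils contract to see why an outstanding request with no matching entry from get_requests_for_local_unit means TLS is not usable; something like `# A certificate was requested but no bundle for this unit has arrived yet, so TLS is not ready.` if that is indeed the intent. The body of https() continues past the hunk.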
@ -409,6 +409,9 @@ def get_requests_for_local_unit(relation_name=None):
|
|||||||
relation_name = relation_name or 'certificates'
|
relation_name = relation_name or 'certificates'
|
||||||
bundles = []
|
bundles = []
|
||||||
for rid in relation_ids(relation_name):
|
for rid in relation_ids(relation_name):
|
||||||
|
sent = relation_get(rid=rid, unit=local_unit())
|
||||||
|
legacy_keys = ['certificate_name', 'common_name']
|
||||||
|
is_legacy_request = set(sent).intersection(legacy_keys)
|
||||||
for unit in related_units(rid):
|
for unit in related_units(rid):
|
||||||
data = relation_get(rid=rid, unit=unit)
|
data = relation_get(rid=rid, unit=unit)
|
||||||
if data.get(raw_certs_key):
|
if data.get(raw_certs_key):
|
||||||
@ -416,6 +419,14 @@ def get_requests_for_local_unit(relation_name=None):
|
|||||||
'ca': data['ca'],
|
'ca': data['ca'],
|
||||||
'chain': data.get('chain'),
|
'chain': data.get('chain'),
|
||||||
'certs': json.loads(data[raw_certs_key])})
|
'certs': json.loads(data[raw_certs_key])})
|
||||||
|
elif is_legacy_request:
|
||||||
|
bundles.append({
|
||||||
|
'ca': data['ca'],
|
||||||
|
'chain': data.get('chain'),
|
||||||
|
'certs': {sent['common_name']:
|
||||||
|
{'cert': data.get(local_name + '.server.cert'),
|
||||||
|
'key': data.get(local_name + '.server.key')}}})
|
||||||
|
|
||||||
return bundles
|
return bundles
|
||||||
|
|
||||||
|
|
||||||
|
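Review bot: `is_legacy_request` is truthy when `sent` carries either `certificate_name` or `common_name`, yet the new `elif` branch indexes `sent['common_name']` unconditionally, so a legacy request that only set `certificate_name` raises KeyError inside the loop. If a legacy request always carries both keys, say so in a comment; otherwise narrow the condition to `elif is_legacy_request and 'common_name' in sent:` or derive the certificate key from whichever of the two was sent. The branch also appends a bundle even when `data.get(local_name + '.server.cert')` is None, i.e. before the remote unit has answered, whereas the existing branch first checks `data.get(raw_certs_key)`; a guard such as `elif is_legacy_request and data.get(local_name + '.server.cert'):` would keep both paths consistent. `local_name` and `raw_certs_key` are defined outside the hunk, and get_requests_for_local_unit continues past it.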
@ -1748,6 +1748,9 @@ class WSGIWorkerConfigContext(WorkerConfigContext):
|
|||||||
|
|
||||||
def __call__(self):
|
def __call__(self):
|
||||||
total_processes = _calculate_workers()
|
total_processes = _calculate_workers()
|
||||||
|
enable_wsgi_rotation = config('wsgi-rotation')
|
||||||
|
if enable_wsgi_rotation is None:
|
||||||
|
enable_wsgi_rotation = True
|
||||||
ctxt = {
|
ctxt = {
|
||||||
"service_name": self.service_name,
|
"service_name": self.service_name,
|
||||||
"user": self.user,
|
"user": self.user,
|
||||||
@ -1761,6 +1764,7 @@ class WSGIWorkerConfigContext(WorkerConfigContext):
|
|||||||
"public_processes": int(math.ceil(self.public_process_weight *
|
"public_processes": int(math.ceil(self.public_process_weight *
|
||||||
total_processes)),
|
total_processes)),
|
||||||
"threads": 1,
|
"threads": 1,
|
||||||
|
"wsgi_rotation": enable_wsgi_rotation,
|
||||||
}
|
}
|
||||||
return ctxt
|
return ctxt
|
||||||
|
|
||||||
|
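Review bot: The fallback in `__call__` that turns a `None` from `config('wsgi-rotation')` into `True` is undocumented, and the reader has to guess that `None` stands for "this charm does not declare a wsgi-rotation option". A comment on the `if enable_wsgi_rotation is None:` line such as `# Charms without a 'wsgi-rotation' option keep socket rotation on, which is mod_wsgi's own default.` would pin that down. The second hunk of this section only threads the value into `ctxt` and needs nothing further.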
@ -12,6 +12,8 @@ signing_dir = {{ signing_dir }}
|
|||||||
{% if service_type -%}
|
{% if service_type -%}
|
||||||
service_type = {{ service_type }}
|
service_type = {{ service_type }}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
{% if admin_role -%}
|
||||||
service_token_roles = {{ admin_role }}
|
service_token_roles = {{ admin_role }}
|
||||||
service_token_roles_required = True
|
service_token_roles_required = True
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
{% endif -%}
|
||||||
|
@ -22,6 +22,8 @@ signing_dir = {{ signing_dir }}
|
|||||||
{% if use_memcache == true %}
|
{% if use_memcache == true %}
|
||||||
memcached_servers = {{ memcache_url }}
|
memcached_servers = {{ memcache_url }}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
{% if admin_role -%}
|
||||||
service_token_roles = {{ admin_role }}
|
service_token_roles = {{ admin_role }}
|
||||||
service_token_roles_required = True
|
service_token_roles_required = True
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
{% endif -%}
|
||||||
|
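Review bot: Wrapping both `service_token_roles` and `service_token_roles_required = True` in `{% if admin_role -%}` (in both hunks of this section) means a context without `admin_role` now emits neither line, so keystonemiddleware falls back to its own defaults, where `service_token_roles_required` is False and a valid service token is accepted without any role check. If that weakening is intended for contexts that cannot supply a role, document it with a template comment such as `{# no admin_role: middleware defaults apply, service token roles are not enforced #}`; otherwise keep `service_token_roles_required = True` outside the conditional and let `service_token_roles` fall back to the middleware default of `service`. Whether every consumer's service user actually holds that role is not visible here, so confirm before making the line unconditional.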
@ -3,8 +3,8 @@
|
|||||||
send_service_user_token = true
|
send_service_user_token = true
|
||||||
auth_type = password
|
auth_type = password
|
||||||
auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
|
auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
|
||||||
project_domain_id = default
|
project_domain_name = service_domain
|
||||||
user_domain_id = default
|
user_domain_name = service_domain
|
||||||
project_name = {{ admin_tenant_name }}
|
project_name = {{ admin_tenant_name }}
|
||||||
username = {{ admin_user }}
|
username = {{ admin_user }}
|
||||||
password = {{ admin_password }}
|
password = {{ admin_password }}
|
||||||
|
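Review bot: The new `project_domain_name = service_domain` and `user_domain_name = service_domain` lines hard-code the domain name instead of rendering it from the context, so the template silently couples to the name the keystone charm happens to use for its v3 service domain. A template comment such as `{# service_domain is the domain in which the keystone charm creates the v3 service user #}` would make that dependency visible, or the value could be rendered from a context key with `service_domain` as its default. Since `*_domain_name` only exists in the v3 API, the `auth_url` rendered on the unchanged line above must resolve to a v3 or unversioned, discovery-capable endpoint — worth confirming for the charms that consume this template.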
@ -12,6 +12,12 @@ Listen {{ admin_port }}
|
|||||||
Listen {{ public_port }}
|
Listen {{ public_port }}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if wsgi_rotation -%}
|
||||||
|
WSGISocketRotation On
|
||||||
|
{% else -%}
|
||||||
|
WSGISocketRotation Off
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
{% if port -%}
|
{% if port -%}
|
||||||
<VirtualHost *:{{ port }}>
|
<VirtualHost *:{{ port }}>
|
||||||
WSGIDaemonProcess {{ service_name }} processes={{ processes }} threads={{ threads }} user={{ user }} group={{ group }} \
|
WSGIDaemonProcess {{ service_name }} processes={{ processes }} threads={{ threads }} user={{ user }} group={{ group }} \
|
||||||
|
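Review bot: The six new lines in this section and the identical ones in the next section (the second `@ -12,6 +12,12 @@ Listen {{ admin_port }}` hunk) expand a boolean into a full if/else block; `WSGISocketRotation {{ 'On' if wsgi_rotation else 'Off' }}` renders the same directive in one line and keeps the two templates easier to hold in sync. Because the directive is now emitted unconditionally, the template assumes every context provides `wsgi_rotation`; with Jinja's default Undefined a missing key is falsy and renders `Off`, which is a silent change from mod_wsgi's default of On for any other context that reuses this file, so either document that expectation or guard the block with `{% if wsgi_rotation is defined %}`.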
@ -12,6 +12,12 @@ Listen {{ admin_port }}
|
|||||||
Listen {{ public_port }}
|
Listen {{ public_port }}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
|
||||||
|
{% if wsgi_rotation -%}
|
||||||
|
WSGISocketRotation On
|
||||||
|
{% else -%}
|
||||||
|
WSGISocketRotation Off
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
{% if port -%}
|
{% if port -%}
|
||||||
<VirtualHost *:{{ port }}>
|
<VirtualHost *:{{ port }}>
|
||||||
WSGIDaemonProcess {{ service_name }} processes={{ processes }} threads={{ threads }} user={{ user }} group={{ group }} \
|
WSGIDaemonProcess {{ service_name }} processes={{ processes }} threads={{ threads }} user={{ user }} group={{ group }} \
|
||||||
|
@ -957,7 +957,7 @@ def os_requires_version(ostack_release, pkg):
|
|||||||
def wrap(f):
|
def wrap(f):
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
def wrapped_f(*args):
|
def wrapped_f(*args):
|
||||||
if os_release(pkg) < ostack_release:
|
if CompareOpenStackReleases(os_release(pkg)) < ostack_release:
|
||||||
raise Exception("This hook is not supported on releases"
|
raise Exception("This hook is not supported on releases"
|
||||||
" before %s" % ostack_release)
|
" before %s" % ostack_release)
|
||||||
f(*args)
|
f(*args)
|
||||||
|
@ -28,7 +28,6 @@ import os
|
|||||||
import shutil
|
import shutil
|
||||||
import json
|
import json
|
||||||
import time
|
import time
|
||||||
import uuid
|
|
||||||
|
|
||||||
from subprocess import (
|
from subprocess import (
|
||||||
check_call,
|
check_call,
|
||||||
@ -1677,6 +1676,10 @@ class CephBrokerRq(object):
|
|||||||
The API is versioned and defaults to version 1.
|
The API is versioned and defaults to version 1.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# The below hash is the result of running
|
||||||
|
# `hashlib.sha1('[]'.encode()).hexdigest()`
|
||||||
|
EMPTY_LIST_SHA = '97d170e1550eee4afc0af065b78cda302a97674c'
|
||||||
|
|
||||||
def __init__(self, api_version=1, request_id=None, raw_request_data=None):
|
def __init__(self, api_version=1, request_id=None, raw_request_data=None):
|
||||||
"""Initialize CephBrokerRq object.
|
"""Initialize CephBrokerRq object.
|
||||||
|
|
||||||
@ -1685,8 +1688,12 @@ class CephBrokerRq(object):
|
|||||||
|
|
||||||
:param api_version: API version for request (default: 1).
|
:param api_version: API version for request (default: 1).
|
||||||
:type api_version: Optional[int]
|
:type api_version: Optional[int]
|
||||||
:param request_id: Unique identifier for request.
|
:param request_id: Unique identifier for request. The identifier will
|
||||||
(default: string representation of generated UUID)
|
be updated as ops are added or removed from the
|
||||||
|
broker request. This ensures that Ceph will
|
||||||
|
correctly process requests where operations are
|
||||||
|
added after the initial request is processed.
|
||||||
|
(default: sha1 of operations)
|
||||||
:type request_id: Optional[str]
|
:type request_id: Optional[str]
|
||||||
:param raw_request_data: JSON-encoded string to build request from.
|
:param raw_request_data: JSON-encoded string to build request from.
|
||||||
:type raw_request_data: Optional[str]
|
:type raw_request_data: Optional[str]
|
||||||
@ -1695,16 +1702,20 @@ class CephBrokerRq(object):
|
|||||||
if raw_request_data:
|
if raw_request_data:
|
||||||
request_data = json.loads(raw_request_data)
|
request_data = json.loads(raw_request_data)
|
||||||
self.api_version = request_data['api-version']
|
self.api_version = request_data['api-version']
|
||||||
self.request_id = request_data['request-id']
|
|
||||||
self.set_ops(request_data['ops'])
|
self.set_ops(request_data['ops'])
|
||||||
|
self.request_id = request_data['request-id']
|
||||||
else:
|
else:
|
||||||
self.api_version = api_version
|
self.api_version = api_version
|
||||||
if request_id:
|
if request_id:
|
||||||
self.request_id = request_id
|
self.request_id = request_id
|
||||||
else:
|
else:
|
||||||
self.request_id = str(uuid.uuid1())
|
self.request_id = CephBrokerRq.EMPTY_LIST_SHA
|
||||||
self.ops = []
|
self.ops = []
|
||||||
|
|
||||||
|
def _hash_ops(self):
|
||||||
|
"""Return the sha1 of the requested Broker ops."""
|
||||||
|
return hashlib.sha1(json.dumps(self.ops, sort_keys=True).encode()).hexdigest()
|
||||||
|
|
||||||
def add_op(self, op):
|
def add_op(self, op):
|
||||||
"""Add an op if it is not already in the list.
|
"""Add an op if it is not already in the list.
|
||||||
|
|
||||||
@ -1713,6 +1724,7 @@ class CephBrokerRq(object):
|
|||||||
"""
|
"""
|
||||||
if op not in self.ops:
|
if op not in self.ops:
|
||||||
self.ops.append(op)
|
self.ops.append(op)
|
||||||
|
self.request_id = self._hash_ops()
|
||||||
|
|
||||||
def add_op_request_access_to_group(self, name, namespace=None,
|
def add_op_request_access_to_group(self, name, namespace=None,
|
||||||
permission=None, key_name=None,
|
permission=None, key_name=None,
|
||||||
@ -1991,6 +2003,7 @@ class CephBrokerRq(object):
|
|||||||
to allow comparisons to ensure validity.
|
to allow comparisons to ensure validity.
|
||||||
"""
|
"""
|
||||||
self.ops = ops
|
self.ops = ops
|
||||||
|
self.request_id = self._hash_ops()
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def request(self):
|
def request(self):
|
||||||
|
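Review bot: `_hash_ops` relies on `hashlib`, but the only import change in this file's first hunk removes `import uuid` without adding anything, so please confirm `hashlib` is already imported further up the module, outside what is shown. The comment on `EMPTY_LIST_SHA` should state the invariant the code depends on — the constant must equal `_hash_ops()` for an empty list, which holds only because `json.dumps([], sort_keys=True)` serialises to exactly `[]` — e.g. `# Must equal _hash_ops() for an empty ops list, i.e. sha1 of json.dumps([], sort_keys=True).` A docstring note on `_hash_ops` that the id is a content fingerprint for change detection rather than a security token would also help: SHA-1's collision weakness is irrelevant as long as nothing on the broker side gates authorization on it, and if that ever changes the digest should move to sha256. In `__init__` the deserialised `request-id` is now assigned after `set_ops`, which is correct because `set_ops` overwrites the id; a one-line comment there (`# keep the id from the wire; set_ops() just replaced it with a hash`) would stop someone tidying the order back.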
@ -591,7 +591,7 @@ def _get_key_by_keyid(keyid):
|
|||||||
curl_cmd = ['curl', keyserver_url.format(keyid)]
|
curl_cmd = ['curl', keyserver_url.format(keyid)]
|
||||||
# use proxy server settings in order to retrieve the key
|
# use proxy server settings in order to retrieve the key
|
||||||
return subprocess.check_output(curl_cmd,
|
return subprocess.check_output(curl_cmd,
|
||||||
env=env_proxy_settings(['https']))
|
env=env_proxy_settings(['https', 'no_proxy']))
|
||||||
|
|
||||||
|
|
||||||
def _dearmor_gpg_key(key_asc):
|
def _dearmor_gpg_key(key_asc):
|
||||||
|
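Review bot: The new `'no_proxy'` entry in `env_proxy_settings(['https', 'no_proxy'])` is the only change and nothing explains why it is needed; the existing comment could become `# use proxy server settings (including no_proxy exclusions) so keyservers on exempt hosts are fetched directly`. Note that `env=` hands the `curl` child only what `env_proxy_settings` returns, which, if that helper yields just the proxy variables, means the child runs without the rest of the parent environment — pre-existing behaviour, but worth keeping in mind when touching this call. `_get_key_by_keyid` begins outside the hunk.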
@ -122,13 +122,12 @@ class Cache(object):
|
|||||||
:raises: subprocess.CalledProcessError
|
:raises: subprocess.CalledProcessError
|
||||||
"""
|
"""
|
||||||
pkgs = {}
|
pkgs = {}
|
||||||
cmd = ['dpkg-query', '--list']
|
cmd = [
|
||||||
|
'dpkg-query', '--show',
|
||||||
|
'--showformat',
|
||||||
|
r'${db:Status-Abbrev}\t${Package}\t${Version}\t${Architecture}\t${binary:Summary}\n'
|
||||||
|
]
|
||||||
cmd.extend(packages)
|
cmd.extend(packages)
|
||||||
if locale.getlocale() == (None, None):
|
|
||||||
# subprocess calls out to locale.getpreferredencoding(False) to
|
|
||||||
# determine encoding. Workaround for Trusty where the
|
|
||||||
# environment appears to not be set up correctly.
|
|
||||||
locale.setlocale(locale.LC_ALL, 'en_US.UTF-8')
|
|
||||||
try:
|
try:
|
||||||
output = subprocess.check_output(cmd,
|
output = subprocess.check_output(cmd,
|
||||||
stderr=subprocess.STDOUT,
|
stderr=subprocess.STDOUT,
|
||||||
@ -140,24 +139,17 @@ class Cache(object):
|
|||||||
if cp.returncode != 1:
|
if cp.returncode != 1:
|
||||||
raise
|
raise
|
||||||
output = cp.output
|
output = cp.output
|
||||||
headings = []
|
|
||||||
for line in output.splitlines():
|
for line in output.splitlines():
|
||||||
if line.startswith('||/'):
|
# only process lines for successfully installed packages
|
||||||
headings = line.split()
|
if not (line.startswith('ii ') or line.startswith('hi ')):
|
||||||
headings.pop(0)
|
|
||||||
continue
|
continue
|
||||||
elif (line.startswith('|') or line.startswith('+') or
|
status, name, version, arch, desc = line.split('\t', 4)
|
||||||
line.startswith('dpkg-query:')):
|
pkgs[name] = {
|
||||||
continue
|
'name': name,
|
||||||
else:
|
'version': version,
|
||||||
data = line.split(None, 4)
|
'architecture': arch,
|
||||||
status = data.pop(0)
|
'description': desc,
|
||||||
if status not in ('ii', 'hi'):
|
}
|
||||||
continue
|
|
||||||
pkg = {}
|
|
||||||
pkg.update({k.lower(): v for k, v in zip(headings, data)})
|
|
||||||
if 'name' in pkg:
|
|
||||||
pkgs.update({pkg['name']: pkg})
|
|
||||||
return pkgs
|
return pkgs
|
||||||
|
|
||||||
def _apt_cache_show(self, packages):
|
def _apt_cache_show(self, packages):
|
||||||
|
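Review bot: The new parsing depends on two facts the code does not state: the five `\t`-separated fields of the `--showformat` string arrive in the order that `status, name, version, arch, desc = line.split('\t', 4)` assumes, and `${db:Status-Abbrev}` is a fixed three-character field, which is why the filter is `'ii '`/`'hi '` with a trailing space; a comment above `cmd = [` spelling both out would save the next reader a trip to dpkg-query(1). Because stderr is merged into the output, lines such as `dpkg-query: no packages found matching ...` are dropped only by that prefix filter, so the unpacking would raise ValueError if a diagnostic ever started with `ii ` — unlikely, but a short comment or a field-count check would make the assumption explicit. Keying `pkgs` on `${Package}` alone means a package installed for several architectures collapses to whichever line is printed last; that matches the old `--list` parsing, so a note that the overwrite is intentional (or keying on `${binary:Package}` if it is not) would help. The enclosing method starts outside the hunk.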