diff --git a/attributes/default.rb b/attributes/default.rb
index 4ce2217..4306b0b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -8,6 +8,7 @@
 # Copyright 2013, IBM Corp.
 # Copyright 2017, x-ion GmbH
 # Copyright 2018, Workday, Inc.
+# Copyright 2019, x-ion GmbH
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,19 +56,7 @@ default['openstack']['identity']['token']['backend'] = 'sql' # will be used (keystone-paste.ini.erb) default['openstack']['identity']['pastefile_url'] = nil -# This specify the pipeline of the keystone public API, -# all Identity public API requests will be processed by the order of the pipeline. -# this value will be used in the templated version of keystone-paste.ini -# The last item in this pipeline must be public_service or an equivalent -# application. It cannot be a filter. -default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service' -# This specify the pipeline of the keystone admin API, -# all Identity admin API requests will be processed by the order of the pipeline. -# this value will be used in the templated version of keystone-paste.ini -# The last item in this pipeline must be admin_service or an equivalent -# application. It cannot be a filter. -default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service' -# This specify the pipeline of the keystone V3 API, +# This specifies the pipeline of the keystone V3 API, # all Identity V3 API requests will be processed by the order of the pipeline. # this value will be used in the templated version of keystone-paste.ini # The last item in this pipeline must be service_v3 or an equivalent diff --git a/recipes/registration.rb b/recipes/registration.rb index 0cb885b..81de878 100644 --- a/recipes/registration.rb +++ b/recipes/registration.rb 
@@ -38,15 +38,20 @@ auth_url = ::URI.decode identity_internal_endpoint.to_s admin_project = node['openstack']['identity']['admin_project'] admin_user = node['openstack']['identity']['admin_user'] admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] -admin_role = node['openstack']['identity']['admin_role'] admin_domain = node['openstack']['identity']['admin_domain_name'] +# endpoint type to use when creating resources +# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for +# Identity operations, so we need to override this after we dropped that one +endpoint_type = node['openstack']['identity']['endpoint_type'] + connection_params = { - openstack_auth_url: "#{auth_url}/auth/tokens", - openstack_username: admin_user, - openstack_api_key: admin_pass, - openstack_project_name: admin_project, - openstack_domain_id: admin_domain, + openstack_auth_url: "#{auth_url}/auth/tokens", + openstack_username: admin_user, + openstack_api_key: admin_pass, + openstack_project_name: admin_project, + openstack_domain_id: admin_domain, + openstack_endpoint_type: endpoint_type, } ruby_block 'wait for identity endpoint' do 
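Review bot: `endpoint_type` is read from `node['openstack']['identity']['endpoint_type']` with no fallback or validation, and none of the attributes/default.rb hunks in this commit define that attribute (it may be set in another cookbook). If it resolves to nil, the NOTE above it says fog-openstack goes back to the 'admin' endpoint, which per that comment has been dropped, so the failure would only surface inside the first openstack_* resource at converge time. A guard such as `endpoint_type = node['openstack']['identity']['endpoint_type'] || 'internalURL'` (the value the spec expects), or an explicit raise on an unexpected value, would make the misconfiguration visible early. The same hash carries `openstack_api_key: admin_pass`, so it is worth confirming that the openstack_* resources treat `connection_params` as sensitive and keep it out of Chef logs; their definitions are not visible here.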
@@ -65,31 +70,13 @@ ruby_block 'wait for identity endpoint' do end end -openstack_domain 'identity' do - connection_params connection_params -end - -openstack_user admin_user do - domain_name admin_domain - role_name admin_role - connection_params connection_params - action :grant_domain -end - # create default service role openstack_role 'service' do connection_params connection_params end -# create default role for horizon dashboard login -openstack_role '_member_' do - connection_params connection_params -end - -node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s -Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}" Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}" Chef::Log.info "Keystone PublicURL: #{identity_endpoint}" diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb index 0df8cc3..86603dd 100644 --- a/recipes/server-apache.rb +++ b/recipes/server-apache.rb @@ -170,7 +170,6 @@ end # set keystone config parameters for endpoints, memcache node.default['openstack']['identity']['conf'].tap do |conf| conf['DEFAULT']['public_endpoint'] = api_endpoint - conf['DEFAULT']['admin_endpoint'] = api_endpoint conf['memcache']['servers'] = memcache_servers if memcache_servers end @@ -204,6 +203,7 @@ execute 'keystone-manage db_sync' do end # bootstrap keystone after keystone.conf is generated +# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed execute 'bootstrap_keystone' do command "keystone-manage bootstrap \\ --bootstrap-password #{admin_pass} \\ diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb index bbb6568..02ddef6 100644 --- a/spec/registration_spec.rb +++ b/spec/registration_spec.rb 
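Review bot: The `bootstrap_keystone` resource that the new TODO annotates interpolates `#{admin_pass}` unquoted into the shell command. That exposes the admin password in the process list while the command runs, can put it in Chef output when the command fails, and leaves it open to shell interpretation if it contains metacharacters. keystone-manage bootstrap takes the password from the `OS_BOOTSTRAP_PASSWORD` environment variable when the flag is omitted, so the resource could use `environment 'OS_BOOTSTRAP_PASSWORD' => admin_pass` together with `sensitive true` and drop `--bootstrap-password` from the command. The resource body continues past the end of the hunk, so `sensitive` may already be set there.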
@@ -17,11 +17,8 @@ describe 'openstack-identity::registration' do openstack_api_key: 'admin', openstack_project_name: 'admin', openstack_domain_id: 'default', + openstack_endpoint_type: 'internalURL', } - service_user = 'admin' - role_name = 'admin' - admin_domain_name = 'default' - domain_name = 'identity' describe 'keystone bootstrap' do context 'default values' do @@ -29,24 +26,6 @@ describe 'openstack-identity::registration' do expect(chef_run).to run_ruby_block('wait for identity endpoint') end - it "registers #{domain_name} domain" do - expect(chef_run).to create_openstack_domain( - domain_name - ).with( - connection_params: connection_params - ) - end - - it "grants #{service_user} user to #{domain_name} domain" do - expect(chef_run).to grant_domain_openstack_user( - service_user - ).with( - domain_name: admin_domain_name, - role_name: role_name, - connection_params: connection_params - ) - end - it 'create service role' do expect(chef_run).to create_openstack_role( 'service' @@ -54,14 +33,6 @@ describe 'openstack-identity::registration' do connection_params: connection_params ) end - - it 'create service role' do - expect(chef_run).to create_openstack_role( - '_member_' - ).with( - connection_params: connection_params - ) - end end end end diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb index 4fe36a4..ce5a5d1 100644 --- a/spec/server-apache_spec.rb +++ b/spec/server-apache_spec.rb @@ -20,9 +20,7 @@ describe 'openstack-identity::server-apache' do project_name = 'admin' role_name = 'admin' password = 'admin' - admin_url = 'http://127.0.0.1:5000/v3' public_url = 'http://127.0.0.1:5000/v3' - internal_url = 'http://127.0.0.1:5000/v3' it 'runs logging recipe if node attributes say to' do node.override['openstack']['identity']['syslog']['use'] = true 
@@ -53,9 +51,9 @@ describe 'openstack-identity::server-apache' do --bootstrap-role-name #{role_name} \\ --bootstrap-service-name #{service_name} \\ --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{admin_url} \\ + --bootstrap-admin-url #{public_url} \\ --bootstrap-public-url #{public_url} \\ - --bootstrap-internal-url #{internal_url}") + --bootstrap-internal-url #{public_url}") end describe '/etc/keystone' do @@ -241,26 +239,13 @@ describe 'openstack-identity::server-apache' do let(:path) { '/etc/keystone/keystone-paste.ini' } it 'has default api pipeline values' do - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:public_api', - /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/ - ) - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:admin_api', - /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/ - ) expect(chef_run).to render_config_file(path).with_section_content( 'pipeline:api_v3', /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/ ) end it 'template api pipeline set correct' do - node.override['openstack']['identity']['pipeline']['public_api'] = 'public_service' node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3' - expect(chef_run).to render_config_file(path).with_section_content( - 'pipeline:public_api', - /^pipeline = public_service$/ - ) expect(chef_run).to render_config_file(path).with_section_content( 'pipeline:api_v3', /^pipeline = service_v3$/ diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb index 5e78296..9a36edb 100644 
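Review bot: All three `--bootstrap-*-url` flags in this expectation now interpolate `public_url`, so the spec cannot tell whether the recipe hands the internal endpoint or the public one to `--bootstrap-internal-url`. Keeping a separate `internal_url` and adding a context that overrides the internal endpoint to a different value, then asserting `--bootstrap-internal-url #{internal_url}`, would catch internal service traffic being registered against the public URL. The example's `it` block and the start of the expected command lie outside this hunk, so how the recipe derives these URLs cannot be confirmed from here.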
--- a/templates/default/keystone-paste.ini.erb +++ b/templates/default/keystone-paste.ini.erb @@ -51,42 +51,20 @@ use = egg:keystone#public_service [app:service_v3] use = egg:keystone#service_v3 -[app:admin_service] -use = egg:keystone#admin_service - -[pipeline:public_api] -pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %> - -[pipeline:admin_api] -pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %> - [pipeline:api_v3] pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %> [app:public_version_service] use = egg:keystone#public_version_service -[app:admin_version_service] -use = egg:keystone#admin_version_service - [pipeline:public_version_api] pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service -[pipeline:admin_version_api] -pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service - [composite:main] use = egg:Paste#urlmap -/v2.0 = public_api /v3 = api_v3 / = public_version_api -[composite:admin] -use = egg:Paste#urlmap -/v2.0 = admin_api -/v3 = api_v3 -/ = admin_version_api - <% if node['openstack']['identity']['misc_paste'] %> <% node['openstack']['identity']['misc_paste'].each do |m| %> <%= m %>