Adds support for multi-region

Change-Id: Ib85fe7cb375692b04aca4c46f61ba7e1fbfa501b
Implements: blueprint multi-region
This commit is contained in:
Bartosz Górski 2014-02-28 14:15:19 +01:00
parent c06c9e1f90
commit 0abde393c5
18 changed files with 392 additions and 397 deletions

View File

@ -330,6 +330,25 @@ which includes the following, with the IP address of the above controller node:
Q_HOST=$SERVICE_HOST
MATCHMAKER_REDIS_HOST=$SERVICE_HOST
# Multi-Region Setup
We want to setup two devstack (RegionOne and RegionTwo) with shared keystone
(same users and services) and horizon.
Keystone and Horizon will be located in RegionOne.
Full spec is available at:
https://wiki.openstack.org/wiki/Heat/Blueprints/Multi_Region_Support_for_Heat.
In RegionOne:
REGION_NAME=RegionOne
In RegionTwo:
disable_service horizon
KEYSTONE_SERVICE_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
KEYSTONE_AUTH_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
REGION_NAME=RegionTwo
# Cells
Cells is a new scaling option with a full spec at:

View File

@ -719,6 +719,109 @@ function policy_add {
mv ${tmpfile} ${policy_file}
}
# Gets or creates user
# Usage: get_or_create_user <username> <password> <project> <email>
function get_or_create_user {
# Gets user id
USER_ID=$(
# Gets user id
openstack user show $1 -f value -c id 2>/dev/null ||
# Creates new user
openstack user create \
$1 \
--password "$2" \
--project $3 \
--email $4 \
-f value -c id
)
echo $USER_ID
}
# Gets or creates project
# Usage: get_or_create_project <name>
function get_or_create_project {
# Gets project id
PROJECT_ID=$(
# Gets project id
openstack project show $1 -f value -c id 2>/dev/null ||
# Creates new project if not exists
openstack project create $1 -f value -c id
)
echo $PROJECT_ID
}
# Gets or creates role
# Usage: get_or_create_role <name>
function get_or_create_role {
ROLE_ID=$(
# Gets role id
openstack role show $1 -f value -c id 2>/dev/null ||
# Creates role if not exists
openstack role create $1 -f value -c id
)
echo $ROLE_ID
}
# Gets or adds user role
# Usage: get_or_add_user_role <role> <user> <project>
function get_or_add_user_role {
# Gets user role id
USER_ROLE_ID=$(openstack user role list \
$2 \
--project $3 \
--column "ID" \
--column "Name" \
| grep " $1 " | get_field 1)
if [[ -z "$USER_ROLE_ID" ]]; then
# Adds role to user
USER_ROLE_ID=$(openstack role add \
$1 \
--user $2 \
--project $3 \
| grep " id " | get_field 2)
fi
echo $USER_ROLE_ID
}
# Gets or creates service
# Usage: get_or_create_service <name> <type> <description>
function get_or_create_service {
# Gets service id
SERVICE_ID=$(
# Gets service id
openstack service show $1 -f value -c id 2>/dev/null ||
# Creates new service if not exists
openstack service create \
$1 \
--type=$2 \
--description="$3" \
-f value -c id
)
echo $SERVICE_ID
}
# Gets or creates endpoint
# Usage: get_or_create_endpoint <service> <region> <publicurl> <adminurl> <internalurl>
function get_or_create_endpoint {
# Gets endpoint id
ENDPOINT_ID=$(openstack endpoint list \
--column "ID" \
--column "Region" \
--column "Service Name" \
| grep " $2 " \
| grep " $1 " | get_field 1)
if [[ -z "$ENDPOINT_ID" ]]; then
# Creates new endpoint
ENDPOINT_ID=$(openstack endpoint create \
$1 \
--region $2 \
--publicurl $3 \
--adminurl $4 \
--internalurl $5 \
| grep " id " | get_field 2)
fi
echo $ENDPOINT_ID
}
# Package Functions
# =================

View File

@ -81,35 +81,22 @@ create_ceilometer_accounts() {
# Ceilometer
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
CEILOMETER_USER=$(openstack user create \
ceilometer \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email ceilometer@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $CEILOMETER_USER
CEILOMETER_USER=$(get_or_create_user "ceilometer" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "ceilometer@example.com")
get_or_add_user_role $ADMIN_ROLE $CEILOMETER_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
CEILOMETER_SERVICE=$(openstack service create \
ceilometer \
--type=metering \
--description="OpenStack Telemetry Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$CEILOMETER_SERVICE \
--region RegionOne \
--publicurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
--adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
--internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
CEILOMETER_SERVICE=$(get_or_create_service "ceilometer" \
"metering" "OpenStack Telemetry Service")
get_or_create_endpoint $CEILOMETER_SERVICE \
"$REGION_NAME" \
"$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
"$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
"$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
fi
if is_service_enabled swift; then
# Ceilometer needs ResellerAdmin role to access swift account stats.
openstack role add \
--project $SERVICE_TENANT_NAME \
--user ceilometer \
ResellerAdmin
get_or_add_user_role "ResellerAdmin" "ceilometer" $SERVICE_TENANT_NAME
fi
fi
}

View File

@ -339,39 +339,26 @@ function create_cinder_accounts {
# Cinder
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
CINDER_USER=$(openstack user create \
cinder \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email cinder@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $CINDER_USER
CINDER_USER=$(get_or_create_user "cinder" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "cinder@example.com")
get_or_add_user_role $ADMIN_ROLE $CINDER_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
CINDER_SERVICE=$(openstack service create \
cinder \
--type=volume \
--description="Cinder Volume Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$CINDER_SERVICE \
--region RegionOne \
--publicurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \
--adminurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \
--internalurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s"
CINDER_V2_SERVICE=$(openstack service create \
cinderv2 \
--type=volumev2 \
--description="Cinder Volume Service V2" \
| grep " id " | get_field 2)
openstack endpoint create \
$CINDER_V2_SERVICE \
--region RegionOne \
--publicurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \
--adminurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \
--internalurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s"
CINDER_SERVICE=$(get_or_create_service "cinder" \
"volume" "Cinder Volume Service")
get_or_create_endpoint $CINDER_SERVICE "$REGION_NAME" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s"
CINDER_V2_SERVICE=$(get_or_create_service "cinderv2" \
"volumev2" "Cinder Volume Service V2")
get_or_create_endpoint $CINDER_V2_SERVICE "$REGION_NAME" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s"
fi
fi
}

View File

@ -164,36 +164,28 @@ function configure_glance {
function create_glance_accounts {
if is_service_enabled g-api; then
openstack user create \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT_NAME \
glance
openstack role add \
--project $SERVICE_TENANT_NAME \
--user glance \
service
GLANCE_USER=$(get_or_create_user "glance" \
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance@example.com")
get_or_add_user_role service $GLANCE_USER $SERVICE_TENANT_NAME
# required for swift access
if is_service_enabled s-proxy; then
openstack user create \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT_NAME \
glance-swift
openstack role add \
--project $SERVICE_TENANT_NAME \
--user glance-swift \
ResellerAdmin
GLANCE_SWIFT_USER=$(get_or_create_user "glance-swift" \
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com")
get_or_add_user_role "ResellerAdmin" $GLANCE_SWIFT_USER $SERVICE_TENANT_NAME
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
openstack service create \
--type image \
--description "Glance Image Service" \
glance
openstack endpoint create \
--region RegionOne \
--publicurl "http://$GLANCE_HOSTPORT" \
--adminurl "http://$GLANCE_HOSTPORT" \
--internalurl "http://$GLANCE_HOSTPORT" \
glance
GLANCE_SERVICE=$(get_or_create_service "glance" \
"image" "Glance Image Service")
get_or_create_endpoint $GLANCE_SERVICE \
"$REGION_NAME" \
"http://$GLANCE_HOSTPORT" \
"http://$GLANCE_HOSTPORT" \
"http://$GLANCE_HOSTPORT"
fi
fi
}

View File

@ -98,6 +98,8 @@ function configure_heat {
iniset $HEAT_CONF database connection `database_connection_url heat`
iniset $HEAT_CONF DEFAULT auth_encryption_key `hexdump -n 16 -v -e '/1 "%02x"' /dev/urandom`
iniset $HEAT_CONF DEFAULT region_name_for_services "$REGION_NAME"
# logging
iniset $HEAT_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $HEAT_CONF DEFAULT use_syslog $SYSLOG
@ -214,57 +216,44 @@ function create_heat_accounts {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
HEAT_USER=$(openstack user create \
heat \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email heat@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $HEAT_USER
HEAT_USER=$(get_or_create_user "heat" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "heat@example.com")
get_or_add_user_role $ADMIN_ROLE $HEAT_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
HEAT_SERVICE=$(openstack service create \
heat \
--type=orchestration \
--description="Heat Orchestration Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$HEAT_SERVICE \
--region RegionOne \
--publicurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--adminurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--internalurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"
HEAT_CFN_SERVICE=$(openstack service create \
heat \
--type=cloudformation \
--description="Heat CloudFormation Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$HEAT_CFN_SERVICE \
--region RegionOne \
--publicurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \
--adminurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \
--internalurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1"
HEAT_SERVICE=$(get_or_create_service "heat" \
"orchestration" "Heat Orchestration Service")
get_or_create_endpoint $HEAT_SERVICE \
"$REGION_NAME" \
"$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
"$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
"$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"
HEAT_CFN_SERVICE=$(get_or_create_service "heat-cfn" \
"cloudformation" "Heat CloudFormation Service")
get_or_create_endpoint $HEAT_CFN_SERVICE \
"$REGION_NAME" \
"$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \
"$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \
"$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1"
fi
# heat_stack_user role is for users created by Heat
openstack role create heat_stack_user
get_or_create_role "heat_stack_user"
if [[ $HEAT_DEFERRED_AUTH == trusts ]]; then
# heat_stack_owner role is given to users who create Heat stacks,
# it's the default role used by heat to delegate to the heat service
# user (for performing deferred operations via trusts), see heat.conf
HEAT_OWNER_ROLE=$(openstack role create \
heat_stack_owner \
| grep " id " | get_field 2)
HEAT_OWNER_ROLE=$(get_or_create_role "heat_stack_owner")
# Give the role to the demo and admin users so they can create stacks
# in either of the projects created by devstack
openstack role add $HEAT_OWNER_ROLE --project demo --user demo
openstack role add $HEAT_OWNER_ROLE --project demo --user admin
openstack role add $HEAT_OWNER_ROLE --project admin --user admin
get_or_add_user_role $HEAT_OWNER_ROLE demo demo
get_or_add_user_role $HEAT_OWNER_ROLE admin demo
get_or_add_user_role $HEAT_OWNER_ROLE admin admin
iniset $HEAT_CONF DEFAULT deferred_auth_method trusts
fi
@ -272,6 +261,11 @@ function create_heat_accounts {
# Note we have to pass token/endpoint here because the current endpoint and
# version negotiation in OSC means just --os-identity-api-version=3 won't work
KS_ENDPOINT_V3="$KEYSTONE_SERVICE_URI/v3"
D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
--os-identity-api-version=3 domain list | grep ' heat ' | get_field 1)
if [[ -z "$D_ID" ]]; then
D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
--os-identity-api-version=3 domain create heat \
--description "Owns users and projects created by heat" \
@ -288,6 +282,7 @@ function create_heat_accounts {
iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin
iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD
fi
fi
}
# Restore xtrace

View File

@ -223,28 +223,21 @@ function create_ironic_accounts {
# Ironic
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
IRONIC_USER=$(openstack user create \
ironic \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email ironic@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $IRONIC_USER
# Get ironic user if exists
IRONIC_USER=$(get_or_create_user "ironic" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "ironic@example.com")
get_or_add_user_role $ADMIN_ROLE $IRONIC_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
IRONIC_SERVICE=$(openstack service create \
ironic \
--type=baremetal \
--description="Ironic baremetal provisioning service" \
| grep " id " | get_field 2)
openstack endpoint create \
$IRONIC_SERVICE \
--region RegionOne \
--publicurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \
--adminurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \
--internalurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT"
IRONIC_SERVICE=$(get_or_create_service "ironic" \
"baremetal" "Ironic baremetal provisioning service")
get_or_create_endpoint $IRONIC_SERVICE \
"$REGION_NAME" \
"$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \
"$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \
"$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT"
fi
fi
}

View File

@ -277,6 +277,8 @@ function configure_keystone {
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(process)d TRACE %(name)s %(instance)s"
_config_keystone_apache_wsgi
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
}
function configure_keystone_extensions {
@ -315,79 +317,55 @@ function configure_keystone_extensions {
function create_keystone_accounts {
# admin
ADMIN_TENANT=$(openstack project create \
admin \
| grep " id " | get_field 2)
ADMIN_USER=$(openstack user create \
admin \
--project "$ADMIN_TENANT" \
--email admin@example.com \
--password "$ADMIN_PASSWORD" \
| grep " id " | get_field 2)
ADMIN_ROLE=$(openstack role create \
admin \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $ADMIN_TENANT \
--user $ADMIN_USER
ADMIN_TENANT=$(get_or_create_project "admin")
ADMIN_USER=$(get_or_create_user "admin" \
"$ADMIN_PASSWORD" "$ADMIN_TENANT" "admin@example.com")
ADMIN_ROLE=$(get_or_create_role "admin")
get_or_add_user_role $ADMIN_ROLE $ADMIN_USER $ADMIN_TENANT
# Create service project/role
openstack project create $SERVICE_TENANT_NAME
get_or_create_project "$SERVICE_TENANT_NAME"
# Service role, so service users do not have to be admins
openstack role create service
get_or_create_role service
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
openstack role create ResellerAdmin
get_or_create_role ResellerAdmin
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \
Member \
| grep " id " | get_field 2)
MEMBER_ROLE=$(get_or_create_role "Member")
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(openstack role create \
anotherrole \
| grep " id " | get_field 2)
ANOTHER_ROLE=$(get_or_create_role "anotherrole")
# invisible tenant - admin can't see this one
INVIS_TENANT=$(openstack project create \
invisible_to_admin \
| grep " id " | get_field 2)
INVIS_TENANT=$(get_or_create_project "invisible_to_admin")
# demo
DEMO_TENANT=$(openstack project create \
demo \
| grep " id " | get_field 2)
DEMO_USER=$(openstack user create \
demo \
--project $DEMO_TENANT \
--email demo@example.com \
--password "$ADMIN_PASSWORD" \
| grep " id " | get_field 2)
DEMO_TENANT=$(get_or_create_project "demo")
DEMO_USER=$(get_or_create_user "demo" \
"$ADMIN_PASSWORD" "$DEMO_TENANT" "demo@example.com")
openstack role add --project $DEMO_TENANT --user $DEMO_USER $MEMBER_ROLE
openstack role add --project $DEMO_TENANT --user $ADMIN_USER $ADMIN_ROLE
openstack role add --project $DEMO_TENANT --user $DEMO_USER $ANOTHER_ROLE
openstack role add --project $INVIS_TENANT --user $DEMO_USER $MEMBER_ROLE
get_or_add_user_role $MEMBER_ROLE $DEMO_USER $DEMO_TENANT
get_or_add_user_role $ADMIN_ROLE $ADMIN_USER $DEMO_TENANT
get_or_add_user_role $ANOTHER_ROLE $DEMO_USER $DEMO_TENANT
get_or_add_user_role $MEMBER_ROLE $DEMO_USER $INVIS_TENANT
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
KEYSTONE_SERVICE=$(openstack service create \
keystone \
--type identity \
--description "Keystone Identity Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$KEYSTONE_SERVICE \
--region RegionOne \
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
KEYSTONE_SERVICE=$(get_or_create_service "keystone" \
"identity" "Keystone Identity Service")
get_or_create_endpoint $KEYSTONE_SERVICE \
"$REGION_NAME" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
fi
}

View File

@ -178,29 +178,19 @@ function create_marconi_accounts {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
MARCONI_USER=$(openstack user create \
marconi \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email marconi@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $MARCONI_USER
MARCONI_USER=$(get_or_create_user "marconi" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "marconi@example.com")
get_or_add_user_role $ADMIN_ROLE $MARCONI_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
MARCONI_SERVICE=$(openstack service create \
marconi \
--type=queuing \
--description="Marconi Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$MARCONI_SERVICE \
--region RegionOne \
--publicurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \
--adminurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \
--internalurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT"
MARCONI_SERVICE=$(get_or_create_service "marconi" \
"queuing" "Marconi Service")
get_or_create_endpoint $MARCONI_SERVICE \
"$REGION_NAME" \
"$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \
"$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \
"$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT"
fi
}

View File

@ -307,7 +307,7 @@ function create_nova_conf_neutron {
iniset $NOVA_CONF neutron admin_auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v2.0"
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
iniset $NOVA_CONF neutron admin_tenant_name "$SERVICE_TENANT_NAME"
iniset $NOVA_CONF neutron region_name "RegionOne"
iniset $NOVA_CONF neutron region_name "$REGION_NAME"
iniset $NOVA_CONF neutron url "http://$Q_HOST:$Q_PORT"
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
@ -350,28 +350,20 @@ function create_neutron_accounts {
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
NEUTRON_USER=$(openstack user create \
neutron \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email neutron@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $NEUTRON_USER
NEUTRON_USER=$(get_or_create_user "neutron" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "neutron@example.com")
get_or_add_user_role $ADMIN_ROLE $NEUTRON_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
NEUTRON_SERVICE=$(openstack service create \
neutron \
--type=network \
--description="Neutron Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$NEUTRON_SERVICE \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:9696/" \
--adminurl "http://$SERVICE_HOST:9696/" \
--internalurl "http://$SERVICE_HOST:9696/"
NEUTRON_SERVICE=$(get_or_create_service "neutron" \
"network" "Neutron Service")
get_or_create_endpoint $NEUTRON_SERVICE \
"$REGION_NAME" \
"http://$SERVICE_HOST:9696/" \
"http://$SERVICE_HOST:9696/" \
"http://$SERVICE_HOST:9696/"
fi
fi
}

View File

@ -333,39 +333,28 @@ create_nova_accounts() {
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
NOVA_USER=$(openstack user create \
nova \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email nova@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $NOVA_USER
NOVA_USER=$(get_or_create_user "nova" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "nova@example.com")
get_or_add_user_role $ADMIN_ROLE $NOVA_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
NOVA_SERVICE=$(openstack service create \
nova \
--type=compute \
--description="Nova Compute Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$NOVA_SERVICE \
--region RegionOne \
--publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
--adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
--internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"
NOVA_V3_SERVICE=$(openstack service create \
novav3 \
--type=computev3 \
--description="Nova Compute Service V3" \
| grep " id " | get_field 2)
openstack endpoint create \
$NOVA_V3_SERVICE \
--region RegionOne \
--publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \
--adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \
--internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
NOVA_SERVICE=$(get_or_create_service "nova" \
"compute" "Nova Compute Service")
get_or_create_endpoint $NOVA_SERVICE \
"$REGION_NAME" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"
NOVA_V3_SERVICE=$(get_or_create_service "novav3" \
"computev3" "Nova Compute Service V3")
get_or_create_endpoint $NOVA_V3_SERVICE \
"$REGION_NAME" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \
"$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
fi
fi
@ -374,40 +363,32 @@ create_nova_accounts() {
if is_service_enabled swift; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
openstack role add \
--project $SERVICE_TENANT_NAME \
--user nova \
ResellerAdmin
get_or_add_user_role ResellerAdmin nova $SERVICE_TENANT_NAME
fi
# EC2
if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
openstack service create \
--type ec2 \
--description "EC2 Compatibility Layer" \
ec2
openstack endpoint create \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
ec2
EC2_SERVICE=$(get_or_create_service "ec2" \
"ec2" "EC2 Compatibility Layer")
get_or_create_endpoint $EC2_SERVICE \
"$REGION_NAME" \
"http://$SERVICE_HOST:8773/services/Cloud" \
"http://$SERVICE_HOST:8773/services/Admin" \
"http://$SERVICE_HOST:8773/services/Cloud"
fi
fi
# S3
if is_service_enabled n-obj swift3; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
openstack service create \
--type s3 \
--description "S3" \
s3
openstack endpoint create \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
s3
S3_SERVICE=$(get_or_create_service "s3" "s3" "S3")
get_or_create_endpoint $S3_SERVICE \
"$REGION_NAME" \
"http://$SERVICE_HOST:$S3_SERVICE_PORT" \
"http://$SERVICE_HOST:$S3_SERVICE_PORT" \
"http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi
fi
}

View File

@ -60,29 +60,19 @@ function create_sahara_accounts {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
SAHARA_USER=$(openstack user create \
sahara \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email sahara@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $SAHARA_USER
SAHARA_USER=$(get_or_create_user "sahara" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "sahara@example.com")
get_or_add_user_role $ADMIN_ROLE $SAHARA_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
SAHARA_SERVICE=$(openstack service create \
sahara \
--type=data_processing \
--description="Sahara Data Processing" \
| grep " id " | get_field 2)
openstack endpoint create \
$SAHARA_SERVICE \
--region RegionOne \
--publicurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \
--adminurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \
--internalurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s"
SAHARA_SERVICE=$(get_or_create_service "sahara" \
"data_processing" "Sahara Data Processing")
get_or_create_endpoint $SAHARA_SERVICE \
"$REGION_NAME" \
"$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \
"$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \
"$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s"
fi
}

View File

@ -542,50 +542,40 @@ function create_swift_accounts {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
SWIFT_USER=$(openstack user create \
swift \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email=swift@example.com \
| grep " id " | get_field 2)
openstack role add \
$ADMIN_ROLE \
--project $SERVICE_TENANT \
--user $SWIFT_USER
SWIFT_USER=$(get_or_create_user "swift" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "swift@example.com")
get_or_add_user_role $ADMIN_ROLE $SWIFT_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
SWIFT_SERVICE=$(openstack service create \
swift \
--type="object-store" \
--description="Swift Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$SWIFT_SERVICE \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8080" \
--internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
SWIFT_SERVICE=$(get_or_create_service "swift" \
"object-store" "Swift Service")
get_or_create_endpoint $SWIFT_SERVICE \
"$REGION_NAME" \
"http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
"http://$SERVICE_HOST:8080" \
"http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
fi
SWIFT_TENANT_TEST1=$(openstack project create swifttenanttest1 | grep " id " | get_field 2)
SWIFT_TENANT_TEST1=$(get_or_create_project swifttenanttest1)
die_if_not_set $LINENO SWIFT_TENANT_TEST1 "Failure creating SWIFT_TENANT_TEST1"
SWIFT_USER_TEST1=$(openstack user create swiftusertest1 --password=$SWIFTUSERTEST1_PASSWORD \
--project "$SWIFT_TENANT_TEST1" --email=test@example.com | grep " id " | get_field 2)
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $SWIFTUSERTEST1_PASSWORD \
"$SWIFT_TENANT_TEST1" "test@example.com")
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
openstack role add --user $SWIFT_USER_TEST1 --project $SWIFT_TENANT_TEST1 $ADMIN_ROLE
get_or_add_user_role $ADMIN_ROLE $SWIFT_USER_TEST1 $SWIFT_TENANT_TEST1
SWIFT_USER_TEST3=$(openstack user create swiftusertest3 --password=$SWIFTUSERTEST3_PASSWORD \
--project "$SWIFT_TENANT_TEST1" --email=test3@example.com | grep " id " | get_field 2)
SWIFT_USER_TEST3=$(get_or_create_user swiftusertest3 $SWIFTUSERTEST3_PASSWORD \
"$SWIFT_TENANT_TEST1" "test3@example.com")
die_if_not_set $LINENO SWIFT_USER_TEST3 "Failure creating SWIFT_USER_TEST3"
openstack role add --user $SWIFT_USER_TEST3 --project $SWIFT_TENANT_TEST1 $ANOTHER_ROLE
get_or_add_user_role $ANOTHER_ROLE $SWIFT_USER_TEST3 $SWIFT_TENANT_TEST1
SWIFT_TENANT_TEST2=$(openstack project create swifttenanttest2 | grep " id " | get_field 2)
SWIFT_TENANT_TEST2=$(get_or_create_project swifttenanttest2)
die_if_not_set $LINENO SWIFT_TENANT_TEST2 "Failure creating SWIFT_TENANT_TEST2"
SWIFT_USER_TEST2=$(openstack user create swiftusertest2 --password=$SWIFTUSERTEST2_PASSWORD \
--project "$SWIFT_TENANT_TEST2" --email=test2@example.com | grep " id " | get_field 2)
SWIFT_USER_TEST2=$(get_or_create_user swiftusertest2 $SWIFTUSERTEST2_PASSWORD \
"$SWIFT_TENANT_TEST2" "test2@example.com")
die_if_not_set $LINENO SWIFT_USER_TEST2 "Failure creating SWIFT_USER_TEST2"
openstack role add --user $SWIFT_USER_TEST2 --project $SWIFT_TENANT_TEST2 $ADMIN_ROLE
get_or_add_user_role $ADMIN_ROLE $SWIFT_USER_TEST2 $SWIFT_TENANT_TEST2
}
# init_swift() - Initialize rings

View File

@ -397,16 +397,9 @@ function create_tempest_accounts {
if is_service_enabled tempest; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
openstack project create \
alt_demo
openstack user create \
--project alt_demo \
--password "$ADMIN_PASSWORD" \
alt_demo
openstack role add \
--project alt_demo \
--user alt_demo \
Member
get_or_create_project alt_demo
get_or_create_user alt_demo "$ADMIN_PASSWORD" alt_demo "alt_demo@example.com"
get_or_add_user_role Member alt_demo alt_demo
fi
}

View File

@ -82,28 +82,20 @@ function create_trove_accounts {
SERVICE_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
TROVE_USER=$(openstack user create \
trove \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT \
--email trove@example.com \
| grep " id " | get_field 2)
openstack role add \
$SERVICE_ROLE \
--project $SERVICE_TENANT \
--user $TROVE_USER
TROVE_USER=$(get_or_create_user "trove" \
"$SERVICE_PASSWORD" $SERVICE_TENANT "trove@example.com")
get_or_add_user_role $SERVICE_ROLE $TROVE_USER $SERVICE_TENANT
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
TROVE_SERVICE=$(openstack service create \
trove \
--type=database \
--description="Trove Service" \
| grep " id " | get_field 2)
openstack endpoint create \
$TROVE_SERVICE \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s"
TROVE_SERVICE=$(get_or_create_service "trove" \
"database" "Trove Service")
get_or_create_endpoint $TROVE_SERVICE \
"$REGION_NAME" \
"http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s" \
"http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s" \
"http://$SERVICE_HOST:8779/v1.0/\$(tenant_id)s"
fi
fi
}

6
openrc
View File

@ -53,12 +53,16 @@ export OS_PASSWORD=${ADMIN_PASSWORD:-secrete}
# easier with this off.
export OS_NO_CACHE=${OS_NO_CACHE:-1}
# Region
export OS_REGION_NAME=${REGION_NAME:-RegionOne}
# Set api HOST_IP endpoint. SERVICE_HOST may also be used to specify the endpoint,
# which is convenient for some localrc configurations.
HOST_IP=${HOST_IP:-127.0.0.1}
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
# Some exercises call glance directly. On a single-node installation, Glance
# should be listening on HOST_IP. If its running elsewhere, it can be set here
@ -72,7 +76,7 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
# the user/tenant has access to - including nova, glance, keystone, swift, ...
# We currently recommend using the 2.0 *identity api*.
#
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:5000/v${OS_IDENTITY_API_VERSION}
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}

View File

@ -726,8 +726,10 @@ git_clone $OPENSTACKCLIENT_REPO $OPENSTACKCLIENT_DIR $OPENSTACKCLIENT_BRANCH
setup_develop $OPENSTACKCLIENT_DIR
if is_service_enabled key; then
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
install_keystone
configure_keystone
fi
fi
if is_service_enabled s-proxy; then
@ -926,8 +928,11 @@ fi
if is_service_enabled key; then
echo_summary "Starting Keystone"
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
init_keystone
start_keystone
fi
# Set up a temporary admin URI for Keystone
SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v2.0
@ -968,6 +973,7 @@ if is_service_enabled key; then
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_REGION_NAME=$REGION_NAME
fi

View File

@ -19,6 +19,9 @@ else
STACK_USER=$(whoami)
fi
# Specify region name Region
REGION_NAME=${REGION_NAME:-RegionOne}
# Specify which services to launch. These generally correspond to
# screen tabs. To change the default list, use the ``enable_service`` and
# ``disable_service`` functions in ``local.conf``.