bootstrap keystone using new bootstrap command

Be gone ADMIN_TOKEN, long live keystone-manage bootstrap.

This patch reworks the initial setup for keystone by using
the new bootstrap command. After a minimal service catalog
has been created using this process, we simply authenticate
as usual.

implements bp: bootstrap
Depends-On: I113c6934b6b83ceff23a94101967a6df1126873f
Change-Id: Ia1475d461eab60b68c6a0356714b21c7f92e0194
Steve Martinelli 2015-12-20 00:24:19 -05:00
parent 8df31a107d
commit 923be5f791
3 changed files with 81 additions and 60 deletions


@ -12,7 +12,6 @@
# - ``IDENTITY_API_VERSION`` # - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN`` # - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` # - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``SERVICE_TOKEN``
# - ``S3_SERVICE_PORT`` (template backend only) # - ``S3_SERVICE_PORT`` (template backend only)
# ``stack.sh`` calls the entry points in this order: # ``stack.sh`` calls the entry points in this order:
@ -22,6 +21,7 @@
# - _config_keystone_apache_wsgi # - _config_keystone_apache_wsgi
# - init_keystone # - init_keystone
# - start_keystone # - start_keystone
# - bootstrap_keystone
# - create_keystone_accounts # - create_keystone_accounts
# - stop_keystone # - stop_keystone
# - cleanup_keystone # - cleanup_keystone
@ -230,8 +230,6 @@ function configure_keystone {
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
fi fi
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
fi fi
@ -324,14 +322,16 @@ function configure_keystone {
# Migrated from keystone_data.sh # Migrated from keystone_data.sh
function create_keystone_accounts { function create_keystone_accounts {
# admin # The keystone bootstrapping process (performed via keystone-manage bootstrap)
# creates an admin user, admin role and admin project. As a sanity check
# we exercise the CLI to retrieve the IDs for these values.
local admin_tenant local admin_tenant
admin_tenant=$(get_or_create_project "admin" default) admin_tenant=$(openstack project show "admin" -f value -c id)
local admin_user local admin_user
admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default) admin_user=$(openstack user show "admin" -f value -c id)
local admin_role local admin_role
admin_role=$(get_or_create_role "admin") admin_role=$(openstack role show "admin" -f value -c id)
get_or_add_user_project_role $admin_role $admin_user $admin_tenant
get_or_add_user_domain_role $admin_role $admin_user default get_or_add_user_domain_role $admin_role $admin_user default
# Create service project/role # Create service project/role
@ -381,17 +381,6 @@ function create_keystone_accounts {
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
get_or_add_group_project_role $admin_role $admin_group $admin_tenant get_or_add_group_project_role $admin_role $admin_group $admin_tenant
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
get_or_create_service "keystone" "identity" "Keystone Identity Service"
get_or_create_endpoint "identity" \
"$REGION_NAME" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
fi
} }
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. # Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
@ -565,6 +554,55 @@ function stop_keystone {
stop_process key stop_process key
} }
# bootstrap_keystone() - Initialize user, role and project
# This function uses the following GLOBAL variables:
# - ``KEYSTONE_BIN_DIR``
# - ``ADMIN_PASSWORD``
# - ``IDENTITY_API_VERSION``
# - ``KEYSTONE_CATALOG_BACKEND``
# - ``KEYSTONE_AUTH_URI``
# - ``REGION_NAME``
# - ``KEYSTONE_SERVICE_PROTOCOL``
# - ``KEYSTONE_SERVICE_HOST``
# - ``KEYSTONE_SERVICE_PORT``
function bootstrap_keystone {
# Initialize keystone, this will create an 'admin' user, 'admin' project,
# 'admin' role, and assign the user the role on the project. These resources
# are created only if they do not already exist.
$KEYSTONE_BIN_DIR/keystone-manage bootstrap --bootstrap-password $ADMIN_PASSWORD
# Create the keystone service and endpoints. To do this with the new
# bootstrapping process, we need to get a token and use that token to
# interact with the new APIs. The token will only be used to create services
# and endpoints, thus creating a minimal service catalog.
# They are unset immediately after.
# TODO(stevemar): OpenStackClient and KeystoneClient do not have support to
# handle interactions that not return service catalogs. Eventually remove
# this section when the support is in place. Use token based auth for now.
local token_id
token_id=$(openstack token issue -c id -f value \
--os-username admin --os-project-name admin \
--os-user-domain-id default --os-project-domain-id default \
--os-identity-api-version 3 --os-auth-url $KEYSTONE_AUTH_URI \
--os-password $ADMIN_PASSWORD)
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
export OS_TOKEN=$token_id
export OS_URL=$KEYSTONE_AUTH_URI/v3
export OS_IDENTITY_API_VERSION=3
get_or_create_service "keystone" "identity" "Keystone Identity Service"
get_or_create_endpoint "identity" \
"$REGION_NAME" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
fi
unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION
}
# Restore xtrace # Restore xtrace
$_XTRACE_KEYSTONE $_XTRACE_KEYSTONE
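Review bot: The admin password is placed on a command line twice in bootstrap_keystone — `--bootstrap-password $ADMIN_PASSWORD` on the keystone-manage call and `--os-password $ADMIN_PASSWORD` on the token issue — where it is readable by any local user through the process list and is echoed into the log whenever xtrace is active. Both tools accept the password from the environment instead (`OS_BOOTSTRAP_PASSWORD` for keystone-manage bootstrap, `OS_PASSWORD` for openstack), which keeps it out of argv even if it still appears in a trace. The token is also issued unconditionally although it is only used inside the `KEYSTONE_CATALOG_BACKEND = 'sql'` branch, and the expansions on those lines are unquoted; moving the issue into the branch and quoting `"$KEYSTONE_AUTH_URI"` tidies both. Unsetting OS_TOKEN does not invalidate the token server-side, so once the endpoints exist it is presumably worth revoking it with `openstack token revoke "$token_id"` rather than leaving it valid until expiry.
```shell
function bootstrap_keystone {
    # … unchanged: header comments …
    OS_BOOTSTRAP_PASSWORD=$ADMIN_PASSWORD \
        "$KEYSTONE_BIN_DIR"/keystone-manage bootstrap
    # … unchanged: catalog comments and TODO …
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        local token_id
        token_id=$(OS_PASSWORD=$ADMIN_PASSWORD openstack token issue -c id -f value \
            --os-username admin --os-project-name admin \
            --os-user-domain-id default --os-project-domain-id default \
            --os-identity-api-version 3 --os-auth-url "$KEYSTONE_AUTH_URI")
        export OS_TOKEN=$token_id
        # … unchanged: OS_URL / OS_IDENTITY_API_VERSION exports, get_or_create_service, get_or_create_endpoint …
        unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION
        openstack token revoke "$token_id" \
            --os-auth-url "$KEYSTONE_AUTH_URI" --os-identity-api-version 3 \
            --os-username admin --os-project-name admin \
            --os-user-domain-id default --os-project-domain-id default
    fi
}
```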


@ -23,10 +23,8 @@
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when # While ``stack.sh`` is happy to run without ``localrc``, devlife is better when
# there are a few minimal variables set: # there are a few minimal variables set:
# If the ``SERVICE_TOKEN`` and ``*_PASSWORD`` variables are not set # If the ``*_PASSWORD`` variables are not set here you will be prompted to enter
# here you will be prompted to enter values for them by ``stack.sh`` # values for them by ``stack.sh``and they will be added to ``local.conf``.
# and they will be added to ``local.conf``.
SERVICE_TOKEN=azertytoken
ADMIN_PASSWORD=nomoresecrete ADMIN_PASSWORD=nomoresecrete
DATABASE_PASSWORD=stackdb DATABASE_PASSWORD=stackdb
RABBIT_PASSWORD=stackqueue RABBIT_PASSWORD=stackqueue


@ -652,9 +652,6 @@ fi
# -------- # --------
if is_service_enabled keystone; then if is_service_enabled keystone; then
# The ``SERVICE_TOKEN`` is used to bootstrap the Keystone database. It is
# just a string and is not a 'real' Keystone token.
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN."
# Services authenticate to Identity with servicename/``SERVICE_PASSWORD`` # Services authenticate to Identity with servicename/``SERVICE_PASSWORD``
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
# Horizon currently truncates usernames and passwords at 20 characters # Horizon currently truncates usernames and passwords at 20 characters
@ -994,22 +991,34 @@ if is_service_enabled keystone; then
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
init_keystone init_keystone
start_keystone start_keystone
bootstrap_keystone
fi fi
export OS_IDENTITY_API_VERSION=3
# Set up a temporary admin URI for Keystone
SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v3
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
export OS_CACERT=$INT_CA_DIR/ca-chain.pem export OS_CACERT=$INT_CA_DIR/ca-chain.pem
# Until the client support is fixed, just use the internal endpoint
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3
fi fi
# Setup OpenStackClient token-endpoint auth # Rather than just export these, we write them out to a
export OS_TOKEN=$SERVICE_TOKEN # intermediate userrc file that can also be used to debug if
export OS_URL=$SERVICE_ENDPOINT # something goes wrong between here and running
# tools/create_userrc.sh (this script relies on services other
# than keystone being available, so we can't call it right now)
cat > $TOP_DIR/userrc_early <<EOF
# Use this for debugging issues before files in accrc are created
# Set up password auth credentials now that Keystone is bootstrapped
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
export OS_USERNAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=$REGION_NAME
EOF
source $TOP_DIR/userrc_early
create_keystone_accounts create_keystone_accounts
create_nova_accounts create_nova_accounts
@ -1025,30 +1034,6 @@ if is_service_enabled keystone; then
create_heat_accounts create_heat_accounts
fi fi
# Begone token auth
unset OS_TOKEN OS_URL
# Rather than just export these, we write them out to a
# intermediate userrc file that can also be used to debug if
# something goes wrong between here and running
# tools/create_userrc.sh (this script relies on services other
# than keystone being available, so we can't call it right now)
cat > $TOP_DIR/userrc_early <<EOF
# Use this for debugging issues before files in accrc are created
# Set up password auth credentials now that Keystone is bootstrapped
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
export OS_USERNAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=$REGION_NAME
EOF
source $TOP_DIR/userrc_early
fi fi
# Write a clouds.yaml file # Write a clouds.yaml file
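Review bot: In the hunk around `bootstrap_keystone`, the call now runs before `export OS_CACERT=$INT_CA_DIR/ca-chain.pem`, yet its `openstack token issue` authenticates against $KEYSTONE_AUTH_URI; if that URI is served through tls-proxy the client has no CA to verify against at that point and the call presumably fails or invites a verify-disabled workaround. Hoisting the `if is_service_enabled tls-proxy; then … fi` block above `if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then` makes the export precede the bootstrap. The userrc_early file written in the same hunk carries `export OS_PASSWORD=$ADMIN_PASSWORD` in clear text, so it should be created with restrictive permissions, e.g. `chmod 600 $TOP_DIR/userrc_early` right after the heredoc. The enclosing `if is_service_enabled keystone` block begins outside the hunk.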