bootstrap keystone using new bootstrap command
Be gone ADMIN_TOKEN, long live keystone-manage bootstrap. This patch reworks the initial setup for keystone by using the new bootstrap command. Once a minimal service catalog has been created by this process, we simply authenticate as usual. implements bp: bootstrap Depends-On: I113c6934b6b83ceff23a94101967a6df1126873f Change-Id: Ia1475d461eab60b68c6a0356714b21c7f92e0194
This commit is contained in:
parent
8df31a107d
commit
923be5f791
76
lib/keystone
76
lib/keystone
@ -12,7 +12,6 @@
|
|||||||
# - ``IDENTITY_API_VERSION``
|
# - ``IDENTITY_API_VERSION``
|
||||||
# - ``BASE_SQL_CONN``
|
# - ``BASE_SQL_CONN``
|
||||||
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
|
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
|
||||||
# - ``SERVICE_TOKEN``
|
|
||||||
# - ``S3_SERVICE_PORT`` (template backend only)
|
# - ``S3_SERVICE_PORT`` (template backend only)
|
||||||
|
|
||||||
# ``stack.sh`` calls the entry points in this order:
|
# ``stack.sh`` calls the entry points in this order:
|
||||||
@ -22,6 +21,7 @@
|
|||||||
# - _config_keystone_apache_wsgi
|
# - _config_keystone_apache_wsgi
|
||||||
# - init_keystone
|
# - init_keystone
|
||||||
# - start_keystone
|
# - start_keystone
|
||||||
|
# - bootstrap_keystone
|
||||||
# - create_keystone_accounts
|
# - create_keystone_accounts
|
||||||
# - stop_keystone
|
# - stop_keystone
|
||||||
# - cleanup_keystone
|
# - cleanup_keystone
|
||||||
@ -230,8 +230,6 @@ function configure_keystone {
|
|||||||
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
||||||
fi
|
fi
|
||||||
|
|
||||||
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
|
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
|
||||||
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
|
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
|
||||||
fi
|
fi
|
||||||
@ -324,14 +322,16 @@ function configure_keystone {
|
|||||||
# Migrated from keystone_data.sh
|
# Migrated from keystone_data.sh
|
||||||
function create_keystone_accounts {
|
function create_keystone_accounts {
|
||||||
|
|
||||||
# admin
|
# The keystone bootstrapping process (performed via keystone-manage bootstrap)
|
||||||
|
# creates an admin user, admin role and admin project. As a sanity check
|
||||||
|
# we exercise the CLI to retrieve the IDs for these values.
|
||||||
local admin_tenant
|
local admin_tenant
|
||||||
admin_tenant=$(get_or_create_project "admin" default)
|
admin_tenant=$(openstack project show "admin" -f value -c id)
|
||||||
local admin_user
|
local admin_user
|
||||||
admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default)
|
admin_user=$(openstack user show "admin" -f value -c id)
|
||||||
local admin_role
|
local admin_role
|
||||||
admin_role=$(get_or_create_role "admin")
|
admin_role=$(openstack role show "admin" -f value -c id)
|
||||||
get_or_add_user_project_role $admin_role $admin_user $admin_tenant
|
|
||||||
get_or_add_user_domain_role $admin_role $admin_user default
|
get_or_add_user_domain_role $admin_role $admin_user default
|
||||||
|
|
||||||
# Create service project/role
|
# Create service project/role
|
||||||
@ -381,17 +381,6 @@ function create_keystone_accounts {
|
|||||||
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
|
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
|
||||||
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
|
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
|
||||||
get_or_add_group_project_role $admin_role $admin_group $admin_tenant
|
get_or_add_group_project_role $admin_role $admin_group $admin_tenant
|
||||||
|
|
||||||
# Keystone
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
|
||||||
|
|
||||||
get_or_create_service "keystone" "identity" "Keystone Identity Service"
|
|
||||||
get_or_create_endpoint "identity" \
|
|
||||||
"$REGION_NAME" \
|
|
||||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
|
|
||||||
"$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
|
|
||||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
||||||
@ -565,6 +554,55 @@ function stop_keystone {
|
|||||||
stop_process key
|
stop_process key
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# bootstrap_keystone() - Initialize user, role and project
|
||||||
|
# This function uses the following GLOBAL variables:
|
||||||
|
# - ``KEYSTONE_BIN_DIR``
|
||||||
|
# - ``ADMIN_PASSWORD``
|
||||||
|
# - ``IDENTITY_API_VERSION``
|
||||||
|
# - ``KEYSTONE_CATALOG_BACKEND``
|
||||||
|
# - ``KEYSTONE_AUTH_URI``
|
||||||
|
# - ``REGION_NAME``
|
||||||
|
# - ``KEYSTONE_SERVICE_PROTOCOL``
|
||||||
|
# - ``KEYSTONE_SERVICE_HOST``
|
||||||
|
# - ``KEYSTONE_SERVICE_PORT``
|
||||||
|
function bootstrap_keystone {
|
||||||
|
|
||||||
|
# Initialize keystone, this will create an 'admin' user, 'admin' project,
|
||||||
|
# 'admin' role, and assign the user the role on the project. These resources
|
||||||
|
# are created only if they do not already exist.
|
||||||
|
$KEYSTONE_BIN_DIR/keystone-manage bootstrap --bootstrap-password $ADMIN_PASSWORD
|
||||||
|
|
||||||
|
# Create the keystone service and endpoints. To do this with the new
|
||||||
|
# bootstrapping process, we need to get a token and use that token to
|
||||||
|
# interact with the new APIs. The token will only be used to create services
|
||||||
|
# and endpoints, thus creating a minimal service catalog.
|
||||||
|
# They are unset immediately after.
|
||||||
|
# TODO(stevemar): OpenStackClient and KeystoneClient do not have support to
|
||||||
|
# handle interactions that not return service catalogs. Eventually remove
|
||||||
|
# this section when the support is in place. Use token based auth for now.
|
||||||
|
local token_id
|
||||||
|
token_id=$(openstack token issue -c id -f value \
|
||||||
|
--os-username admin --os-project-name admin \
|
||||||
|
--os-user-domain-id default --os-project-domain-id default \
|
||||||
|
--os-identity-api-version 3 --os-auth-url $KEYSTONE_AUTH_URI \
|
||||||
|
--os-password $ADMIN_PASSWORD)
|
||||||
|
|
||||||
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
export OS_TOKEN=$token_id
|
||||||
|
export OS_URL=$KEYSTONE_AUTH_URI/v3
|
||||||
|
export OS_IDENTITY_API_VERSION=3
|
||||||
|
|
||||||
|
get_or_create_service "keystone" "identity" "Keystone Identity Service"
|
||||||
|
get_or_create_endpoint "identity" \
|
||||||
|
"$REGION_NAME" \
|
||||||
|
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
|
||||||
|
"$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION" \
|
||||||
|
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
|
||||||
|
fi
|
||||||
|
|
||||||
|
unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION
|
||||||
|
}
|
||||||
|
|
||||||
# Restore xtrace
|
# Restore xtrace
|
||||||
$_XTRACE_KEYSTONE
|
$_XTRACE_KEYSTONE
|
||||||
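Review bot: In bootstrap_keystone both credential-bearing arguments are passed unquoted on the command line, `--bootstrap-password $ADMIN_PASSWORD` and `--os-password $ADMIN_PASSWORD`, so a password containing whitespace or glob characters is mangled, and the value shows up in `ps` output and in the xtrace log this file toggles via `_XTRACE_KEYSTONE`. At minimum quote them, `--bootstrap-password "$ADMIN_PASSWORD"` and `--os-password "$ADMIN_PASSWORD"`; better, hand them over through the environment (`OS_PASSWORD` for the `openstack token issue` call, as the userrc_early block in this same commit already does, and `OS_BOOTSTRAP_PASSWORD` for keystone-manage, which reads it when the flag is absent). The token is also issued unconditionally but only consumed inside the `KEYSTONE_CATALOG_BACKEND = 'sql'` branch, so moving the `openstack token issue` call into that branch avoids minting and tracing a token that is otherwise never used. The comment "They are unset immediately after." overstates the cleanup: `unset OS_TOKEN` leaves the token valid until expiry, so consider `openstack token revoke "$token_id"` before the unset and say so in the comment.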
|
@ -23,10 +23,8 @@
|
|||||||
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when
|
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when
|
||||||
# there are a few minimal variables set:
|
# there are a few minimal variables set:
|
||||||
|
|
||||||
# If the ``SERVICE_TOKEN`` and ``*_PASSWORD`` variables are not set
|
# If the ``*_PASSWORD`` variables are not set here you will be prompted to enter
|
||||||
# here you will be prompted to enter values for them by ``stack.sh``
|
# values for them by ``stack.sh``and they will be added to ``local.conf``.
|
||||||
# and they will be added to ``local.conf``.
|
|
||||||
SERVICE_TOKEN=azertytoken
|
|
||||||
ADMIN_PASSWORD=nomoresecrete
|
ADMIN_PASSWORD=nomoresecrete
|
||||||
DATABASE_PASSWORD=stackdb
|
DATABASE_PASSWORD=stackdb
|
||||||
RABBIT_PASSWORD=stackqueue
|
RABBIT_PASSWORD=stackqueue
|
||||||
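Review bot: The rewritten comment on the new side is missing a space between the ``stack.sh`` literal and "and"; it should read "# values for them by ``stack.sh`` and they will be added to ``local.conf``." The file this hunk belongs to is not named on the page, though the content suggests the sample local.conf.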
|
59
stack.sh
59
stack.sh
@ -652,9 +652,6 @@ fi
|
|||||||
# --------
|
# --------
|
||||||
|
|
||||||
if is_service_enabled keystone; then
|
if is_service_enabled keystone; then
|
||||||
# The ``SERVICE_TOKEN`` is used to bootstrap the Keystone database. It is
|
|
||||||
# just a string and is not a 'real' Keystone token.
|
|
||||||
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN."
|
|
||||||
# Services authenticate to Identity with servicename/``SERVICE_PASSWORD``
|
# Services authenticate to Identity with servicename/``SERVICE_PASSWORD``
|
||||||
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
|
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
|
||||||
# Horizon currently truncates usernames and passwords at 20 characters
|
# Horizon currently truncates usernames and passwords at 20 characters
|
||||||
@ -994,22 +991,34 @@ if is_service_enabled keystone; then
|
|||||||
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
|
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
|
||||||
init_keystone
|
init_keystone
|
||||||
start_keystone
|
start_keystone
|
||||||
|
bootstrap_keystone
|
||||||
fi
|
fi
|
||||||
|
|
||||||
export OS_IDENTITY_API_VERSION=3
|
|
||||||
|
|
||||||
# Set up a temporary admin URI for Keystone
|
|
||||||
SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v3
|
|
||||||
|
|
||||||
if is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||||
# Until the client support is fixed, just use the internal endpoint
|
|
||||||
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup OpenStackClient token-endpoint auth
|
# Rather than just export these, we write them out to a
|
||||||
export OS_TOKEN=$SERVICE_TOKEN
|
# intermediate userrc file that can also be used to debug if
|
||||||
export OS_URL=$SERVICE_ENDPOINT
|
# something goes wrong between here and running
|
||||||
|
# tools/create_userrc.sh (this script relies on services other
|
||||||
|
# than keystone being available, so we can't call it right now)
|
||||||
|
cat > $TOP_DIR/userrc_early <<EOF
|
||||||
|
# Use this for debugging issues before files in accrc are created
|
||||||
|
|
||||||
|
# Set up password auth credentials now that Keystone is bootstrapped
|
||||||
|
export OS_IDENTITY_API_VERSION=3
|
||||||
|
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
|
||||||
|
export OS_USERNAME=admin
|
||||||
|
export OS_USER_DOMAIN_ID=default
|
||||||
|
export OS_PASSWORD=$ADMIN_PASSWORD
|
||||||
|
export OS_PROJECT_NAME=admin
|
||||||
|
export OS_PROJECT_DOMAIN_ID=default
|
||||||
|
export OS_REGION_NAME=$REGION_NAME
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
source $TOP_DIR/userrc_early
|
||||||
|
|
||||||
create_keystone_accounts
|
create_keystone_accounts
|
||||||
create_nova_accounts
|
create_nova_accounts
|
||||||
@ -1025,30 +1034,6 @@ if is_service_enabled keystone; then
|
|||||||
create_heat_accounts
|
create_heat_accounts
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Begone token auth
|
|
||||||
unset OS_TOKEN OS_URL
|
|
||||||
|
|
||||||
# Rather than just export these, we write them out to a
|
|
||||||
# intermediate userrc file that can also be used to debug if
|
|
||||||
# something goes wrong between here and running
|
|
||||||
# tools/create_userrc.sh (this script relies on services other
|
|
||||||
# than keystone being available, so we can't call it right now)
|
|
||||||
cat > $TOP_DIR/userrc_early <<EOF
|
|
||||||
# Use this for debugging issues before files in accrc are created
|
|
||||||
|
|
||||||
# Set up password auth credentials now that Keystone is bootstrapped
|
|
||||||
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
|
|
||||||
export OS_USERNAME=admin
|
|
||||||
export OS_USER_DOMAIN_ID=default
|
|
||||||
export OS_PASSWORD=$ADMIN_PASSWORD
|
|
||||||
export OS_PROJECT_NAME=admin
|
|
||||||
export OS_PROJECT_DOMAIN_ID=default
|
|
||||||
export OS_REGION_NAME=$REGION_NAME
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
source $TOP_DIR/userrc_early
|
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Write a clouds.yaml file
|
# Write a clouds.yaml file
|
||||||
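Review bot: bootstrap_keystone is now invoked before the tls-proxy branch exports `OS_CACERT`, yet it authenticates against `$KEYSTONE_AUTH_URI` with `openstack token issue`; if that URI is https under tls-proxy (the removed line `SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3` with its "Until the client support is fixed" comment suggests the old code avoided exactly this), the token request will fail certificate verification. Move `export OS_CACERT=$INT_CA_DIR/ca-chain.pem` (still guarded by `is_service_enabled tls-proxy`) ahead of the `if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]` block, or pass `--os-cacert` inside bootstrap_keystone. Separately, the relocated `cat > $TOP_DIR/userrc_early` heredoc writes `OS_PASSWORD=$ADMIN_PASSWORD` to disk under the process umask; a `chmod 600 "$TOP_DIR/userrc_early"` right after the heredoc would keep the admin credential from being world-readable. The enclosing `if is_service_enabled keystone` block starts outside the hunk.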
|