diff --git a/files/default_catalog.templates b/files/default_catalog.templates
new file mode 100644
index 0000000000..b527ae5034
--- /dev/null
+++ b/files/default_catalog.templates
@@ -0,0 +1,30 @@
+# config for TemplatedCatalog, using camelCase because I don't want to do
+# translations for legacy compat
+catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0
+catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.name = 'Identity Service'
+
+
+catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.name = 'Compute Service'
+
+
+catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin
+catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.name = 'EC2 Service'
+
+
+catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.name = 'Image Service'
+
+
+catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/
+catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.name = 'Swift Service'
diff --git a/files/keystone.conf b/files/keystone.conf
index 6d0fd7e11d..0649e90725 100644
--- a/files/keystone.conf
+++ b/files/keystone.conf
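Review bot: The header comment explains the camelCase keys but not the two different placeholder syntaxes in the values, so a reader editing this file cannot tell which tokens are resolved when: `%SERVICE_HOST%` is a devstack token that stack.sh replaces with sed when the file is copied, while `$(public_port)s`, `$(admin_port)s` and `$(tenant_id)s` are presumably left for TemplatedCatalog to expand at request time. Suggest a third header line, `# %NAME% tokens are replaced by stack.sh at install time; $(name)s tokens are expanded by TemplatedCatalog at runtime`. It is also worth confirming whether the single quotes around the `.name` values are stripped by the catalog parser or stored literally in the catalog entries; if they survive, drop them, since nothing else in the file is quoted.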
@@ -1,112 +1,61 @@
 [DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = False
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = False
-
-# Which backend store should Keystone use by default.
-# Default: 'sqlite'
-# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
-default_store = sqlite
-
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
+public_port = 5000
+admin_port = 35357
+admin_token = %SERVICE_TOKEN%
 log_file = %DEST%/keystone/keystone.log
-# List of backends to be configured
-backends = keystone.backends.sqlalchemy
-#For LDAP support, add: ,keystone.backends.ldap
+[sql]
+connection = %SQL_CONN%
+idle_timeout = 30
+min_pool_size = 5
+max_pool_size = 10
+pool_timeout = 200
-# Dictionary Maps every service to a header.Missing services would get header
-# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
-service-header-mappings = {
- 'nova' : 'X-Server-Management-Url',
- 'swift' : 'X-Storage-Url',
- 'cdn' : 'X-CDN-Management-Url'}
+[identity]
+driver = keystone.backends.sql.SqlIdentity
-#List of extensions currently supported
-extensions= osksadm,oskscatalog
+[catalog]
+driver = keystone.backends.templated.TemplatedCatalog
+template_file = ./etc/default_catalog.templates
-# Address to bind the API server
-# TODO Properties defined within app not available via pipeline.
-service_host = 0.0.0.0
+[token]
+driver = keystone.backends.kvs.KvsToken
-# Port the bind the API server to
-service_port = 5000
-
-# SSL for API server
-service_ssl = False
-
-# Address to bind the Admin API server
-admin_host = 0.0.0.0
-
-# Port the bind the Admin API server to
-admin_port = 35357
-
-# SSL for API Admin server
-admin_ssl = False
-
-# Keystone certificate file (modify as needed)
-# Only required if *_ssl is set to True
-certfile = /etc/keystone/ssl/certs/keystone.pem
-
-# Keystone private key file (modify as needed)
-# Only required if *_ssl is set to True
-keyfile = /etc/keystone/ssl/private/keystonekey.pem
-
-# Keystone trusted CA certificates (modify as needed)
-# Only required if *_ssl is set to True
-ca_certs = /etc/keystone/ssl/certs/ca.pem
-
-# Client certificate required
-# Only relevant if *_ssl is set to True
-cert_required = True
-
-#Role that allows to perform admin operations.
-keystone-admin-role = admin
-
-#Role that allows to perform service admin operations.
-keystone-service-admin-role = KeystoneServiceAdmin
-
-#Tells whether password user need to be hashed in the backend
-hash-password = True
-
-[keystone.backends.sqlalchemy]
-# SQLAlchemy connection string for the reference implementation registry
-# server. Any valid SQLAlchemy connection string is fine.
-# See: http://bit.ly/ideIpI
-sql_connection = %SQL_CONN%
-backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
- 'User', 'Credentials', 'EndpointTemplates', 'Token',
- 'Service']
-
-# Period in seconds after which SQLAlchemy should reestablish its connection
-# to the database.
-sql_idle_timeout = 30
-
-[pipeline:admin]
-pipeline =
- urlrewritefilter
- admin_api
-
-[pipeline:keystone-legacy-auth]
-pipeline =
- urlrewritefilter
- legacy_auth
- service_api
-
-[app:service_api]
-paste.app_factory = keystone.server:service_app_factory
-
-[app:admin_api]
-paste.app_factory = keystone.server:admin_app_factory
-
-[filter:urlrewritefilter]
-paste.filter_factory = keystone.middleware.url:filter_factory
-
-[filter:legacy_auth]
-paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
+[policy]
+driver = keystone.backends.policy.SimpleMatch
 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:debug_filter_factory
+paste.filter_factory = keystone.wsgi:Debug.factory
+
+[filter:token_auth]
+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+
+[filter:admin_token_auth]
+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+
+[filter:json_body]
+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+
+[filter:crud_extension]
+paste.filter_factory = keystone.service:AdminCrudExtension.factory
+
+
+[app:public_service]
+paste.app_factory = keystone.service:public_app_factory
+
+[app:admin_service]
+paste.app_factory = keystone.service:admin_app_factory
+
+[pipeline:public_api]
+pipeline = token_auth admin_token_auth json_body debug public_service
+
+[pipeline:admin_api]
+pipeline = token_auth admin_token_auth json_body debug crud_extension admin_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 77f6b93330..8ec529a5b5 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
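Review bot: `template_file = ./etc/default_catalog.templates` in `[catalog]` is resolved against the working directory of the keystone process, not against the config file, while stack.sh installs the copy under `$KEYSTONE_DIR/etc/`; the catalog therefore loads only when keystone happens to be started from `$KEYSTONE_DIR`. The other path in this file, `log_file`, already uses a `%DEST%` token that stack.sh substitutes, so the same pattern fits here, e.g. a constructed `%KEYSTONE_DIR%` token on this line with a matching sed in stack.sh. Separately, the `debug` filter now sits in both the `public_api` and `admin_api` pipelines, ahead of the service apps; if `keystone.wsgi:Debug` logs request headers or bodies (not visible here — confirm), the file named by `log_file` would accumulate the static `admin_token` and the passwords from auth requests, so it should be documented as development-only or dropped from the default pipelines. `admin_token` itself is a static bearer credential written into the config; a comment saying it is only meant to bootstrap `keystone_data.sh` would help the next reader.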
@@ -1,54 +1,138 @@
 #!/bin/bash
 BIN_DIR=${BIN_DIR:-.}
 # Tenants
-$BIN_DIR/keystone-manage tenant add admin
-$BIN_DIR/keystone-manage tenant add demo
-$BIN_DIR/keystone-manage tenant add invisible_to_admin
+ADMIN_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only
+ create \
+ tenant_name=admin`
+DEMO_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
+ tenant_name=demo`
+INVIS_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
+ tenant_name=invisible_to_admin`
+
 # Users
-$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD%
-$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD%
+ADMIN_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
+ name=admin \
+ "password=%ADMIN_PASSWORD%" \
+ email=admin@example.com`
+DEMO_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
+ name=demo \
+ "password=%ADMIN_PASSWORD%" \
+ email=demo@example.com`
 # Roles
-$BIN_DIR/keystone-manage role add admin
-$BIN_DIR/keystone-manage role add Member
-$BIN_DIR/keystone-manage role add KeystoneAdmin
-$BIN_DIR/keystone-manage role add KeystoneServiceAdmin
-$BIN_DIR/keystone-manage role add sysadmin
-$BIN_DIR/keystone-manage role add netadmin
-$BIN_DIR/keystone-manage role grant admin admin admin
-$BIN_DIR/keystone-manage role grant Member demo demo
-$BIN_DIR/keystone-manage role grant sysadmin demo demo
-$BIN_DIR/keystone-manage role grant netadmin demo demo
-$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin
-$BIN_DIR/keystone-manage role grant admin admin demo
-$BIN_DIR/keystone-manage role grant admin admin
-$BIN_DIR/keystone-manage role grant KeystoneAdmin admin
-$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin
+ADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=Admin`
+MEMBER_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=Member`
+KEYSTONEADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=KeystoneAdmin`
+KEYSTONESERVICE_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=KeystoneServiceAdmin`
+SYSADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=sysadmin`
+NETADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+ name=netadmin`
+
+
+# Add Roles to Users in Tenants
+
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$ADMIN_ROLE \
+ user_id=$ADMIN_USER \
+ tenant_id=$ADMIN_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$MEMBER_ROLE \
+ user_id=$DEMO_USER \
+ tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$SYSADMIN_ROLE \
+ user_id=$DEMO_USER \
+ tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$NETADMIN_ROLE \
+ user_id=$DEMO_USER \
+ tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$MEMBER_ROLE \
+ user_id=$DEMO_USER \
+ tenant_id=$INVIS_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$ADMIN_ROLE \
+ user_id=$ADMIN_USER \
+ tenant_id=$DEMO_TENANT
+
+# TODO(termie): these two might be dubious
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$KEYSTONEADMIN_ROLE \
+ user_id=$ADMIN_USER \
+ tenant_id=$ADMIN_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+ role_id=$KEYSTONESERVICE_ROLE \
+ user_id=$ADMIN_USER \
+ tenant_id=$ADMIN_TENANT
 # Services
-$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service"
-$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer"
-$BIN_DIR/keystone-manage service add glance image "Glance Image Service"
-$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service"
+$BIN_DIR/keystone-manage service create \
+ name=nova \
+ service_type=compute \
+ "description=Nova Compute Service"
+
+$BIN_DIR/keystone-manage service create \
+ name=ec2 \
+ service_type=ec2 \
+ "description=EC2 Compatibility Layer"
+
+$BIN_DIR/keystone-manage service create \
+ name=glance \
+ service_type=image \
+ "description=Glance Image Service"
+
+$BIN_DIR/keystone-manage service create \
+ name=keystone \
+ service_type=identity \
+ "description=Keystone Identity Service"
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
- $BIN_DIR/keystone-manage service add swift object-store "Swift Service"
+ $BIN_DIR/keystone-manage service create \
+ name=swift \
+ service_type=object-store \
+ "description=Swift Service"
 fi
 #endpointTemplates
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add \
+ RegionOne nova
+ http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
+ http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
+ http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+ RegionOne ec2
+ http://%SERVICE_HOST%:8773/services/Cloud
+ http://%SERVICE_HOST%:8773/services/Admin
+ http://%SERVICE_HOST%:8773/services/Cloud 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+ RegionOne glance
+ http://%SERVICE_HOST%:9292/v1
+ http://%SERVICE_HOST%:9292/v1
+ http://%SERVICE_HOST%:9292/v1 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+ RegionOne keystone
+ http://%SERVICE_HOST%:5000/v2.0
+ http://%SERVICE_HOST%:35357/v2.0
+ http://%SERVICE_HOST%:5000/v2.0 1 1
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
- $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
+ $BIN_DIR/keystone-manage $* endpointTemplates add
+ RegionOne swift
+ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id%
+ http://%SERVICE_HOST%:8080/
+ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
 fi
 # Tokens
-$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
+#$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
 # EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
 # but keystone doesn't parse them - it is just a blob from keystone's
 # point of view
-$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
-$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
+#$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
+#$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
diff --git a/stack.sh b/stack.sh
index 18d1695c5d..d54d7711fe 100755
--- a/stack.sh
+++ b/stack.sh
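Review bot: As the hunk is rendered here, the first tenant creation and all five `endpointTemplates add` invocations lack line continuations: `ADMIN_TENANT=\`$BIN_DIR/keystone-manage tenant --ks-id-only` ends without `\`, so `create tenant_name=admin` runs as a separate command inside the substitution and `ADMIN_TENANT` comes back empty, and the `RegionOne nova` / `http://…` lines after each `endpointTemplates add` likewise execute as their own commands (the other tenant, user and role blocks carry the `\` and show the intended shape). Because the script has no `set -e` and never checks the captured ids, an empty `$ADMIN_TENANT` flows silently into the `add_user_to_tenant` calls, so a guard such as `[ -n "$ADMIN_TENANT" ] || { echo "tenant create failed"; exit 1; }` after the creates is worth adding. The `token add` and `credentials add` lines at the end are commented out without saying why or what now supplies `%SERVICE_TOKEN%`; either record that in the comment or delete them. Note also that `"password=%ADMIN_PASSWORD%"` is passed as a command-line argument, so it is visible in the process list for the duration of the call, which the old `user add` form also did.
```shell
ADMIN_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
    tenant_name=admin`
# … unchanged: remaining tenant, user, role and add_user_to_tenant blocks …
$BIN_DIR/keystone-manage $* endpointTemplates add \
    RegionOne nova \
    http://%SERVICE_HOST%:8774/v1.1/%tenant_id% \
    http://%SERVICE_HOST%:8774/v1.1/%tenant_id% \
    http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
# … unchanged: ec2, glance, keystone and swift endpointTemplates, each needing the same trailing "\" per line …
```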
@@ -1310,6 +1310,11 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then
 cp $FILES/keystone.conf $KEYSTONE_CONF
 sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF
 sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF
+ sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF
+
+ KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.template
+ cp $FILES/default_catalog.template $KEYSTONE_CATALOG
+ sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG
 # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``.
 KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh
diff --git a/stackrc b/stackrc
index e87b3cde8f..c9acdbeef6 100644
--- a/stackrc
+++ b/stackrc
@@ -15,7 +15,7 @@ GLANCE_REPO=https://github.com/openstack/glance.git
 GLANCE_BRANCH=master
 # unified auth system (manages accounts/tokens)
-KEYSTONE_REPO=https://github.com/openstack/keystone.git
+KEYSTONE_REPO=https://github.com/termie/keystonelight.git
 KEYSTONE_BRANCH=master
 # a websockets/html5 or flash powered VNC console for vm instances
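Review bot: The catalog file name does not match the file this commit adds: the new file is `files/default_catalog.templates` and keystone.conf points at `./etc/default_catalog.templates`, but the added lines use `default_catalog.template` (no trailing `s`) for both `KEYSTONE_CATALOG` and the `cp` source, so the copy fails, the following `sed -i` has nothing to edit, and keystone starts without a catalog. The fix is the two lines `KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.templates` and `cp $FILES/default_catalog.templates $KEYSTONE_CATALOG`. The new `%SERVICE_TOKEN%` sed uses `,` as its delimiter like the lines above it, so a token containing `,` or `&` would corrupt the substitution; since this value is now a bearer credential written into `$KEYSTONE_CONF`, a comment noting the constraint on `SERVICE_TOKEN` (or a check that it contains neither character) would be worth adding. The enclosing `if [[ "$ENABLED_SERVICES" =~ "key" ]]` block begins and ends outside the hunk.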
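Review bot: `KEYSTONE_REPO` now points at a personal fork while `KEYSTONE_BRANCH` stays on `master`, so every devstack run fetches whatever that branch holds at the moment, and the `keystone-manage` invocations in files/keystone_data.sh (`--ks-id-only`, `add_user_to_tenant`, `service create`) depend on that moving CLI. A comment on the line stating that the fork is temporary and which branch or commit the data script was written against would make the dependency explicit, e.g. `# temporary: keystonelight fork; keystone_data.sh tracks its keystone-manage CLI`. Pinning `KEYSTONE_BRANCH` to a known commit until the code lands upstream would make the setup reproducible.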