diff --git a/files/glance-api-paste.ini b/files/glance-api-paste.ini
index b8832ad662..583b70a82a 100644
--- a/files/glance-api-paste.ini
+++ b/files/glance-api-paste.ini
@@ -30,6 +30,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware
 
 [filter:authtoken]
 paste.filter_factory = keystone.middleware.auth_token:filter_factory
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated
 service_host = %KEYSTONE_SERVICE_HOST%
 service_port = %KEYSTONE_SERVICE_PORT%
 service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
@@ -37,7 +38,11 @@ auth_host = %KEYSTONE_AUTH_HOST%
 auth_port = %KEYSTONE_AUTH_PORT%
 auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
 auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/
+# FIXME(dtroyer): remove admin_token after auth_token is updated
 admin_token = %SERVICE_TOKEN%
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USERNAME%
+admin_password = %SERVICE_PASSWORD%
 
 [filter:auth-context]
 paste.filter_factory = glance.common.wsgi:filter_factory
diff --git a/files/glance-registry-paste.ini b/files/glance-registry-paste.ini
index f4130ec9e2..fe460d9e59 100644
--- a/files/glance-registry-paste.ini
+++ b/files/glance-registry-paste.ini
@@ -14,6 +14,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware
 
 [filter:authtoken]
 paste.filter_factory = keystone.middleware.auth_token:filter_factory
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated
 service_host = %KEYSTONE_SERVICE_HOST%
 service_port = %KEYSTONE_SERVICE_PORT%
 service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
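Review bot: `admin_password = %SERVICE_PASSWORD%` places a second long-lived credential next to `admin_token` in plain text in glance-api-paste.ini, and nothing in this diff sets the ownership or mode of the rendered file; it appears to be produced by the `sudo sed` in glance_config in stack.sh, so it is likely root-owned with whatever the default umask gives, which on most systems is world-readable. The rendered file should be readable only by the account glance runs as, for example `sudo chmod 0640` after rendering, and the same applies to glance-registry-paste.ini, which gets the identical block. I would also make the FIXME say what is supposed to happen while both credentials coexist, since the comment only covers removal: `# FIXME(dtroyer): remove admin_token after auth_token is updated; until then both admin_token and admin_user/admin_password are live credentials in this file`.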
@@ -21,7 +22,11 @@ auth_host = %KEYSTONE_AUTH_HOST% auth_port = %KEYSTONE_AUTH_PORT% auth_protocol = %KEYSTONE_AUTH_PROTOCOL% auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/ +# FIXME(dtroyer): remove admin_token after auth_token is updated admin_token = %SERVICE_TOKEN% +admin_tenant_name = %SERVICE_TENANT_NAME% +admin_user = %SERVICE_USERNAME% +admin_password = %SERVICE_PASSWORD% [filter:auth-context] context_class = glance.registry.context.RequestContext diff --git a/files/keystone_data.sh b/files/keystone_data.sh index 3f4841f9c3..e292811148 100755 --- a/files/keystone_data.sh +++ b/files/keystone_data.sh @@ -17,6 +17,7 @@ if keystone help | grep -q user-role-add; then fi ADMIN_TENANT=`get_id keystone tenant-create --name=admin` +SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME` DEMO_TENANT=`get_id keystone tenant-create --name=demo` INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin` @@ -73,6 +74,14 @@ keystone service-create \ --name=nova \ --type=compute \ --description="Nova Compute Service" +NOVA_USER=`get_id keystone user-create \ + --name=nova \ + --pass="$SERVICE_PASSWORD" \ + --tenant_id $SERVICE_TENANT \ + --email=nova@example.com` +keystone user-role-add --tenant_id $SERVICE_TENANT \ + --user $NOVA_USER \ + --role $ADMIN_ROLE keystone service-create \ --name=ec2 \ @@ -83,6 +92,14 @@ keystone service-create \ --name=glance \ --type=image \ --description="Glance Image Service" +GLANCE_USER=`get_id keystone user-create \ + --name=glance \ + --pass="$SERVICE_PASSWORD" \ + --tenant_id $SERVICE_TENANT \ + --email=glance@example.com` +keystone user-role-add --tenant_id $SERVICE_TENANT \ + --user $GLANCE_USER \ + --role $ADMIN_ROLE keystone service-create \ --name=keystone \ 
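Review bot: `--name=$SERVICE_TENANT_NAME` in the new SERVICE_TENANT line is unquoted, so a tenant name containing whitespace is split into extra arguments, and if `tenant-create` fails SERVICE_TENANT is silently empty; every later `--tenant_id $SERVICE_TENANT` is also unquoted, so the empty expansion disappears and the service users are created with no tenant argument at all, with whatever result the CLI gives for that. Quote it and fail early: `SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")` followed by `[[ -n "$SERVICE_TENANT" ]] || { echo "failed to create tenant $SERVICE_TENANT_NAME" >&2; exit 1; }`. The existing ADMIN_TENANT and DEMO_TENANT lines have the same shape, but this hunk is the first to feed a user-supplied name into it.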
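Review bot: Each new service account is created with `--pass="$SERVICE_PASSWORD"` on the keystone command line, so the shared secret is visible to any local user via `ps` while the command runs and would be printed verbatim if this script is ever run under `set -x`; the same single password is reused for nova, glance, swift and quantum and every one of those users is granted `$ADMIN_ROLE`, so a leak from any one rendered config yields admin over the whole deployment. Nothing visible here offers a way to pass the password other than argv, so the exposure cannot be removed in this hunk, but the four copy-pasted blocks should collapse into one helper so the unquoted `--tenant_id $SERVICE_TENANT` and `--user $NOVA_USER` expansions and the error handling are fixed in a single place. The stack.sh comment says services need admin only to validate user tokens; if that is the whole requirement, `$ADMIN_ROLE` should be swapped for a narrower role once one exists, which is worth a comment on the helper. NOVA_USER and friends are assigned here but not read again inside the hunks, so the helper can drop them unless they are used further down.
```shell
# Create one service account in the service tenant and grant it ADMIN_ROLE
# (needed so the service can validate user tokens; narrow this role when
# Keystone offers one). The password is visible in `ps` while this runs.
create_service_user() {
    local name=$1 user_id
    user_id=$(get_id keystone user-create \
        --name="$name" \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email="$name@example.com")
    [[ -n "$user_id" ]] || { echo "failed to create service user $name" >&2; exit 1; }
    keystone user-role-add --tenant_id "$SERVICE_TENANT" \
        --user "$user_id" \
        --role "$ADMIN_ROLE"
}

# … unchanged: keystone service-create for nova …
create_service_user nova
```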
@@ -101,12 +118,28 @@ if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then --name=swift \ --type="object-store" \ --description="Swift Service" + SWIFT_USER=`get_id keystone user-create \ + --name=swift \ + --pass="$SERVICE_PASSWORD" \ + --tenant_id $SERVICE_TENANT \ + --email=swift@example.com` + keystone user-role-add --tenant_id $SERVICE_TENANT \ + --user $SWIFT_USER \ + --role $ADMIN_ROLE fi if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then keystone service-create \ --name=quantum \ --type=network \ --description="Quantum Service" + QUANTUM_USER=`get_id keystone user-create \ + --name=quantum \ + --pass="$SERVICE_PASSWORD" \ + --tenant_id $SERVICE_TENANT \ + --email=quantum@example.com` + keystone user-role-add --tenant_id $SERVICE_TENANT \ + --user $QUANTUM_USER \ + --role $ADMIN_ROLE fi # create ec2 creds and parse the secret and access key returned diff --git a/files/swift/proxy-server.conf b/files/swift/proxy-server.conf index d6db117c9e..e80c1d5eb5 100644 --- a/files/swift/proxy-server.conf +++ b/files/swift/proxy-server.conf @@ -31,13 +31,18 @@ admin_token = %SERVICE_TOKEN% [filter:tokenauth] paste.filter_factory = keystone.middleware.auth_token:filter_factory +# FIXME(dtroyer): remove these service_* entries after auth_token is updated service_port = %KEYSTONE_SERVICE_PORT% service_host = %KEYSTONE_SERVICE_HOST% auth_port = %KEYSTONE_AUTH_PORT% auth_host = %KEYSTONE_AUTH_HOST% auth_protocol = %KEYSTONE_AUTH_PROTOCOL% auth_token = %SERVICE_TOKEN% +# FIXME(dtroyer): remove admin_token after auth_token is updated admin_token = %SERVICE_TOKEN% +admin_tenant_name = %SERVICE_TENANT_NAME% +admin_user = %SERVICE_USERNAME% +admin_password = %SERVICE_PASSWORD% cache = swift.cache [filter:swift3] diff --git a/stack.sh b/stack.sh index 20c44e2e27..9242182140 100755 --- a/stack.sh +++ b/stack.sh 
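Review bot: After this hunk the Swift proxy config carries SERVICE_TOKEN three times (`admin_token` in the section just above `[filter:tokenauth]`, and both `auth_token` and `admin_token` inside it) plus the new `admin_password`, yet only one `admin_token` is tagged for removal; if `auth_token = %SERVICE_TOKEN%` is not also retired the bootstrap token will outlive the cleanup the FIXME describes. I would widen it to `# FIXME(dtroyer): remove auth_token and admin_token (and the admin_token above) after auth_token middleware is updated`. Separately, stack.sh now substitutes `%KEYSTONE_API_PORT%` into this file but the template here still only uses `%KEYSTONE_SERVICE_PORT%`, so that substitution is a no-op and the proxy will keep following KEYSTONE_SERVICE_PORT even when KEYSTONE_API_PORT is overridden; one variable should own the public port.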
@@ -421,10 +421,16 @@ fi # Service Token - Openstack components need to have an admin token # to validate user tokens. read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN." +# Services authenticate to Identity with servicename/SERVICE_PASSWORD +read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." # Horizon currently truncates usernames and passwords at 20 characters read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)." +# Set the tenant for service accounts in Keystone +SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} + # Set Keystone interface configuration +KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000} KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http} @@ -768,6 +774,7 @@ if is_service_enabled g-reg; then function glance_config { sudo sed -e " + s,%KEYSTONE_API_PORT%,$KEYSTONE_API_PORT,g; s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g; s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g; s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g; @@ -775,6 +782,9 @@ if is_service_enabled g-reg; then s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g; s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g; s,%SQL_CONN%,$BASE_SQL_CONN/glance,g; + s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; + s,%SERVICE_USERNAME%,glance,g; + s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; s,%DEST%,$DEST,g; s,%SYSLOG%,$SYSLOG,g; 
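Review bot: `read_password SERVICE_PASSWORD` introduces one secret that keystone_data.sh then uses as the password of every service account (nova, glance, swift, quantum), so a leak from any single rendered config compromises all of them; the comment above it should state that explicitly, e.g. `# One shared secret: keystone_data.sh creates every service account with SERVICE_PASSWORD`. `KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}` also adds a second name for the public Keystone port next to the `KEYSTONE_SERVICE_PORT` that the glance and swift substitutions further down still use, so overriding one and not the other leaves the readiness check and the rendered configs pointing at different ports. Deriving one from the other, `KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-$KEYSTONE_SERVICE_PORT}`, avoids the split, provided KEYSTONE_SERVICE_PORT is assigned first; its definition is outside this hunk.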
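Review bot: `s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g;` splices the raw password into a sed script, so a `,` in it ends the substitution early, an `&` re-inserts the matched placeholder and a `\` starts an escape; the pre-existing `%SERVICE_TOKEN%` line has the same weakness, and both values are now typed freely by the user at a `read_password` prompt. Escape once before use, `svc_pw=$(printf '%s' "$SERVICE_PASSWORD" | sed 's/[,&\\]/\\&/g')`, and substitute `s,%SERVICE_PASSWORD%,$svc_pw,g;`. Because the whole script is a single argument to `sudo sed -e` (visible at the top of glance_config, whose body starts and ends outside these hunks), sudo's default command logging will write the token and password into the system auth log and they are visible in `ps` for the duration of the call; writing the script to a `mktemp` file and running `sudo sed -f "$script"` keeps both secrets out of argv.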
@@ -825,7 +835,14 @@ if is_service_enabled n-api; then cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF # Then we add our own service token to the configuration - sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_CONF/api-paste.ini + sed -e " + /^admin_token/i admin_tenant_name = $SERVICE_TENANT_NAME + /admin_tenant_name/s/^.*$/admin_tenant_name = $SERVICE_TENANT_NAME/; + /admin_user/s/^.*$/admin_user = nova/; + /admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/; + s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; + s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; + " -i $NOVA_CONF/api-paste.ini # Finally, we change the pipelines in nova to use keystone function replace_pipeline() { 
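Review bot: `/admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/;` uses `/` as the delimiter, so any `/` (and `&` or `\`) in the password typed at the prompt breaks or alters the sed script, and the unanchored address rewrites every line that merely contains `admin_password`, a comment included; the `admin_user` and `admin_tenant_name` commands have the same unanchored match. Anchor the addresses and use the `,` delimiter the rest of this script already uses, e.g. `/^admin_password/s,^.*$,admin_password = $SERVICE_PASSWORD,;` with `,`, `&` and `\` escaped in the value first, and likewise `/^admin_user/s,^.*$,admin_user = nova,;`. Note also that `/^admin_token/i admin_tenant_name = ...` inserts a line before every admin_token line, so if the copied nova api-paste.ini already ships an `admin_tenant_name` key the result has two of them; I cannot tell from here whether it does. `$NOVA_CONF/api-paste.ini` should be quoted as well.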
@@ -1011,16 +1028,21 @@ if is_service_enabled swift; then # We do the install of the proxy-server and swift configuration # replacing a few directives to match our configuration. - sed -e "s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g; - s,%USER%,$USER,g; - s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g; - s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g; - s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g; - s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g; - s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g; - s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g; - s/%AUTH_SERVER%/${swift_auth_server}/g;" \ - $FILES/swift/proxy-server.conf | \ + sed -e " + s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g; + s,%USER%,$USER,g; + s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; + s,%SERVICE_USERNAME%,swift,g; + s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; + s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g; + s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g; + s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g; + s,%KEYSTONE_API_PORT%,${KEYSTONE_API_PORT},g; + s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g; + s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g; + s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g; + s/%AUTH_SERVER%/${swift_auth_server}/g; + " $FILES/swift/proxy-server.conf | \ sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf sed -e "s/%SWIFT_HASH%/$SWIFT_HASH/" $FILES/swift/swift.conf > ${SWIFT_CONFIG_LOCATION}/swift.conf 
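Review bot: The rendered proxy-server.conf now contains both SERVICE_TOKEN and SERVICE_PASSWORD, and the pipeline ends in `sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf` with no `>/dev/null`, so the complete config including both secrets is echoed to stack.sh's stdout and into any log the run is captured to; append `>/dev/null` to the tee. tee also creates the file as root with the default umask, so unless something outside this hunk tightens it the file is likely world-readable; follow with `sudo chmod 0640 ${SWIFT_CONFIG_LOCATION}/proxy-server.conf` and chown to whatever account the proxy runs as, which I cannot see here. The same unescaped interpolation of `$SERVICE_PASSWORD` into a `,`-delimited sed `s` command as in glance_config applies to the new line here.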
@@ -1389,7 +1411,7 @@ fi if is_service_enabled key; then screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" echo "Waiting for keystone to start..." - if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then + if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/; do sleep 1; done"; then echo "keystone did not start" exit 1 fi @@ -1401,7 +1423,8 @@ if is_service_enabled key; then # keystone_data.sh creates services, admin and demo users, and roles. SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 - ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh + ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \ + bash $FILES/keystone_data.sh fi @@ -1630,7 +1653,7 @@ fi # If keystone is present, you can point nova cli to this server if is_service_enabled key; then - echo "keystone is serving at $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" + echo "keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/" echo "examples on using novaclient command line is in exercise.sh" echo "the default users are: admin and demo" echo "the password: $ADMIN_PASSWORD"
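Review bot: The readiness probe now polls `$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/` while the glance and swift templates rendered earlier in stack.sh still receive `KEYSTONE_SERVICE_PROTOCOL`, `KEYSTONE_SERVICE_HOST` and `KEYSTONE_SERVICE_PORT` for the same public endpoint, so stack.sh can declare keystone up on one URL while the services are configured for another, and a deployment that sets the service protocol to https but leaves the auth protocol at http will probe the wrong scheme. Either keep the probe on the trio the configs use, `$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/`, or unify the variables so there is one definition of the public endpoint; the `keystone is serving at` message in the last hunk has the same mismatch. The environment prefix on the `bash $FILES/keystone_data.sh` line keeps the secrets out of argv, which is the right call, but they would still be echoed if stack.sh is run with `set -x`.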