From 3561d7f9edc6dd0d00be097a78b83f38aa8cbf5f Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Wed, 21 May 2014 17:18:43 +1000 Subject: [PATCH] Use identity_uri instead of auth fragments auth_token middleware now accepts a standard URL string as the parameter identity_uri instead of specifying protocol etc individually. Change the services over to use this. Also changes over some other places in which the auth fragments are used individually to the new variables and fixes up some misconfigurations of auth_token. identity_uri option was release in keystoneclient 0.8.0 Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a --- lib/ceilometer | 4 +--- lib/cinder | 4 +--- lib/glance | 12 ++++-------- lib/heat | 8 +++----- lib/ironic | 6 ++---- lib/keystone | 4 ++++ lib/neutron | 17 ++++------------- lib/nova | 4 +--- lib/nova_plugins/hypervisor-ironic | 2 +- lib/trove | 7 +++---- stack.sh | 4 ++-- 11 files changed, 26 insertions(+), 46 deletions(-) diff --git a/lib/ceilometer b/lib/ceilometer index a4be7af480..286f199da0 100644 --- a/lib/ceilometer +++ b/lib/ceilometer @@ -164,9 +164,7 @@ function configure_ceilometer { iniset $CEILOMETER_CONF service_credentials os_password $SERVICE_PASSWORD iniset $CEILOMETER_CONF service_credentials os_tenant_name $SERVICE_TENANT_NAME - iniset $CEILOMETER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $CEILOMETER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $CEILOMETER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $CEILOMETER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $CEILOMETER_CONF keystone_authtoken admin_user ceilometer iniset $CEILOMETER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD iniset $CEILOMETER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME diff --git a/lib/cinder b/lib/cinder index d5ee17e65b..4183676211 100644 --- a/lib/cinder +++ b/lib/cinder 
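Review bot: Nothing visible in this change guards against an auth_token middleware that predates `identity_uri`, which the commit message says arrived in keystoneclient 0.8.0. With the `auth_host`/`auth_port`/`auth_protocol` lines removed in configure_ceilometer, an older middleware would presumably ignore the new key and fall back to its built-in defaults rather than this Keystone, so token validation would fail or be directed at the wrong endpoint. The same applies to the `identity_uri` lines in lib/cinder, lib/glance, lib/heat, lib/ironic, lib/neutron, lib/nova and lib/trove. A comment such as `# identity_uri requires keystoneclient >= 0.8.0` beside the setting, or a minimum-version check where the client is installed, would make the dependency explicit. configure_ceilometer continues outside the hunk.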
@@ -233,9 +233,7 @@ function configure_cinder { inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir - iniset $CINDER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $CINDER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $CINDER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $CINDER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $CINDER_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME iniset $CINDER_CONF keystone_authtoken admin_user cinder diff --git a/lib/glance b/lib/glance index 51e4399388..4eb0ada590 100644 --- a/lib/glance +++ b/lib/glance @@ -89,9 +89,7 @@ function configure_glance { iniset $GLANCE_REGISTRY_CONF DEFAULT sql_connection $dburl iniset $GLANCE_REGISTRY_CONF DEFAULT use_syslog $SYSLOG iniset $GLANCE_REGISTRY_CONF paste_deploy flavor keystone - iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $GLANCE_REGISTRY_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA configure_API_version $GLANCE_REGISTRY_CONF $IDENTITY_API_VERSION iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME 
@@ -107,9 +105,7 @@ function configure_glance { iniset $GLANCE_API_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/ iniset $GLANCE_API_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/ iniset $GLANCE_API_CONF paste_deploy flavor keystone+cachemanagement - iniset $GLANCE_API_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $GLANCE_API_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $GLANCE_API_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $GLANCE_API_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $GLANCE_API_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA configure_API_version $GLANCE_API_CONF $IDENTITY_API_VERSION iniset $GLANCE_API_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME @@ -128,7 +124,7 @@ function configure_glance { # Store the images in swift if enabled. if is_service_enabled s-proxy; then iniset $GLANCE_API_CONF DEFAULT default_store swift - iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ + iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_URI/v2.0/ iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True 
@@ -147,7 +143,7 @@ function configure_glance { iniset $GLANCE_CACHE_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/ iniset $GLANCE_CACHE_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/ iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_url - iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 + iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_URI/v2.0 iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_tenant_name iniset $GLANCE_CACHE_CONF DEFAULT admin_tenant_name $SERVICE_TENANT_NAME iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_user diff --git a/lib/heat b/lib/heat index fe75ec9dc4..e27943ace0 100644 --- a/lib/heat +++ b/lib/heat @@ -107,9 +107,7 @@ function configure_heat { fi # keystone authtoken - iniset $HEAT_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $HEAT_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $HEAT_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI configure_API_version $HEAT_CONF $IDENTITY_API_VERSION iniset $HEAT_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME @@ -118,7 +116,7 @@ function configure_heat { iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR # ec2authtoken - iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0 + iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0 # paste_deploy [[ "$HEAT_STANDALONE" = "True" ]] && iniset $HEAT_CONF paste_deploy flavor standalone 
@@ -269,7 +267,7 @@ function create_heat_accounts { if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then # Note we have to pass token/endpoint here because the current endpoint and # version negotiation in OSC means just --os-identity-api-version=3 won't work - KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3" + KS_ENDPOINT_V3="$KEYSTONE_SERVICE_URI/v3" D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \ --os-identity-api-version=3 domain create heat \ --description "Owns users and projects created by heat" \ diff --git a/lib/ironic b/lib/ironic index 0656980a89..d53e1ad457 100644 --- a/lib/ironic +++ b/lib/ironic @@ -162,11 +162,9 @@ function configure_ironic { function configure_ironic_api { iniset $IRONIC_CONF_FILE DEFAULT auth_strategy keystone iniset $IRONIC_CONF_FILE DEFAULT policy_file $IRONIC_POLICY_JSON - iniset $IRONIC_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $IRONIC_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $IRONIC_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $IRONIC_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $IRONIC_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA - iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/ + iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI iniset $IRONIC_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME iniset $IRONIC_CONF_FILE keystone_authtoken admin_user ironic iniset $IRONIC_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD diff --git a/lib/keystone b/lib/keystone index 6b8863e336..e021b8bd47 100644 --- a/lib/keystone +++ b/lib/keystone 
@@ -87,6 +87,10 @@ if is_ssl_enabled_service "key"; then KEYSTONE_SERVICE_PROTOCOL="https" fi +# complete URIs +KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} +KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} + # Functions # --------- # cleanup_keystone() - Remove residual data files, anything left over from previous diff --git a/lib/neutron b/lib/neutron index e9182864fa..6c0ca06b70 100644 --- a/lib/neutron +++ b/lib/neutron @@ -726,7 +726,7 @@ function _configure_neutron_metadata_agent { iniset $Q_META_CONF_FILE DEFAULT nova_metadata_ip $Q_META_DATA_IP iniset $Q_META_CONF_FILE DEFAULT root_helper "$Q_RR_COMMAND" - _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True True + _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True } @@ -868,18 +868,9 @@ function _neutron_setup_keystone { local section=$2 local use_auth_url=$3 local skip_auth_cache=$4 - local use_service_port=$5 - local keystone_port=$KEYSTONE_AUTH_PORT - if [[ -n $use_service_port ]]; then - keystone_port=$KEYSTONE_SERVICE_PORT - fi - if [[ -n $use_auth_url ]]; then - iniset $conf_file $section auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$keystone_port/v2.0" - else - iniset $conf_file $section auth_host $KEYSTONE_SERVICE_HOST - iniset $conf_file $section auth_port $keystone_port - iniset $conf_file $section auth_protocol $KEYSTONE_SERVICE_PROTOCOL - fi + + iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI + iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME iniset $conf_file $section admin_user $Q_ADMIN_USERNAME iniset $conf_file $section admin_password $SERVICE_PASSWORD diff --git a/lib/nova b/lib/nova index 76929b1a46..9dd6bb05dc 100644 --- a/lib/nova +++ b/lib/nova 
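Review bot: The `# complete URIs` comment in lib/keystone does not say what the two variables contain or when they are fixed. Both are assigned once at file scope, so a change to the `KEYSTONE_AUTH_*` or `KEYSTONE_SERVICE_*` fragments after this file is sourced will not reach any service configured from the URIs. A comment such as `# scheme://host:port with no trailing slash or version; computed once here, so set the fragments before sourcing lib/keystone` would make that explicit. It would also help to note which of the two is the admin endpoint and which the public one, since callers now choose between them by name alone.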
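Review bot: In `_neutron_setup_keystone`, `use_auth_url` ($3) is still declared and `_configure_neutron_metadata_agent` still passes `True` for it, but nothing in the visible part of the function reads it any more. The metadata agent's DEFAULT section therefore receives `auth_uri` and `identity_uri` and no longer receives `auth_url`. Those two keys are auth_token middleware settings; if the metadata agent reads `auth_url` for its own Keystone client calls, it is left without an endpoint and cannot authenticate to Neutron. Either drop the unused parameter at both sites or keep the branch, e.g. `if [[ -n $use_auth_url ]]; then iniset $conf_file $section auth_url "$KEYSTONE_SERVICE_URI/v2.0"; fi`. The function body continues outside the hunk.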
@@ -456,9 +456,7 @@ function create_nova_conf { # Add keystone authtoken configuration - iniset $NOVA_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $NOVA_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $NOVA_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + iniset $NOVA_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME iniset $NOVA_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA iniset $NOVA_CONF keystone_authtoken admin_user nova diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic index e72f7c1dc0..c068c74b33 100644 --- a/lib/nova_plugins/hypervisor-ironic +++ b/lib/nova_plugins/hypervisor-ironic @@ -48,7 +48,7 @@ function configure_nova_hypervisor { # ironic section iniset $NOVA_CONF ironic admin_username admin iniset $NOVA_CONF ironic admin_password $ADMIN_PASSWORD - iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 + iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v2.0 iniset $NOVA_CONF ironic admin_tenant_name demo iniset $NOVA_CONF ironic api_endpoint http://$SERVICE_HOST:6385/v1 iniset $NOVA_CONF ironic sql_connection `database_connection_url nova_bm` diff --git a/lib/trove b/lib/trove index 82c8c96400..e467c9061b 100644 --- a/lib/trove +++ b/lib/trove 
@@ -133,9 +133,8 @@ function configure_trove { # Copy api-paste file over to the trove conf dir and configure it cp $TROVE_LOCAL_CONF_DIR/api-paste.ini $TROVE_CONF_DIR/api-paste.ini TROVE_API_PASTE_INI=$TROVE_CONF_DIR/api-paste.ini - iniset $TROVE_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $TROVE_API_PASTE_INI filter:authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $TROVE_API_PASTE_INI filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL + + iniset $TROVE_API_PASTE_INI filter:authtoken identity_uri $KEYSTONE_AUTH_URI iniset $TROVE_API_PASTE_INI filter:authtoken cafile $KEYSTONE_SSL_CA iniset $TROVE_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME iniset $TROVE_API_PASTE_INI filter:authtoken admin_user trove @@ -158,7 +157,7 @@ function configure_trove { # (Re)create trove taskmanager conf file if needed if is_service_enabled tr-tmgr; then - TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION + TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` diff --git a/stack.sh b/stack.sh index d2f18d48c1..2daa2594e5 100755 --- a/stack.sh +++ b/stack.sh @@ -924,7 +924,7 @@ if is_service_enabled key; then start_keystone # Set up a temporary admin URI for Keystone - SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 + SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v2.0 if is_service_enabled tls-proxy; then export OS_CACERT=$INT_CA_DIR/ca-chain.pem 
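Review bot: In stack.sh, the scheme of `SERVICE_ENDPOINT` now comes from `KEYSTONE_AUTH_PROTOCOL` (through `KEYSTONE_AUTH_URI`), where the removed line used `KEYSTONE_SERVICE_PROTOCOL`. The lib/keystone hunk shows only `KEYSTONE_SERVICE_PROTOCOL` being set to `https` when SSL is enabled for `key`; whether `KEYSTONE_AUTH_PROTOCOL` is switched too is not visible here. If it is not, the bootstrap requests sent to this temporary admin endpoint, which presumably carry admin credentials, would use `http` against a TLS listener and either fail or go unencrypted. Confirm that the SSL block sets both protocols, and record it beside the assignment, e.g. `# scheme comes from KEYSTONE_AUTH_PROTOCOL; must match what the admin port serves`. The enclosing `if is_service_enabled key` block continues outside the hunk.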
@@ -1357,7 +1357,7 @@ fi # If Keystone is present you can point ``nova`` cli to this server if is_service_enabled key; then - echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" + echo "Keystone is serving at $KEYSTONE_SERVICE_URI/v2.0/" echo "Examples on using novaclient command line is in exercise.sh" echo "The default users are: admin and demo" echo "The password: $ADMIN_PASSWORD"