7b07ccf5e4
The devstack ldap configuration for keystone is still using some old options that are no longer valid. The write support is being removed this release. And in previous releases, the ldap assignment driver support was removed and was not removed here. Change-Id: I538626b681eaee6a7ac10dfbc29605b73fbe13bf
652 lines
24 KiB
Bash
652 lines
24 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/keystone
|
|
# Functions to control the configuration and operation of **Keystone**
|
|
|
|
# Dependencies:
|
|
#
|
|
# - ``functions`` file
|
|
# - ``tls`` file
|
|
# - ``DEST``, ``STACK_USER``
|
|
# - ``FILES``
|
|
# - ``IDENTITY_API_VERSION``
|
|
# - ``BASE_SQL_CONN``
|
|
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
|
|
# - ``S3_SERVICE_PORT`` (template backend only)
|
|
|
|
# ``stack.sh`` calls the entry points in this order:
|
|
#
|
|
# - install_keystone
|
|
# - configure_keystone
|
|
# - _config_keystone_apache_wsgi
|
|
# - init_keystone
|
|
# - start_keystone
|
|
# - bootstrap_keystone
|
|
# - create_keystone_accounts
|
|
# - stop_keystone
|
|
# - cleanup_keystone
|
|
|
|
# Save trace setting
|
|
_XTRACE_KEYSTONE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
# Defaults
|
|
# --------
|
|
|
|
# Set up default directories
|
|
GITDIR["keystoneauth"]=$DEST/keystoneauth
|
|
GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient
|
|
GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware
|
|
KEYSTONE_DIR=$DEST/keystone
|
|
|
|
# Keystone virtual environment
|
|
if [[ ${USE_VENV} = True ]]; then
|
|
PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv
|
|
KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin
|
|
else
|
|
KEYSTONE_BIN_DIR=$(get_python_exec_prefix)
|
|
fi
|
|
|
|
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
|
|
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
|
|
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
|
|
|
|
# NOTE(sdague): remove in Newton
|
|
KEYSTONE_CATALOG_BACKEND="sql"
|
|
|
|
# Toggle for deploying Keystone under HTTPD + mod_wsgi
|
|
# Deprecated in Mitaka, use KEYSTONE_DEPLOY instead.
|
|
KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}}
|
|
|
|
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
|
|
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
|
|
# - uwsgi : Run keystone under uwsgi
|
|
if [ -z "$KEYSTONE_DEPLOY" ]; then
|
|
if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then
|
|
KEYSTONE_DEPLOY=mod_wsgi
|
|
elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then
|
|
KEYSTONE_DEPLOY=mod_wsgi
|
|
else
|
|
KEYSTONE_DEPLOY=uwsgi
|
|
fi
|
|
fi
|
|
|
|
# Select the token persistence backend driver
|
|
KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql}
|
|
|
|
# Select the Identity backend driver
|
|
KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql}
|
|
|
|
# Select the Assignment backend driver
|
|
KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
|
|
|
|
# Select the Role backend driver
|
|
KEYSTONE_ROLE_BACKEND=${KEYSTONE_ROLE_BACKEND:-sql}
|
|
|
|
# Select the Resource backend driver
|
|
KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql}
|
|
|
|
# Select Keystone's token provider (and format)
|
|
# Choose from 'uuid', 'pki', 'pkiz', or 'fernet'
|
|
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-}
|
|
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
|
|
|
|
# Set Keystone interface configuration
|
|
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
|
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
|
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
|
|
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
|
|
|
# Public facing bits
|
|
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
|
|
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
|
|
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
|
|
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
|
|
|
# Bind hosts
|
|
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
|
|
|
|
# Set the project for service accounts in Keystone
|
|
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
|
|
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
|
|
|
# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
|
|
# compatibility; we should be using SERVICE_PROJECT_NAME now
|
|
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
|
|
|
# if we are running with SSL use https protocols
|
|
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
|
|
KEYSTONE_AUTH_PROTOCOL="https"
|
|
KEYSTONE_SERVICE_PROTOCOL="https"
|
|
fi
|
|
|
|
# complete URIs
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
# If running in Apache, use path access rather than port.
|
|
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
|
|
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
|
|
else
|
|
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
|
|
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
|
|
fi
|
|
|
|
# V3 URIs
|
|
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
|
|
KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
|
|
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# Test if Keystone is enabled
|
|
# is_keystone_enabled
|
|
function is_keystone_enabled {
|
|
[[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0
|
|
return 1
|
|
}
|
|
|
|
# cleanup_keystone() - Remove residual data files, anything left over from previous
|
|
# runs that a clean run would need to clean up
|
|
function cleanup_keystone {
|
|
disable_apache_site keystone
|
|
sudo rm -f $(apache_site_config_for keystone)
|
|
}
|
|
|
|
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
|
|
function _config_keystone_apache_wsgi {
|
|
local keystone_apache_conf
|
|
keystone_apache_conf=$(apache_site_config_for keystone)
|
|
local keystone_ssl=""
|
|
local keystone_certfile=""
|
|
local keystone_keyfile=""
|
|
local keystone_service_port=$KEYSTONE_SERVICE_PORT
|
|
local keystone_auth_port=$KEYSTONE_AUTH_PORT
|
|
local venv_path=""
|
|
|
|
if is_ssl_enabled_service key; then
|
|
keystone_ssl="SSLEngine On"
|
|
keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
|
|
keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
|
|
fi
|
|
if is_service_enabled tls-proxy; then
|
|
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
|
|
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
|
|
fi
|
|
if [[ ${USE_VENV} = True ]]; then
|
|
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
|
|
fi
|
|
|
|
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
|
|
sudo sed -e "
|
|
s|%PUBLICPORT%|$keystone_service_port|g;
|
|
s|%ADMINPORT%|$keystone_auth_port|g;
|
|
s|%APACHE_NAME%|$APACHE_NAME|g;
|
|
s|%SSLENGINE%|$keystone_ssl|g;
|
|
s|%SSLCERTFILE%|$keystone_certfile|g;
|
|
s|%SSLKEYFILE%|$keystone_keyfile|g;
|
|
s|%USER%|$STACK_USER|g;
|
|
s|%VIRTUALENV%|$venv_path|g
|
|
s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g
|
|
" -i $keystone_apache_conf
|
|
}
|
|
|
|
# configure_keystone() - Set config files, create data dirs, etc
|
|
function configure_keystone {
|
|
sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR
|
|
|
|
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
|
|
install -m 600 $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF
|
|
cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR
|
|
if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then
|
|
cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI"
|
|
fi
|
|
fi
|
|
if [[ -f "$KEYSTONE_PASTE_INI" ]]; then
|
|
iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI"
|
|
else
|
|
# compatibility with mixed cfg and paste.deploy configuration
|
|
KEYSTONE_PASTE_INI="$KEYSTONE_CONF"
|
|
fi
|
|
|
|
if [ "$ENABLE_IDENTITY_V2" == "False" ]; then
|
|
# Only Identity v3 API should be available; then disable v2 pipelines
|
|
inidelete $KEYSTONE_PASTE_INI composite:main \\/v2.0
|
|
inidelete $KEYSTONE_PASTE_INI composite:admin \\/v2.0
|
|
fi
|
|
|
|
# Rewrite stock ``keystone.conf``
|
|
|
|
if is_service_enabled ldap; then
|
|
#Set all needed ldap values
|
|
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
|
|
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
|
|
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
|
|
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
|
|
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
|
|
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
|
|
fi
|
|
|
|
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
|
|
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
|
|
iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
|
|
iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
|
|
|
|
# Enable caching
|
|
iniset $KEYSTONE_CONF cache enabled "True"
|
|
iniset $KEYSTONE_CONF cache backend "dogpile.cache.memcached"
|
|
iniset $KEYSTONE_CONF cache memcache_servers localhost:11211
|
|
|
|
iniset_rpc_backend keystone $KEYSTONE_CONF
|
|
|
|
# Register SSL certificates if provided
|
|
if is_ssl_enabled_service key; then
|
|
ensure_certificates KEYSTONE
|
|
fi
|
|
|
|
local service_port=$KEYSTONE_SERVICE_PORT
|
|
local auth_port=$KEYSTONE_AUTH_PORT
|
|
|
|
if is_service_enabled tls-proxy; then
|
|
# Set the service ports for a proxy to take the originals
|
|
service_port=$KEYSTONE_SERVICE_PORT_INT
|
|
auth_port=$KEYSTONE_AUTH_PORT_INT
|
|
fi
|
|
|
|
# Override the endpoints advertised by keystone (the public_endpoint and
|
|
# admin_endpoint) so that clients use the correct endpoint. By default, the
|
|
# keystone server uses the public_port and admin_port which isn't going to
|
|
# work when you want to use a different port (in the case of proxy), or you
|
|
# don't want the port (in the case of putting keystone on a path in
|
|
# apache).
|
|
if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
|
|
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
|
fi
|
|
|
|
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
|
|
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
|
|
fi
|
|
|
|
iniset $KEYSTONE_CONF database connection `database_connection_url keystone`
|
|
|
|
iniset $KEYSTONE_CONF token driver "$KEYSTONE_TOKEN_BACKEND"
|
|
|
|
# Set up logging
|
|
if [ "$SYSLOG" != "False" ]; then
|
|
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
|
|
fi
|
|
|
|
# Format logging
|
|
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_DEPLOY" != "mod_wsgi" ] ; then
|
|
setup_colorized_logging $KEYSTONE_CONF DEFAULT
|
|
fi
|
|
|
|
iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
|
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
|
|
_config_keystone_apache_wsgi
|
|
else # uwsgi
|
|
# iniset creates these files when it's called if they don't exist.
|
|
KEYSTONE_PUBLIC_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
|
|
KEYSTONE_ADMIN_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
|
|
|
|
rm -f "$KEYSTONE_PUBLIC_UWSGI_FILE"
|
|
rm -f "$KEYSTONE_ADMIN_UWSGI_FILE"
|
|
|
|
if is_ssl_enabled_service key; then
|
|
iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi https $KEYSTONE_SERVICE_HOST:$service_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
|
|
iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi https $KEYSTONE_ADMIN_BIND_HOST:$auth_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
|
|
else
|
|
iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi http $KEYSTONE_SERVICE_HOST:$service_port
|
|
iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi http $KEYSTONE_ADMIN_BIND_HOST:$auth_port
|
|
fi
|
|
|
|
iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-public"
|
|
iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi processes $(nproc)
|
|
|
|
iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-admin"
|
|
iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi processes $API_WORKERS
|
|
|
|
# Common settings
|
|
for file in "$KEYSTONE_PUBLIC_UWSGI_FILE" "$KEYSTONE_ADMIN_UWSGI_FILE"; do
|
|
# This is running standalone
|
|
iniset "$file" uwsgi master true
|
|
# Set die-on-term & exit-on-reload so that uwsgi shuts down
|
|
iniset "$file" uwsgi die-on-term true
|
|
iniset "$file" uwsgi exit-on-reload true
|
|
iniset "$file" uwsgi enable-threads true
|
|
iniset "$file" uwsgi plugins python
|
|
# uwsgi recommends this to prevent thundering herd on accept.
|
|
iniset "$file" uwsgi thunder-lock true
|
|
# Override the default size for headers from the 4k default.
|
|
iniset "$file" uwsgi buffer-size 65535
|
|
# Make sure the client doesn't try to re-use the connection.
|
|
iniset "$file" uwsgi add-header "Connection: close"
|
|
# This ensures that file descriptors aren't shared between processes.
|
|
iniset "$file" uwsgi lazy-apps true
|
|
done
|
|
fi
|
|
|
|
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
|
|
|
|
iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
|
|
|
|
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
|
|
|
|
# Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
|
|
# The users from this project are globally admin as before, but it also
|
|
# allows policy changes in order to clarify the adminess scope.
|
|
iniset $KEYSTONE_CONF resource admin_project_domain_name Default
|
|
iniset $KEYSTONE_CONF resource admin_project_name admin
|
|
}
|
|
|
|
# create_keystone_accounts() - Sets up common required keystone accounts
|
|
|
|
# Project User Roles
|
|
# ------------------------------------------------------------------
|
|
# admin admin admin
|
|
# service -- --
|
|
# -- -- service
|
|
# -- -- ResellerAdmin
|
|
# -- -- Member
|
|
# demo admin admin
|
|
# demo demo Member, anotherrole
|
|
# alt_demo admin admin
|
|
# alt_demo alt_demo Member, anotherrole
|
|
# invisible_to_admin demo Member
|
|
|
|
# Group Users Roles Project
|
|
# ------------------------------------------------------------------
|
|
# admins admin admin admin
|
|
# nonadmins demo, alt_demo Member, anotherrole demo, alt_demo
|
|
|
|
|
|
# Migrated from keystone_data.sh
|
|
function create_keystone_accounts {
|
|
|
|
# The keystone bootstrapping process (performed via keystone-manage bootstrap)
|
|
# creates an admin user, admin role and admin project. As a sanity check
|
|
# we exercise the CLI to retrieve the IDs for these values.
|
|
local admin_project
|
|
admin_project=$(openstack project show "admin" -f value -c id)
|
|
local admin_user
|
|
admin_user=$(openstack user show "admin" -f value -c id)
|
|
local admin_role
|
|
admin_role=$(openstack role show "admin" -f value -c id)
|
|
|
|
get_or_add_user_domain_role $admin_role $admin_user default
|
|
|
|
# Create service project/role
|
|
get_or_create_domain "$SERVICE_DOMAIN_NAME"
|
|
get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"
|
|
|
|
# Service role, so service users do not have to be admins
|
|
get_or_create_role service
|
|
|
|
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
|
|
# The admin role in swift allows a user to act as an admin for their project,
|
|
# but ResellerAdmin is needed for a user to act as any project. The name of this
|
|
# role is also configurable in swift-proxy.conf
|
|
get_or_create_role ResellerAdmin
|
|
|
|
# The Member role is used by Horizon and Swift so we need to keep it:
|
|
local member_role
|
|
member_role=$(get_or_create_role "Member")
|
|
|
|
# another_role demonstrates that an arbitrary role may be created and used
|
|
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
|
|
local another_role
|
|
another_role=$(get_or_create_role "anotherrole")
|
|
|
|
# invisible project - admin can't see this one
|
|
local invis_project
|
|
invis_project=$(get_or_create_project "invisible_to_admin" default)
|
|
|
|
# demo
|
|
local demo_project
|
|
demo_project=$(get_or_create_project "demo" default)
|
|
local demo_user
|
|
demo_user=$(get_or_create_user "demo" \
|
|
"$ADMIN_PASSWORD" "default" "demo@example.com")
|
|
|
|
get_or_add_user_project_role $member_role $demo_user $demo_project
|
|
get_or_add_user_project_role $admin_role $admin_user $demo_project
|
|
get_or_add_user_project_role $another_role $demo_user $demo_project
|
|
get_or_add_user_project_role $member_role $demo_user $invis_project
|
|
|
|
# alt_demo
|
|
local alt_demo_project
|
|
alt_demo_project=$(get_or_create_project "alt_demo" default)
|
|
local alt_demo_user
|
|
alt_demo_user=$(get_or_create_user "alt_demo" \
|
|
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
|
|
|
|
get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
|
|
get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
|
|
get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
|
|
|
# groups
|
|
local admin_group
|
|
admin_group=$(get_or_create_group "admins" \
|
|
"default" "openstack admin group")
|
|
local non_admin_group
|
|
non_admin_group=$(get_or_create_group "nonadmins" \
|
|
"default" "non-admin group")
|
|
|
|
get_or_add_group_project_role $member_role $non_admin_group $demo_project
|
|
get_or_add_group_project_role $another_role $non_admin_group $demo_project
|
|
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
|
|
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
|
get_or_add_group_project_role $admin_role $admin_group $admin_project
|
|
}
|
|
|
|
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
|
#
|
|
# create_service_user <name> [role]
|
|
#
|
|
# The role defaults to the service role. It is allowed to be provided as optional as historically
|
|
# a lot of projects have configured themselves with the admin or other role here if they are
|
|
# using this user for other purposes beyond simply auth_token middleware.
|
|
function create_service_user {
|
|
local role=${2:-service}
|
|
|
|
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
|
|
get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
|
|
}
|
|
|
|
# Configure the service to use the auth token middleware.
|
|
#
|
|
# configure_auth_token_middleware conf_file admin_user signing_dir [section]
|
|
#
|
|
# section defaults to keystone_authtoken, which is where auth_token looks in
|
|
# the .conf file. If the paste config file is used (api-paste.ini) then
|
|
# provide the section name for the auth_token filter.
|
|
function configure_auth_token_middleware {
|
|
local conf_file=$1
|
|
local admin_user=$2
|
|
local signing_dir=$3
|
|
local section=${4:-keystone_authtoken}
|
|
|
|
iniset $conf_file $section auth_type password
|
|
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
|
|
iniset $conf_file $section username $admin_user
|
|
iniset $conf_file $section password $SERVICE_PASSWORD
|
|
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
|
|
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
|
|
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
|
|
|
|
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
|
|
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
|
|
iniset $conf_file $section signing_dir $signing_dir
|
|
iniset $conf_file $section memcached_servers $SERVICE_HOST:11211
|
|
}
|
|
|
|
# init_keystone() - Initialize databases, etc.
|
|
function init_keystone {
|
|
if is_service_enabled ldap; then
|
|
init_ldap
|
|
fi
|
|
|
|
# (Re)create keystone database
|
|
recreate_database keystone
|
|
|
|
# Initialize keystone database
|
|
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF db_sync
|
|
|
|
if [[ "$KEYSTONE_TOKEN_FORMAT" == "pki" || "$KEYSTONE_TOKEN_FORMAT" == "pkiz" ]]; then
|
|
# Set up certificates
|
|
rm -rf $KEYSTONE_CONF_DIR/ssl
|
|
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF pki_setup
|
|
fi
|
|
if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
|
|
rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/"
|
|
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF fernet_setup
|
|
fi
|
|
rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
|
|
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF credential_setup
|
|
|
|
}
|
|
|
|
# install_keystoneauth() - Collect source and prepare
|
|
function install_keystoneauth {
|
|
if use_library_from_git "keystoneauth"; then
|
|
git_clone_by_name "keystoneauth"
|
|
setup_dev_lib "keystoneauth"
|
|
fi
|
|
}
|
|
|
|
# install_keystoneclient() - Collect source and prepare
|
|
function install_keystoneclient {
|
|
if use_library_from_git "python-keystoneclient"; then
|
|
git_clone_by_name "python-keystoneclient"
|
|
setup_dev_lib "python-keystoneclient"
|
|
fi
|
|
}
|
|
|
|
# install_keystonemiddleware() - Collect source and prepare
|
|
function install_keystonemiddleware {
|
|
# install_keystonemiddleware() is called when keystonemiddleware is needed
|
|
# to provide an opportunity to install it from the source repo
|
|
if use_library_from_git "keystonemiddleware"; then
|
|
git_clone_by_name "keystonemiddleware"
|
|
setup_dev_lib "keystonemiddleware"
|
|
else
|
|
# When not installing from repo, keystonemiddleware is still needed...
|
|
pip_install_gr keystonemiddleware
|
|
fi
|
|
# Install the memcache library so keystonemiddleware can cache tokens in a
|
|
# shared location.
|
|
pip_install_gr python-memcached
|
|
}
|
|
|
|
# install_keystone() - Collect source and prepare
|
|
function install_keystone {
|
|
# only install ldap if the service has been enabled
|
|
if is_service_enabled ldap; then
|
|
install_ldap
|
|
fi
|
|
|
|
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH
|
|
setup_develop $KEYSTONE_DIR
|
|
|
|
if is_service_enabled ldap; then
|
|
setup_develop $KEYSTONE_DIR ldap
|
|
fi
|
|
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
install_apache_wsgi
|
|
if is_ssl_enabled_service "key"; then
|
|
enable_mod_ssl
|
|
fi
|
|
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
|
|
pip_install uwsgi
|
|
fi
|
|
}
|
|
|
|
# start_keystone() - Start running processes, including screen
|
|
function start_keystone {
|
|
# Get right service port for testing
|
|
local service_port=$KEYSTONE_SERVICE_PORT
|
|
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
|
|
if is_service_enabled tls-proxy; then
|
|
service_port=$KEYSTONE_SERVICE_PORT_INT
|
|
auth_protocol="http"
|
|
fi
|
|
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
enable_apache_site keystone
|
|
restart_apache_server
|
|
tail_log key /var/log/$APACHE_NAME/keystone.log
|
|
tail_log key-access /var/log/$APACHE_NAME/keystone_access.log
|
|
else # uwsgi
|
|
run_process key "$KEYSTONE_BIN_DIR/uwsgi $KEYSTONE_PUBLIC_UWSGI_FILE" "" "key-p"
|
|
run_process key "$KEYSTONE_BIN_DIR/uwsgi $KEYSTONE_ADMIN_UWSGI_FILE" "" "key-a"
|
|
fi
|
|
|
|
echo "Waiting for keystone to start..."
|
|
# Check that the keystone service is running. Even if the tls tunnel
|
|
# should be enabled, make sure the internal port is checked using
|
|
# unencryted traffic at this point.
|
|
# If running in Apache, use the path rather than port.
|
|
|
|
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
|
|
fi
|
|
|
|
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
|
|
die $LINENO "keystone did not start"
|
|
fi
|
|
|
|
# Start proxies if enabled
|
|
if is_service_enabled tls-proxy; then
|
|
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
|
|
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
|
|
fi
|
|
|
|
# (re)start memcached to make sure we have a clean memcache.
|
|
restart_service memcached
|
|
}
|
|
|
|
# stop_keystone() - Stop running processes
|
|
function stop_keystone {
|
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
|
disable_apache_site keystone
|
|
restart_apache_server
|
|
fi
|
|
# Kill the Keystone screen window
|
|
stop_process key
|
|
}
|
|
|
|
# bootstrap_keystone() - Initialize user, role and project
|
|
# This function uses the following GLOBAL variables:
|
|
# - ``KEYSTONE_BIN_DIR``
|
|
# - ``ADMIN_PASSWORD``
|
|
# - ``IDENTITY_API_VERSION``
|
|
# - ``KEYSTONE_AUTH_URI``
|
|
# - ``REGION_NAME``
|
|
# - ``KEYSTONE_SERVICE_PROTOCOL``
|
|
# - ``KEYSTONE_SERVICE_HOST``
|
|
# - ``KEYSTONE_SERVICE_PORT``
|
|
function bootstrap_keystone {
|
|
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
|
|
--bootstrap-username admin \
|
|
--bootstrap-password "$ADMIN_PASSWORD" \
|
|
--bootstrap-project-name admin \
|
|
--bootstrap-role-name admin \
|
|
--bootstrap-service-name keystone \
|
|
--bootstrap-region-id "$REGION_NAME" \
|
|
--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
|
|
--bootstrap-public-url "$KEYSTONE_SERVICE_URI" \
|
|
--bootstrap-internal-url "$KEYSTONE_SERVICE_URI"
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_KEYSTONE
|
|
|
|
# Tell emacs to use shell-script-mode
|
|
## Local variables:
|
|
## mode: shell-script
|
|
## End:
|