Remove usage of admin_token

* Added new tenant/project: services * Added two new users with admin roles to 'services' project: ostf and nailgun * Use generated passwords for ostf and nailgun keystone users and remove admin_token * OSTF and nailgun will use their users to validate keystone tokens instead of admin_token * Added new services and endpoints for keystone, ostf, nailgun. Now it's possible to use keystone service catalog to discover their URLs DocImpact Implements: blueprint access-control-master-node-improvments Depends: Ibe3844da784656f02673c32c2f98cb67bbdb3e89 Change-Id: I9860257b1b392be31de8ff9e09b95e9a3c6ba3f7
2014-10-27 13:10:01 +01:00 · 2014-10-27 13:10:01 +01:00 · 9dae245d0d
commit 9dae245d0d
parent 97f28a07fe
11 changed files with 198 additions and 25 deletions
--- a/deployment/puppet/nailgun/examples/keystone-only.pp
+++ b/deployment/puppet/nailgun/examples/keystone-only.pp
@ -30,25 +30,53 @@ case $production {
      refreshonly => false,
    }

-    keystone_tenant { 'admin' :
+    # Admin user
+    keystone_tenant { 'admin':
+      ensure  => present,
      enabled => 'True',
-      ensure  => present
    }

-    keystone_role {'admin' :
-      ensure => present
+    keystone_tenant { 'services':
+      ensure      => present,
+      enabled     => 'True',
+      description => 'fuel services tenant',
+    }
+
+    keystone_role { 'admin':
+      ensure => present,
    }

    keystone_user { 'admin':
-      password => $::fuel_settings['FUEL_ACCESS']['password'],
      ensure   => present,
+      password => $::fuel_settings['FUEL_ACCESS']['password'],
      enabled  => 'True',
-      tenant   => 'admin'
+      tenant   => 'admin',
    }

    keystone_user_role { 'admin@admin':
+      ensure => present,
      roles  => ['admin'],
-      ensure => present
+    }
+
+    # Keystone Endpoint
+    class { 'keystone::endpoint':
+      public_address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+      admin_address    => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+      internal_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    }
+
+    # Nailgun
+    class { 'nailgun::auth':
+      auth_name => $::fuel_settings['keystone']['nailgun_user'],
+      password  => $::fuel_settings['keystone']['nailgun_password'],
+      address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    }
+
+    # OSTF
+    class { 'nailgun::ostf::auth':
+      auth_name => $::fuel_settings['keystone']['ostf_user'],
+      password  => $::fuel_settings['keystone']['ostf_password'],
+      address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
    }

    # Increase token expiratin to 24h
--- a/deployment/puppet/nailgun/examples/nailgun-only.pp
+++ b/deployment/puppet/nailgun/examples/nailgun-only.pp
@ -117,8 +117,10 @@ class { "nailgun::venv":

  puppet_master_hostname => $puppet_master_hostname,

-  keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
-  keystone_host        => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+  keystone_host         => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+  keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
+  keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
+
  dns_domain => $::fuel_settings['DNS_DOMAIN'],
 }
 class { 'nailgun::uwsgi':
--- a/deployment/puppet/nailgun/examples/ostf-only.pp
+++ b/deployment/puppet/nailgun/examples/ostf-only.pp
@ -46,8 +46,9 @@ node default {
    host         => "0.0.0.0",
    auth_enable  => 'True',

-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
-    keystone_host        => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_host      => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
+    keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
  }
  class { "nailgun::supervisor":
    nailgun_env   => $env_path,
--- a/deployment/puppet/nailgun/examples/site.pp
+++ b/deployment/puppet/nailgun/examples/site.pp
@ -100,8 +100,7 @@ node default {
    puppet_master_hostname => $puppet_master_hostname,
    puppet_master_ip => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],

-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
-    keystone_host        => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
  }

  Class['postgresql::server'] -> Class['nailgun']
--- a/deployment/puppet/nailgun/manifests/auth.pp
+++ b/deployment/puppet/nailgun/manifests/auth.pp
@ -0,0 +1,68 @@
+# == Class: nailgun::auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for Nailgun services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'nailgun'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'nailgun'.
+#
+class nailgun::auth(
+  $auth_name        = 'nailgun',
+  $password         = 'nailgun',
+  $address          = '127.0.0.1',
+  $internal_address = undef,
+  $admin_address    = undef,
+  $public_address   = undef,
+  $port             = '8000'
+) {
+  if ($internal_address == undef) {
+    $internal_address_real = $address
+  } else {
+    $internal_address_real = $internal_address
+  }
+
+  if ($admin_address == undef) {
+    $admin_address_real = $address
+  } else {
+    $admin_address_real = $admin_address
+  }
+
+  if ($public_address == undef) {
+    $public_address_real = $address
+  } else {
+    $public_address_real = $public_address
+  }
+
+  keystone_user { $auth_name:
+    ensure   => present,
+    enabled  => 'True',
+    tenant   => 'services',
+    password => $password,
+  }
+
+  keystone_user_role { "${auth_name}@services":
+    ensure => present,
+    roles  => 'admin',
+  }
+
+  keystone_service { 'nailgun':
+    ensure      => present,
+    type        => 'fuel',
+    description => 'Nailgun API',
+  }
+
+  keystone_endpoint { 'nailgun':
+    ensure       => present,
+    public_url   => "http://${public_address_real}:${port}/api",
+    admin_url    => "http://${admin_address_real}:${port}/api",
+    internal_url => "http://${internal_address_real}:${port}/api",
+  }
+}
--- a/deployment/puppet/nailgun/manifests/init.pp
+++ b/deployment/puppet/nailgun/manifests/init.pp
@ -50,8 +50,7 @@ class nailgun(
  $puppet_master_hostname = "${hostname}.${domain}",
  $puppet_master_ip = $ipaddress,

-  $keystone_admin_token = $keystone_admin_token,
-  $keystone_host        = $keystone_host,
+  $keystone_host = $keystone_host,

  ) {

@ -167,8 +166,9 @@ class nailgun(

    puppet_master_hostname => $puppet_master_hostname,

-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
-    keystone_host        => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_host         => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
+    keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
  }

  class {"nailgun::astute":
@ -270,10 +270,11 @@ class nailgun(
  class { "nailgun::logrotate": }

  class { "nailgun::ostf":
-    production => $production,
-    pip_opts => "${pip_index} ${pip_find_links}",
-    keystone_admin_token => $keystone_admin_token,
-    keystone_host        => $keystone_host,
+    production         => $production,
+    pip_opts           => "${pip_index} ${pip_find_links}",
+    keystone_host      => $keystone_host,
+    keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
+    keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
  }

  class { "nailgun::puppetsync": }
--- a/deployment/puppet/nailgun/manifests/ostf.pp
+++ b/deployment/puppet/nailgun/manifests/ostf.pp
@ -13,9 +13,10 @@ class nailgun::ostf(
  $host                 = '127.0.0.1',
  $port                 = '8777',
  $logfile              = '/var/log/ostf.log',
-  $keystone_admin_token = 'ADMIN',
  $keystone_host        = '127.0.0.1',
  $keystone_port        = '35357',
+  $keystone_ostf_user   = 'ostf',
+  $keystone_ostf_pass   = 'ostf',
  $auth_enable          = 'True',
 ){
  package{'libevent-devel':}
--- a/deployment/puppet/nailgun/manifests/ostf/auth.pp
+++ b/deployment/puppet/nailgun/manifests/ostf/auth.pp
@ -0,0 +1,68 @@
+# == Class: nailgun::ostf:auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for OSTF services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'ostf'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'ostf'.
+#
+class nailgun::ostf::auth(
+  $auth_name        = 'ostf',
+  $password         = 'ostf',
+  $address          = '127.0.0.1',
+  $internal_address = undef,
+  $admin_address    = undef,
+  $public_address   = undef,
+  $port             = '8000'
+) {
+  if ($internal_address == undef) {
+    $internal_address_real = $address
+  } else {
+    $internal_address_real = $internal_address
+  }
+
+  if ($admin_address == undef) {
+    $admin_address_real = $address
+  } else {
+    $admin_address_real = $admin_address
+  }
+
+  if ($public_address == undef) {
+    $public_address_real = $address
+  } else {
+    $public_address_real = $public_address
+  }
+
+  keystone_user { $auth_name:
+    ensure   => present,
+    enabled  => 'True',
+    tenant   => 'services',
+    password => $password,
+  }
+
+  keystone_user_role { "${auth_name}@services":
+    ensure => present,
+    roles  => 'admin',
+  }
+
+  keystone_service { 'ostf':
+    ensure      => present,
+    type        => 'ostf',
+    description => 'OSTF',
+  }
+
+  keystone_endpoint { 'ostf':
+    ensure       => present,
+    public_url   => "http://${public_address_real}:${port}/ostf",
+    admin_url    => "http://${admin_address_real}:${port}/ostf",
+    internal_url => "http://${internal_address_real}:${port}/ostf",
+  }
+}
--- a/deployment/puppet/nailgun/manifests/venv.pp
+++ b/deployment/puppet/nailgun/manifests/venv.pp
@ -49,8 +49,9 @@ class nailgun::venv(
  $exclude_network = $admin_network,
  $exclude_cidr = $admin_network_cidr,

-  $keystone_admin_token = 'ADMIN',
  $keystone_host = '127.0.0.1',
+  $keystone_nailgun_user = 'nailgun',
+  $keystone_nailgun_pass = 'nailgun',

  $dns_domain,
  ) {
--- a/deployment/puppet/nailgun/templates/ostf.conf.erb
+++ b/deployment/puppet/nailgun/templates/ostf.conf.erb
@ -10,8 +10,10 @@ after_init_hook = False
 auth_enable = <%= @auth_enable %>

 [keystone_authtoken]
-admin_token=<%= @keystone_admin_token %>
 auth_protocol=http
 auth_port=<%= @keystone_port %>
 auth_host=<%= @keystone_host %>
 auth_version=v2.0
+admin_user=<%= @keystone_ostf_user  %>
+admin_password=<%= @keystone_ostf_pass %>
+admin_tenant_name=services
--- a/deployment/puppet/nailgun/templates/settings.yaml.erb
+++ b/deployment/puppet/nailgun/templates/settings.yaml.erb
@ -8,10 +8,12 @@ AUTH:
  # - keystone - authentication enabled.
  AUTHENTICATION_METHOD: "keystone"
  # use only if AUTHENTICATION_METHOD is set to "keystone"
-  admin_token: "<%= @keystone_admin_token %>"
  auth_host: "<%= @keystone_host %>"
  auth_protocol: "http"
  auth_version: "v2.0"
+  admin_user: "<%= @keystone_nailgun_user  %>"
+  admin_password: "<%= @keystone_nailgun_pass %>"
+  admin_tenant_name: "services"

 DATABASE:
  engine: "<%= @database_engine %>"