From 9dae245d0d91203f1c6acf24ae9ba4eb18b98295 Mon Sep 17 00:00:00 2001 From: Sebastian Kalinowski Date: Mon, 27 Oct 2014 13:10:01 +0100 Subject: [PATCH] Remove usage of admin_token * Added new tenant/project: services * Added two new users with admin roles to 'services' project: ostf and nailgun * Use generated passwords for ostf and nailgun keystone users and remove admin_token * OSTF and nailgun will use their users to validate keystone tokens instead of admin_token * Added new services and endpoints for keystone, ostf, nailgun. Now it's possible to use keystone service catalog to discover their URLs DocImpact Implements: blueprint access-control-master-node-improvments Depends: Ibe3844da784656f02673c32c2f98cb67bbdb3e89 Change-Id: I9860257b1b392be31de8ff9e09b95e9a3c6ba3f7 --- .../puppet/nailgun/examples/keystone-only.pp | 42 ++++++++++-- .../puppet/nailgun/examples/nailgun-only.pp | 6 +- .../puppet/nailgun/examples/ostf-only.pp | 5 +- deployment/puppet/nailgun/examples/site.pp | 3 +- deployment/puppet/nailgun/manifests/auth.pp | 68 +++++++++++++++++++ deployment/puppet/nailgun/manifests/init.pp | 17 ++--- deployment/puppet/nailgun/manifests/ostf.pp | 3 +- .../puppet/nailgun/manifests/ostf/auth.pp | 68 +++++++++++++++++++ deployment/puppet/nailgun/manifests/venv.pp | 3 +- .../puppet/nailgun/templates/ostf.conf.erb | 4 +- .../nailgun/templates/settings.yaml.erb | 4 +- 11 files changed, 198 insertions(+), 25 deletions(-) create mode 100644 deployment/puppet/nailgun/manifests/auth.pp create mode 100644 deployment/puppet/nailgun/manifests/ostf/auth.pp diff --git a/deployment/puppet/nailgun/examples/keystone-only.pp b/deployment/puppet/nailgun/examples/keystone-only.pp index ff9329e067..ee9e3f8e02 100644 --- a/deployment/puppet/nailgun/examples/keystone-only.pp +++ b/deployment/puppet/nailgun/examples/keystone-only.pp 
@@ -30,25 +30,53 @@ case $production { refreshonly => false, } - keystone_tenant { 'admin' : + # Admin user + keystone_tenant { 'admin': + ensure => present, enabled => 'True', - ensure => present } - keystone_role {'admin' : - ensure => present + keystone_tenant { 'services': + ensure => present, + enabled => 'True', + description => 'fuel services tenant', + } + + keystone_role { 'admin': + ensure => present, } keystone_user { 'admin': - password => $::fuel_settings['FUEL_ACCESS']['password'], ensure => present, + password => $::fuel_settings['FUEL_ACCESS']['password'], enabled => 'True', - tenant => 'admin' + tenant => 'admin', } keystone_user_role { 'admin@admin': + ensure => present, roles => ['admin'], - ensure => present + } + + # Keystone Endpoint + class { 'keystone::endpoint': + public_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + admin_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + internal_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + } + + # Nailgun + class { 'nailgun::auth': + auth_name => $::fuel_settings['keystone']['nailgun_user'], + password => $::fuel_settings['keystone']['nailgun_password'], + address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + } + + # OSTF + class { 'nailgun::ostf::auth': + auth_name => $::fuel_settings['keystone']['ostf_user'], + password => $::fuel_settings['keystone']['ostf_password'], + address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], } # Increase token expiratin to 24h diff --git a/deployment/puppet/nailgun/examples/nailgun-only.pp b/deployment/puppet/nailgun/examples/nailgun-only.pp index 426edfd29e..d9fb85d204 100644 --- a/deployment/puppet/nailgun/examples/nailgun-only.pp +++ b/deployment/puppet/nailgun/examples/nailgun-only.pp 
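Review bot: The `class { 'nailgun::auth': }` and `class { 'nailgun::ostf::auth': }` declarations have nothing ordering them after `keystone_tenant { 'services': }` and `keystone_role { 'admin': }`, which the `keystone_user` and `keystone_user_role` resources inside those classes depend on. If the bundled puppet-keystone types do not autorequire their tenant and role (newer versions of the module do, which is presumably what is relied on here), the first run can fail on a missing tenant; an explicit `Keystone_tenant['services'] -> Class['nailgun::auth', 'nailgun::ostf::auth']` next to the declarations removes the ambiguity either way. The two service accounts created here receive the `admin` role, and the `admin_user`/`admin_password` the token-validation config authenticates with are these accounts, so the master node now holds two more admin credentials; a comment on the `# Nailgun` / `# OSTF` declarations recording why the admin role is needed (presumably because Keystone v2 token validation through the admin API requires it) would keep that from being "tidied" away later. The enclosing `case $production` block starts before the hunk.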
@@ -117,8 +117,10 @@ class { "nailgun::venv": puppet_master_hostname => $puppet_master_hostname, - keystone_admin_token => $::fuel_settings['keystone']['admin_token'], - keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'], + keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'], + dns_domain => $::fuel_settings['DNS_DOMAIN'], } class { 'nailgun::uwsgi': diff --git a/deployment/puppet/nailgun/examples/ostf-only.pp b/deployment/puppet/nailgun/examples/ostf-only.pp index 0bef680e05..b23ed9e7ba 100644 --- a/deployment/puppet/nailgun/examples/ostf-only.pp +++ b/deployment/puppet/nailgun/examples/ostf-only.pp @@ -46,8 +46,9 @@ node default { host => "0.0.0.0", auth_enable => 'True', - keystone_admin_token => $::fuel_settings['keystone']['admin_token'], - keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'], + keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'], } class { "nailgun::supervisor": nailgun_env => $env_path, diff --git a/deployment/puppet/nailgun/examples/site.pp b/deployment/puppet/nailgun/examples/site.pp index dcf6b67b12..932d670937 100644 --- a/deployment/puppet/nailgun/examples/site.pp +++ b/deployment/puppet/nailgun/examples/site.pp @@ -100,8 +100,7 @@ node default { puppet_master_hostname => $puppet_master_hostname, puppet_master_ip => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], - keystone_admin_token => $::fuel_settings['keystone']['admin_token'], - keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], } Class['postgresql::server'] -> Class['nailgun'] 
diff --git a/deployment/puppet/nailgun/manifests/auth.pp b/deployment/puppet/nailgun/manifests/auth.pp
new file mode 100644
index 0000000000..65fbd09ecb
--- /dev/null
+++ b/deployment/puppet/nailgun/manifests/auth.pp
@@ -0,0 +1,68 @@
+# == Class: nailgun::auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for Nailgun services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+# String. The name of the user.
+# Optional. Defaults to 'nailgun'.
+#
+# [*password*]
+# String. The user's password.
+# Optional. Defaults to 'nailgun'.
+#
+class nailgun::auth(
+ $auth_name = 'nailgun',
+ $password = 'nailgun',
+ $address = '127.0.0.1',
+ $internal_address = undef,
+ $admin_address = undef,
+ $public_address = undef,
+ $port = '8000'
+) {
+ if ($internal_address == undef) {
+ $internal_address_real = $address
+ } else {
+ $internal_address_real = $internal_address
+ }
+
+ if ($admin_address == undef) {
+ $admin_address_real = $address
+ } else {
+ $admin_address_real = $admin_address
+ }
+
+ if ($public_address == undef) {
+ $public_address_real = $address
+ } else {
+ $public_address_real = $public_address
+ }
+
+ keystone_user { $auth_name:
+ ensure => present,
+ enabled => 'True',
+ tenant => 'services',
+ password => $password,
+ }
+
+ keystone_user_role { "${auth_name}@services":
+ ensure => present,
+ roles => 'admin',
+ }
+
+ keystone_service { 'nailgun':
+ ensure => present,
+ type => 'fuel',
+ description => 'Nailgun API',
+ }
+
+ keystone_endpoint { 'nailgun':
+ ensure => present,
+ public_url => "http://${public_address_real}:${port}/api",
+ admin_url => "http://${admin_address_real}:${port}/api",
+ internal_url => "http://${internal_address_real}:${port}/api",
+ }
+}
diff --git a/deployment/puppet/nailgun/manifests/init.pp b/deployment/puppet/nailgun/manifests/init.pp
index 3cb9296c0f..4033e92a52 100644
--- a/deployment/puppet/nailgun/manifests/init.pp
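Review bot: `$password` defaults to `'nailgun'`, so any caller that omits it creates a Keystone account holding the `admin` role with a well-known password; the example manifests pass the generated `$::fuel_settings['keystone']['nailgun_password']`, but nothing prevents the default from being used. Making the parameter mandatory (`$password,` with no default) or calling `fail()` when it is unset keeps the credential from ever being a literal in the source; the same default is in `manifests/ostf/auth.pp`, and the consumer-side defaults in `manifests/ostf.pp` (`'ostf'`) and `manifests/venv.pp` (`'nailgun'`) have the same problem. The header documents `[*auth_user*]` while the parameter is `$auth_name`, and `$address`, `$internal_address`, `$admin_address`, `$public_address` and `$port` are not documented at all. The tenant is hard-coded as `'services'` in `keystone_user` and in the `keystone_user_role` title but is not created by this class, so a `$tenant` parameter defaulting to `'services'` plus a header sentence stating that the tenant and the `admin` role must already exist would make the contract explicit. `manifests/ostf/auth.pp` is the same class apart from the defaults, service name/type and endpoint path; the two could be one defined type taking those as arguments instead of two copies to keep in sync.
```puppet
class nailgun::auth(
  $auth_name = 'nailgun',
  $password,
  $tenant = 'services',
  $address = '127.0.0.1',
  # … unchanged: *_address and $port parameters …
) {
  # … unchanged: *_address_real fallbacks …

  keystone_user { $auth_name:
    ensure   => present,
    enabled  => 'True',
    tenant   => $tenant,
    password => $password,
  }

  keystone_user_role { "${auth_name}@${tenant}":
    ensure => present,
    roles  => 'admin',
  }

  # … unchanged: keystone_service and keystone_endpoint …
```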
+++ b/deployment/puppet/nailgun/manifests/init.pp @@ -50,8 +50,7 @@ class nailgun( $puppet_master_hostname = "${hostname}.${domain}", $puppet_master_ip = $ipaddress, - $keystone_admin_token = $keystone_admin_token, - $keystone_host = $keystone_host, + $keystone_host = $keystone_host, ) { @@ -167,8 +166,9 @@ class nailgun( puppet_master_hostname => $puppet_master_hostname, - keystone_admin_token => $::fuel_settings['keystone']['admin_token'], - keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], + keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'], + keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'], } class {"nailgun::astute": @@ -270,10 +270,11 @@ class nailgun( class { "nailgun::logrotate": } class { "nailgun::ostf": - production => $production, - pip_opts => "${pip_index} ${pip_find_links}", - keystone_admin_token => $keystone_admin_token, - keystone_host => $keystone_host, + production => $production, + pip_opts => "${pip_index} ${pip_find_links}", + keystone_host => $keystone_host, + keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'], + keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'], } class { "nailgun::puppetsync": } diff --git a/deployment/puppet/nailgun/manifests/ostf.pp b/deployment/puppet/nailgun/manifests/ostf.pp index a1ee05be03..2d1c597e8e 100644 --- a/deployment/puppet/nailgun/manifests/ostf.pp +++ b/deployment/puppet/nailgun/manifests/ostf.pp @@ -13,9 +13,10 @@ class nailgun::ostf( $host = '127.0.0.1', $port = '8777', $logfile = '/var/log/ostf.log', - $keystone_admin_token = 'ADMIN', $keystone_host = '127.0.0.1', $keystone_port = '35357', + $keystone_ostf_user = 'ostf', + $keystone_ostf_pass = 'ostf', $auth_enable = 'True', ){ package{'libevent-devel':} 
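Review bot: The `nailgun` class keeps `$keystone_host` as a parameter, but the new `keystone_nailgun_user`/`keystone_nailgun_pass` and `keystone_ostf_user`/`keystone_ostf_pass` values in the second and third hunks of this file are read straight from `$::fuel_settings` inside the class body, so a caller such as `examples/site.pp` can override the host but not the credentials, and the two halves of the Keystone configuration are supplied through different channels. Declaring them as parameters next to `$keystone_host` (for example `$keystone_nailgun_user = $::fuel_settings['keystone']['nailgun_user'],` and the matching three lines) and passing `$keystone_nailgun_user` etc. through to `nailgun::venv` and `nailgun::ostf` would keep the class's inputs in one place and let the examples stay the single source of wiring. The `$keystone_host = $keystone_host` self-referential default on the kept line is pre-existing, but it is worth a short comment on what it is expected to resolve to, since it reads like a typo. The class `nailgun` signature starts before the first hunk.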
diff --git a/deployment/puppet/nailgun/manifests/ostf/auth.pp b/deployment/puppet/nailgun/manifests/ostf/auth.pp
new file mode 100644
index 0000000000..4745cb460b
--- /dev/null
+++ b/deployment/puppet/nailgun/manifests/ostf/auth.pp
@@ -0,0 +1,68 @@
+# == Class: nailgun::ostf:auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for OSTF services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+# String. The name of the user.
+# Optional. Defaults to 'ostf'.
+#
+# [*password*]
+# String. The user's password.
+# Optional. Defaults to 'ostf'.
+#
+class nailgun::ostf::auth(
+ $auth_name = 'ostf',
+ $password = 'ostf',
+ $address = '127.0.0.1',
+ $internal_address = undef,
+ $admin_address = undef,
+ $public_address = undef,
+ $port = '8000'
+) {
+ if ($internal_address == undef) {
+ $internal_address_real = $address
+ } else {
+ $internal_address_real = $internal_address
+ }
+
+ if ($admin_address == undef) {
+ $admin_address_real = $address
+ } else {
+ $admin_address_real = $admin_address
+ }
+
+ if ($public_address == undef) {
+ $public_address_real = $address
+ } else {
+ $public_address_real = $public_address
+ }
+
+ keystone_user { $auth_name:
+ ensure => present,
+ enabled => 'True',
+ tenant => 'services',
+ password => $password,
+ }
+
+ keystone_user_role { "${auth_name}@services":
+ ensure => present,
+ roles => 'admin',
+ }
+
+ keystone_service { 'ostf':
+ ensure => present,
+ type => 'ostf',
+ description => 'OSTF',
+ }
+
+ keystone_endpoint { 'ostf':
+ ensure => present,
+ public_url => "http://${public_address_real}:${port}/ostf",
+ admin_url => "http://${admin_address_real}:${port}/ostf",
+ internal_url => "http://${internal_address_real}:${port}/ostf",
+ }
+}
diff --git a/deployment/puppet/nailgun/manifests/venv.pp b/deployment/puppet/nailgun/manifests/venv.pp
index a1273f30f6..94edb88c70 100644
--- a/deployment/puppet/nailgun/manifests/venv.pp
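Review bot: The header reads `nailgun::ostf:auth` with a single colon while the class declared below is `nailgun::ostf::auth`; it should be `# == Class: nailgun::ostf::auth`. `$port` defaults to `'8000'` here although `nailgun::ostf` in `manifests/ostf.pp` listens on `'8777'` by default; if the `/ostf` endpoint is meant to be reached through a front-end on 8000 a comment on `$port` saying so would stop the next reader from "correcting" it to 8777. The other points raised on `manifests/auth.pp` (default password, `[*auth_user*]` versus `$auth_name`, hard-coded tenant, duplication) apply to this copy as well.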
+++ b/deployment/puppet/nailgun/manifests/venv.pp @@ -49,8 +49,9 @@ class nailgun::venv( $exclude_network = $admin_network, $exclude_cidr = $admin_network_cidr, - $keystone_admin_token = 'ADMIN', $keystone_host = '127.0.0.1', + $keystone_nailgun_user = 'nailgun', + $keystone_nailgun_pass = 'nailgun', $dns_domain, ) { diff --git a/deployment/puppet/nailgun/templates/ostf.conf.erb b/deployment/puppet/nailgun/templates/ostf.conf.erb index 719262431d..9709a6bb43 100644 --- a/deployment/puppet/nailgun/templates/ostf.conf.erb +++ b/deployment/puppet/nailgun/templates/ostf.conf.erb @@ -10,8 +10,10 @@ after_init_hook = False auth_enable = <%= @auth_enable %> [keystone_authtoken] -admin_token=<%= @keystone_admin_token %> auth_protocol=http auth_port=<%= @keystone_port %> auth_host=<%= @keystone_host %> auth_version=v2.0 +admin_user=<%= @keystone_ostf_user %> +admin_password=<%= @keystone_ostf_pass %> +admin_tenant_name=services diff --git a/deployment/puppet/nailgun/templates/settings.yaml.erb b/deployment/puppet/nailgun/templates/settings.yaml.erb index 22afe7980a..451b17f844 100644 --- a/deployment/puppet/nailgun/templates/settings.yaml.erb +++ b/deployment/puppet/nailgun/templates/settings.yaml.erb @@ -8,10 +8,12 @@ AUTH: # - keystone - authentication enabled. AUTHENTICATION_METHOD: "keystone" # use only if AUTHENTICATION_METHOD is set to "keystone" - admin_token: "<%= @keystone_admin_token %>" auth_host: "<%= @keystone_host %>" auth_protocol: "http" auth_version: "v2.0" + admin_user: "<%= @keystone_nailgun_user %>" + admin_password: "<%= @keystone_nailgun_pass %>" + admin_tenant_name: "services" DATABASE: engine: "<%= @database_engine %>"
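Review bot: `admin_password=<%= @keystone_ostf_pass %>` writes the service account's password into the rendered `ostf.conf` where `admin_token` used to be, and the `file` resource that renders this template is not part of the diff, so check that it sets a restrictive `mode` (`0600`) and an owner matching the service user; the same applies to the `settings.yaml` rendered from `templates/settings.yaml.erb` in the next hunk, which now carries `admin_password` too. `admin_tenant_name=services` is a literal here and in `settings.yaml.erb`, while the tenant the accounts are created in is a separate literal in `nailgun::auth`/`nailgun::ostf::auth`; threading one tenant parameter through `nailgun::ostf` and `nailgun::venv` into both templates would keep the two sides from drifting apart. A comment in the `[keystone_authtoken]` section such as `# account used to validate incoming keystone tokens (replaces admin_token)` would tell an operator reading the file why an admin password is present.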