Remove usage of admin_token

* Added new tenant/project: services
* Added two new users with admin roles to 'services' project:
  ostf and nailgun
* Use generated passwords for ostf and nailgun keystone users and
  remove admin_token
* OSTF and nailgun will use their users to validate keystone tokens
  instead of admin_token
* Added new services and endpoints for keystone, ostf, nailgun. Now
  it's possible to use keystone service catalog to discover their URLs

DocImpact
Implements: blueprint access-control-master-node-improvments
Depends: Ibe3844da784656f02673c32c2f98cb67bbdb3e89

Change-Id: I9860257b1b392be31de8ff9e09b95e9a3c6ba3f7

deployment/puppet/nailgun/examples/keystone-only.pp

@@ -30,25 +30,53 @@ case $production {
       refreshonly => false,
     }
 
-    keystone_tenant { 'admin' :
+    # Admin user
+    keystone_tenant { 'admin':
+      ensure  => present,
       enabled => 'True',
-      ensure  => present
     }
 
-    keystone_role {'admin' :
-      ensure => present
+    keystone_tenant { 'services':
+      ensure      => present,
+      enabled     => 'True',
+      description => 'fuel services tenant',
+    }
+
+    keystone_role { 'admin':
+      ensure => present,
     }
 
     keystone_user { 'admin':
-      password => $::fuel_settings['FUEL_ACCESS']['password'],
       ensure   => present,
+      password => $::fuel_settings['FUEL_ACCESS']['password'],
       enabled  => 'True',
-      tenant   => 'admin'
+      tenant   => 'admin',
     }
 
     keystone_user_role { 'admin@admin':
+      ensure => present,
       roles  => ['admin'],
-      ensure => present
+    }
+
+    # Keystone Endpoint
+    class { 'keystone::endpoint':
+      public_address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+      admin_address    => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+      internal_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    }
+
+    # Nailgun
+    class { 'nailgun::auth':
+      auth_name => $::fuel_settings['keystone']['nailgun_user'],
+      password  => $::fuel_settings['keystone']['nailgun_password'],
+      address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    }
+
+    # OSTF
+    class { 'nailgun::ostf::auth':
+      auth_name => $::fuel_settings['keystone']['ostf_user'],
+      password  => $::fuel_settings['keystone']['ostf_password'],
+      address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
     }
 
     # Increase token expiratin to 24h

deployment/puppet/nailgun/examples/nailgun-only.pp

@@ -117,8 +117,10 @@ class { "nailgun::venv":
 
   puppet_master_hostname => $puppet_master_hostname,
 
-  keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
   keystone_host         => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+  keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
+  keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
+
   dns_domain => $::fuel_settings['DNS_DOMAIN'],
 }
 class { 'nailgun::uwsgi':

deployment/puppet/nailgun/examples/ostf-only.pp

@@ -46,8 +46,9 @@ node default {
     host         => "0.0.0.0",
     auth_enable  => 'True',
 
-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
     keystone_host      => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
+    keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
   }
   class { "nailgun::supervisor":
     nailgun_env   => $env_path,

deployment/puppet/nailgun/examples/site.pp

@@ -100,7 +100,6 @@ node default {
     puppet_master_hostname => $puppet_master_hostname,
     puppet_master_ip => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
 
-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
     keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
   }
 

deployment/puppet/nailgun/manifests/auth.pp

@@ -0,0 +1,68 @@
+# == Class: nailgun::auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for Nailgun services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'nailgun'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'nailgun'.
+#
+class nailgun::auth(
+  $auth_name        = 'nailgun',
+  $password         = 'nailgun',
+  $address          = '127.0.0.1',
+  $internal_address = undef,
+  $admin_address    = undef,
+  $public_address   = undef,
+  $port             = '8000'
+) {
+  if ($internal_address == undef) {
+    $internal_address_real = $address
+  } else {
+    $internal_address_real = $internal_address
+  }
+
+  if ($admin_address == undef) {
+    $admin_address_real = $address
+  } else {
+    $admin_address_real = $admin_address
+  }
+
+  if ($public_address == undef) {
+    $public_address_real = $address
+  } else {
+    $public_address_real = $public_address
+  }
+
+  keystone_user { $auth_name:
+    ensure   => present,
+    enabled  => 'True',
+    tenant   => 'services',
+    password => $password,
+  }
+
+  keystone_user_role { "${auth_name}@services":
+    ensure => present,
+    roles  => 'admin',
+  }
+
+  keystone_service { 'nailgun':
+    ensure      => present,
+    type        => 'fuel',
+    description => 'Nailgun API',
+  }
+
+  keystone_endpoint { 'nailgun':
+    ensure       => present,
+    public_url   => "http://${public_address_real}:${port}/api",
+    admin_url    => "http://${admin_address_real}:${port}/api",
+    internal_url => "http://${internal_address_real}:${port}/api",
+  }
+}

deployment/puppet/nailgun/manifests/init.pp

@@ -50,7 +50,6 @@ class nailgun(
   $puppet_master_hostname = "${hostname}.${domain}",
   $puppet_master_ip = $ipaddress,
 
-  $keystone_admin_token = $keystone_admin_token,
   $keystone_host = $keystone_host,
 
   ) {
@@ -167,8 +166,9 @@ class nailgun(
 
     puppet_master_hostname => $puppet_master_hostname,
 
-    keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
     keystone_host         => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+    keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
+    keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
   }
 
   class {"nailgun::astute":
@@ -272,8 +272,9 @@ class nailgun(
   class { "nailgun::ostf":
     production         => $production,
     pip_opts           => "${pip_index} ${pip_find_links}",
-    keystone_admin_token => $keystone_admin_token,
     keystone_host      => $keystone_host,
+    keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
+    keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
   }
 
   class { "nailgun::puppetsync": }

deployment/puppet/nailgun/manifests/ostf.pp

@@ -13,9 +13,10 @@ class nailgun::ostf(
   $host                 = '127.0.0.1',
   $port                 = '8777',
   $logfile              = '/var/log/ostf.log',
-  $keystone_admin_token = 'ADMIN',
   $keystone_host        = '127.0.0.1',
   $keystone_port        = '35357',
+  $keystone_ostf_user   = 'ostf',
+  $keystone_ostf_pass   = 'ostf',
   $auth_enable          = 'True',
 ){
   package{'libevent-devel':}

deployment/puppet/nailgun/manifests/ostf/auth.pp

@@ -0,0 +1,68 @@
+# == Class: nailgun::ostf:auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for OSTF services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'ostf'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'ostf'.
+#
+class nailgun::ostf::auth(
+  $auth_name        = 'ostf',
+  $password         = 'ostf',
+  $address          = '127.0.0.1',
+  $internal_address = undef,
+  $admin_address    = undef,
+  $public_address   = undef,
+  $port             = '8000'
+) {
+  if ($internal_address == undef) {
+    $internal_address_real = $address
+  } else {
+    $internal_address_real = $internal_address
+  }
+
+  if ($admin_address == undef) {
+    $admin_address_real = $address
+  } else {
+    $admin_address_real = $admin_address
+  }
+
+  if ($public_address == undef) {
+    $public_address_real = $address
+  } else {
+    $public_address_real = $public_address
+  }
+
+  keystone_user { $auth_name:
+    ensure   => present,
+    enabled  => 'True',
+    tenant   => 'services',
+    password => $password,
+  }
+
+  keystone_user_role { "${auth_name}@services":
+    ensure => present,
+    roles  => 'admin',
+  }
+
+  keystone_service { 'ostf':
+    ensure      => present,
+    type        => 'ostf',
+    description => 'OSTF',
+  }
+
+  keystone_endpoint { 'ostf':
+    ensure       => present,
+    public_url   => "http://${public_address_real}:${port}/ostf",
+    admin_url    => "http://${admin_address_real}:${port}/ostf",
+    internal_url => "http://${internal_address_real}:${port}/ostf",
+  }
+}

deployment/puppet/nailgun/manifests/venv.pp

@@ -49,8 +49,9 @@ class nailgun::venv(
   $exclude_network = $admin_network,
   $exclude_cidr = $admin_network_cidr,
 
-  $keystone_admin_token = 'ADMIN',
   $keystone_host = '127.0.0.1',
+  $keystone_nailgun_user = 'nailgun',
+  $keystone_nailgun_pass = 'nailgun',
 
   $dns_domain,
   ) {

deployment/puppet/nailgun/templates/ostf.conf.erb

@@ -10,8 +10,10 @@ after_init_hook = False
 auth_enable = <%= @auth_enable %>
 
 [keystone_authtoken]
-admin_token=<%= @keystone_admin_token %>
 auth_protocol=http
 auth_port=<%= @keystone_port %>
 auth_host=<%= @keystone_host %>
 auth_version=v2.0
+admin_user=<%= @keystone_ostf_user  %>
+admin_password=<%= @keystone_ostf_pass %>
+admin_tenant_name=services

deployment/puppet/nailgun/templates/settings.yaml.erb

@@ -8,10 +8,12 @@ AUTH:
   # - keystone - authentication enabled.
   AUTHENTICATION_METHOD: "keystone"
   # use only if AUTHENTICATION_METHOD is set to "keystone"
-  admin_token: "<%= @keystone_admin_token %>"
   auth_host: "<%= @keystone_host %>"
   auth_protocol: "http"
   auth_version: "v2.0"
+  admin_user: "<%= @keystone_nailgun_user  %>"
+  admin_password: "<%= @keystone_nailgun_pass %>"
+  admin_tenant_name: "services"
 
 DATABASE:
   engine: "<%= @database_engine %>"