Remove usage of admin_token

* Added new tenant/project: services
* Added two new users with admin roles to 'services' project:
  ostf and nailgun
* Use generated passwords for ostf and nailgun keystone users and
  remove admin_token
* OSTF and nailgun will use their users to validate keystone tokens
  instead of admin_token
* Added new services and endpoints for keystone, ostf, nailgun. Now
  it's possible to use keystone service catalog to discover their URLs

DocImpact
Implements: blueprint access-control-master-node-improvments
Depends: Ibe3844da784656f02673c32c2f98cb67bbdb3e89

Change-Id: I9860257b1b392be31de8ff9e09b95e9a3c6ba3f7
This commit is contained in:
Sebastian Kalinowski 2014-10-27 13:10:01 +01:00
parent 97f28a07fe
commit 9dae245d0d
11 changed files with 198 additions and 25 deletions


@ -30,25 +30,53 @@ case $production {
refreshonly => false,
}
keystone_tenant { 'admin' :
# Admin user
keystone_tenant { 'admin':
ensure => present,
enabled => 'True',
ensure => present
}
keystone_role {'admin' :
ensure => present
keystone_tenant { 'services':
ensure => present,
enabled => 'True',
description => 'fuel services tenant',
}
keystone_role { 'admin':
ensure => present,
}
keystone_user { 'admin':
password => $::fuel_settings['FUEL_ACCESS']['password'],
ensure => present,
password => $::fuel_settings['FUEL_ACCESS']['password'],
enabled => 'True',
tenant => 'admin'
tenant => 'admin',
}
keystone_user_role { 'admin@admin':
ensure => present,
roles => ['admin'],
ensure => present
}
# Keystone Endpoint
class { 'keystone::endpoint':
public_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
admin_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
internal_address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
}
# Nailgun
class { 'nailgun::auth':
auth_name => $::fuel_settings['keystone']['nailgun_user'],
password => $::fuel_settings['keystone']['nailgun_password'],
address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
}
# OSTF
class { 'nailgun::ostf::auth':
auth_name => $::fuel_settings['keystone']['ostf_user'],
password => $::fuel_settings['keystone']['ostf_password'],
address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
}
# Increase token expiratin to 24h
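Review bot: The two service users created by the `class { 'nailgun::auth':` and `class { 'nailgun::ostf::auth':` declarations receive the admin role (both new classes document "The user is given the admin role in the services tenant"), and under Keystone v2's default policy the admin role is not confined to the tenant it was granted in, so either generated password is presumably as powerful as the admin_token this commit removes, including the ability to change the FUEL_ACCESS admin user. Keystone's default policy allows `identity:validate_token` with the `service` role (`rule:service_or_admin`), so a dedicated role for both users would bound the damage of a leaked nailgun or OSTF config file; this needs confirming against the policy.json installed on the master node. At minimum the trade-off deserves a comment above the Nailgun block: `# nailgun/ostf credentials carry the admin role: their config files are as sensitive as admin_token was`. The section ends at the token-expiration comment, so the expiration value itself is outside this view.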


@ -117,8 +117,10 @@ class { "nailgun::venv":
puppet_master_hostname => $puppet_master_hostname,
keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
dns_domain => $::fuel_settings['DNS_DOMAIN'],
}
class { 'nailgun::uwsgi':


@ -46,8 +46,9 @@ node default {
host => "0.0.0.0",
auth_enable => 'True',
keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
}
class { "nailgun::supervisor":
nailgun_env => $env_path,


@ -100,8 +100,7 @@ node default {
puppet_master_hostname => $puppet_master_hostname,
puppet_master_ip => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
}
Class['postgresql::server'] -> Class['nailgun']


@ -0,0 +1,68 @@
# == Class: nailgun::auth
#
# This class creates keystone users, services, endpoints, and roles
# for Nailgun services.
#
# The user is given the admin role in the services tenant.
#
# === Parameters
# [*auth_user*]
# String. The name of the user.
# Optional. Defaults to 'nailgun'.
#
# [*password*]
# String. The user's password.
# Optional. Defaults to 'nailgun'.
#
class nailgun::auth(
$auth_name = 'nailgun',
$password = 'nailgun',
$address = '127.0.0.1',
$internal_address = undef,
$admin_address = undef,
$public_address = undef,
$port = '8000'
) {
if ($internal_address == undef) {
$internal_address_real = $address
} else {
$internal_address_real = $internal_address
}
if ($admin_address == undef) {
$admin_address_real = $address
} else {
$admin_address_real = $admin_address
}
if ($public_address == undef) {
$public_address_real = $address
} else {
$public_address_real = $public_address
}
keystone_user { $auth_name:
ensure => present,
enabled => 'True',
tenant => 'services',
password => $password,
}
keystone_user_role { "${auth_name}@services":
ensure => present,
roles => 'admin',
}
keystone_service { 'nailgun':
ensure => present,
type => 'fuel',
description => 'Nailgun API',
}
keystone_endpoint { 'nailgun':
ensure => present,
public_url => "http://${public_address_real}:${port}/api",
admin_url => "http://${admin_address_real}:${port}/api",
internal_url => "http://${internal_address_real}:${port}/api",
}
}
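Review bot: `$password = 'nailgun'` is a live fallback for an account that gets the admin role at `keystone_user_role { "${auth_name}@services"`: Puppet substitutes the default when a caller passes an undef value, so an unset `nailgun_password` in fuel_settings silently creates the user with a publicly known password. Prefer `$password = undef,` in the signature and `if $password == undef { fail('nailgun::auth: password must be set') }` before the `keystone_user` resource. The header documents `[*auth_user*]` but the parameter is `$auth_name`, and `$address`, `$port` and the three `*_address` parameters are undocumented; `roles => 'admin'` is also a bare string where the site-level `admin@admin` resource passes `['admin']`, so an array would keep the two consistent even if both forms are accepted. The registered URLs are plain `http://`, so unless TLS is terminated elsewhere the token-validation calls that carry this password are unencrypted — worth a sentence in the class header.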


@ -50,8 +50,7 @@ class nailgun(
$puppet_master_hostname = "${hostname}.${domain}",
$puppet_master_ip = $ipaddress,
$keystone_admin_token = $keystone_admin_token,
$keystone_host = $keystone_host,
$keystone_host = $keystone_host,
) {
@ -167,8 +166,9 @@ class nailgun(
puppet_master_hostname => $puppet_master_hostname,
keystone_admin_token => $::fuel_settings['keystone']['admin_token'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
keystone_nailgun_user => $::fuel_settings['keystone']['nailgun_user'],
keystone_nailgun_pass => $::fuel_settings['keystone']['nailgun_password'],
}
class {"nailgun::astute":
@ -270,10 +270,11 @@ class nailgun(
class { "nailgun::logrotate": }
class { "nailgun::ostf":
production => $production,
pip_opts => "${pip_index} ${pip_find_links}",
keystone_admin_token => $keystone_admin_token,
keystone_host => $keystone_host,
production => $production,
pip_opts => "${pip_index} ${pip_find_links}",
keystone_host => $keystone_host,
keystone_ostf_user => $::fuel_settings['keystone']['ostf_user'],
keystone_ostf_pass => $::fuel_settings['keystone']['ostf_password'],
}
class { "nailgun::puppetsync": }
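Review bot: The new `keystone_nailgun_user`/`keystone_nailgun_pass` and `keystone_ostf_user`/`keystone_ostf_pass` arguments read `$::fuel_settings` directly inside the class body, while the neighbouring `keystone_host => $keystone_host` comes from a class parameter that the same commit keeps; this mixes two configuration paths in one class and means the class cannot be declared with an alternate credential source (tests, upgrades) without editing it. Lifting the four values into the `class nailgun(` parameter list with `$::fuel_settings[...]` as the defaults keeps the current behaviour and restores the pattern the removed `$keystone_admin_token = $keystone_admin_token` parameter followed. The parameter list and the class body both extend beyond these hunks.
```puppet
class nailgun(
  # … unchanged: existing parameters …
  $keystone_host = $keystone_host,
  $keystone_nailgun_user = $::fuel_settings['keystone']['nailgun_user'],
  $keystone_nailgun_pass = $::fuel_settings['keystone']['nailgun_password'],
  $keystone_ostf_user = $::fuel_settings['keystone']['ostf_user'],
  $keystone_ostf_pass = $::fuel_settings['keystone']['ostf_password'],
  # … unchanged: remaining parameters and body up to the venv declaration …
  class { "nailgun::venv":
    # … unchanged: other venv arguments …
    keystone_host => $keystone_host,
    keystone_nailgun_user => $keystone_nailgun_user,
    keystone_nailgun_pass => $keystone_nailgun_pass,
  }
  # … unchanged: astute, logrotate …
  class { "nailgun::ostf":
    production => $production,
    pip_opts => "${pip_index} ${pip_find_links}",
    keystone_host => $keystone_host,
    keystone_ostf_user => $keystone_ostf_user,
    keystone_ostf_pass => $keystone_ostf_pass,
  }
```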


@ -13,9 +13,10 @@ class nailgun::ostf(
$host = '127.0.0.1',
$port = '8777',
$logfile = '/var/log/ostf.log',
$keystone_admin_token = 'ADMIN',
$keystone_host = '127.0.0.1',
$keystone_port = '35357',
$keystone_ostf_user = 'ostf',
$keystone_ostf_pass = 'ostf',
$auth_enable = 'True',
){
package{'libevent-devel':}
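Review bot: `$keystone_ostf_pass = 'ostf'` hands the OSTF adapter a well-known default for an account that, per `nailgun::ostf::auth`, carries the admin role; the site-level caller passes `$::fuel_settings['keystone']['ostf_password']`, and if that key is missing Puppet uses this literal rather than failing. Make it mandatory: `$keystone_ostf_pass = undef,` and `if $keystone_ostf_pass == undef { fail('nailgun::ostf: keystone_ostf_pass is required') }` as the first statement of the body. The parameter list continues above the hunk and the body continues past `package{'libevent-devel':}`.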


@ -0,0 +1,68 @@
# == Class: nailgun::ostf:auth
#
# This class creates keystone users, services, endpoints, and roles
# for OSTF services.
#
# The user is given the admin role in the services tenant.
#
# === Parameters
# [*auth_user*]
# String. The name of the user.
# Optional. Defaults to 'ostf'.
#
# [*password*]
# String. The user's password.
# Optional. Defaults to 'ostf'.
#
class nailgun::ostf::auth(
$auth_name = 'ostf',
$password = 'ostf',
$address = '127.0.0.1',
$internal_address = undef,
$admin_address = undef,
$public_address = undef,
$port = '8000'
) {
if ($internal_address == undef) {
$internal_address_real = $address
} else {
$internal_address_real = $internal_address
}
if ($admin_address == undef) {
$admin_address_real = $address
} else {
$admin_address_real = $admin_address
}
if ($public_address == undef) {
$public_address_real = $address
} else {
$public_address_real = $public_address
}
keystone_user { $auth_name:
ensure => present,
enabled => 'True',
tenant => 'services',
password => $password,
}
keystone_user_role { "${auth_name}@services":
ensure => present,
roles => 'admin',
}
keystone_service { 'ostf':
ensure => present,
type => 'ostf',
description => 'OSTF',
}
keystone_endpoint { 'ostf':
ensure => present,
public_url => "http://${public_address_real}:${port}/ostf",
admin_url => "http://${admin_address_real}:${port}/ostf",
internal_url => "http://${internal_address_real}:${port}/ostf",
}
}
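Review bot: The endpoint is registered with `$port = '8000'` and path `/ostf`, while `nailgun::ostf` itself defaults to `$port = '8777'`, and the site-level declaration passes no port; presumably 8000 is a front-end proxy, but that cannot be confirmed from this diff, so a comment on the default such as `# catalog port is the front-end proxy, not OSTF's own 8777 — confirm` would stop the mismatch being read as a typo. The header documents `[*auth_user*]` but the parameter is `$auth_name`, and `$password = 'ostf'` is a known default on an admin-role account — `undef` plus `if $password == undef { fail('nailgun::ostf::auth: password must be set') }` is safer. `roles => 'admin'` is a bare string where the site-level `admin@admin` resource uses `['admin']`; an array keeps the resources consistent.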


@ -49,8 +49,9 @@ class nailgun::venv(
$exclude_network = $admin_network,
$exclude_cidr = $admin_network_cidr,
$keystone_admin_token = 'ADMIN',
$keystone_host = '127.0.0.1',
$keystone_nailgun_user = 'nailgun',
$keystone_nailgun_pass = 'nailgun',
$dns_domain,
) {
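Review bot: `$keystone_nailgun_pass = 'nailgun'` is a known default for the credential that ends up as `admin_password` in Nailgun's settings.yaml; site.pp passes `$::fuel_settings['keystone']['nailgun_password']`, so an unset key silently writes the well-known password for an admin-role account into the config instead of failing the run. Prefer `$keystone_nailgun_pass = undef,` with a `fail()` guard in the body, matching the required `$dns_domain,` immediately below which already has no default. The parameter list continues above the hunk.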


@ -10,8 +10,10 @@ after_init_hook = False
auth_enable = <%= @auth_enable %>
[keystone_authtoken]
admin_token=<%= @keystone_admin_token %>
auth_protocol=http
auth_port=<%= @keystone_port %>
auth_host=<%= @keystone_host %>
auth_version=v2.0
admin_user=<%= @keystone_ostf_user %>
admin_password=<%= @keystone_ostf_pass %>
admin_tenant_name=services
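Review bot: `admin_password=<%= @keystone_ostf_pass %>` writes the generated secret verbatim into the OSTF config, and the `file` resource that renders this template is not in the diff — confirm it is mode `0600` and owned by the OSTF service user, since the file is now as sensitive as the admin_token it replaces. The value is also emitted unescaped: if this file is parsed by oslo.config, a `$` in the generated password would be treated as a `$var` substitution, so either restrict the generator's alphabet or escape it in the template, e.g. `admin_password=<%= @keystone_ostf_pass.gsub('$', '$$') %>`, verified against the actual parser. `auth_protocol=http` means the validation calls to `auth_host` carry this password in the clear; a comment stating that the admin network is trusted for this would make the assumption explicit.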


@ -8,10 +8,12 @@ AUTH:
# - keystone - authentication enabled.
AUTHENTICATION_METHOD: "keystone"
# use only if AUTHENTICATION_METHOD is set to "keystone"
admin_token: "<%= @keystone_admin_token %>"
auth_host: "<%= @keystone_host %>"
auth_protocol: "http"
auth_version: "v2.0"
admin_user: "<%= @keystone_nailgun_user %>"
admin_password: "<%= @keystone_nailgun_pass %>"
admin_tenant_name: "services"
DATABASE:
engine: "<%= @database_engine %>"
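Review bot: `admin_password: "<%= @keystone_nailgun_pass %>"` interpolates the generated password inside a double-quoted YAML scalar, so a value containing `"` or `\` yields an unparseable settings.yaml; `admin_password: <%= @keystone_nailgun_pass.to_json %>` emits a correctly escaped scalar (a JSON string is a valid YAML double-quoted scalar), and `admin_user` should be treated the same way. If the password generator is limited to alphanumerics the problem does not arise today, but the template should not depend on that. The file resource writing settings.yaml is outside this diff — confirm it is `0600` and owned by the nailgun user, because the file now holds an admin-role credential, and `auth_protocol: "http"` means that credential travels unencrypted to `auth_host`.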