Remove keystone admin token

Admin token has been deprecated upstream. It will be removed in O. We
switch over to the new `keystone-manage bootstrap` method for creating
the initial admin user, role, and project.

Co-Authored-By: Sam Yaple <sam@yaple.net>
Change-Id: I6ca90e8d4c3b71009e24b049b2efbc08c05ebfbf
SamYaple 2016-02-29 18:54:02 +00:00
parent f1bf9a4a1e
commit 4edd0baf8d
7 changed files with 95 additions and 48 deletions


@ -1,7 +1,8 @@
[DEFAULT] [DEFAULT]
debug = {{ ironic_logging_debug }} debug = {{ ironic_logging_debug }}
admin_token = {{ keystone_admin_token }} admin_user = {{ openstack_auth.username }}
admin_password = {{ keystone_admin_password }}
{% if service_name == 'ironic-api' %} {% if service_name == 'ironic-api' %}
[api] [api]
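Review bot: The added `admin_password = {{ keystone_admin_password }}` takes the credential from a different variable than the username on the line above (`openstack_auth.username`) and than the new bootstrap task in this commit, which authenticates with `openstack_auth.password`; if those two values ever diverge, ironic's auth silently breaks while the bootstrap still succeeds. `admin_password = {{ openstack_auth.password }}` would keep a single source of truth, assuming `openstack_auth` is populated from the same group vars (its definition is not in this diff). Also worth a one-line comment on whether ironic reads `admin_user`/`admin_password` from `[DEFAULT]`, since that cannot be confirmed from this hunk.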


@ -24,7 +24,10 @@ keystone_public_address: "{{ kolla_external_fqdn }}"
keystone_admin_address: "{{ kolla_internal_fqdn }}" keystone_admin_address: "{{ kolla_internal_fqdn }}"
keystone_internal_address: "{{ kolla_internal_fqdn }}" keystone_internal_address: "{{ kolla_internal_fqdn }}"
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}"
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}"
keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}"
keystone_logging_debug: "{{ openstack_logging_debug }}" keystone_logging_debug: "{{ openstack_logging_debug }}"
openstack_keystone_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}" openstack_keystone_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}"
openstack_keystone_token_auth: "{'endpoint':'{{ openstack_auth_v2.auth_url }}','token':'{{ keystone_admin_token }}'}"
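Review bot: The added `keystone_internal_url` is built with `keystone_admin_port`, so the internal endpoint that `kolla_keystone_bootstrap` registers points at the admin API port rather than `keystone_public_port`. This mirrors the URLs the removed register.yml task used, so it may be deliberate, but now that these three variables are the single definition handed to the bootstrap script, a short comment such as `# internal endpoint intentionally shares the admin port` (or a switch to `keystone_public_port` if it was not intended) would save the next reader a search.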


@ -1,39 +1,7 @@
--- ---
- name: Creating the admin project, user and role - name: Creating admin project, user, role, service, and endpoint
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost command: docker exec -t keystone kolla_keystone_bootstrap {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ openstack_region_name }}
-m kolla_keystone_user register: keystone_bootstrap
-a "project=admin changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}"
user=admin failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}"
password={{ keystone_admin_password }}
role=admin
region_name={{ openstack_region_name }}
auth_type=admin_token
auth={{ '{{ openstack_keystone_token_auth }}' }}"
-e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}"
register: keystone_admin_user
changed_when: "{{ keystone_admin_user.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_admin_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: keystone_admin_user.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True
- name: Creating the Keystone service and endpoint
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m kolla_keystone_service
-a "service_name=keystone
service_type=identity
description='Openstack Identity'
endpoint_region={{ openstack_region_name }}
admin_url='{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}'
internal_url='{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}'
public_url='{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}'
region_name={{ openstack_region_name }}
auth_type=admin_token
auth={{ '{{ openstack_keystone_token_auth }}' }}"
-e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}"
register: keystone_endpoint
changed_when: "{{ keystone_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: keystone_endpoint.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True run_once: True
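Review bot: The new `command:` line passes `{{ openstack_auth.password }}` as a positional argument to `docker exec`, so the admin password is visible in the host process list and in the `command` module's logged task output; the removed task had the same exposure via `-a`, but since the line is being rewritten this is the moment to add `no_log: True` to the task. The `until`/`retries`/`delay` loop of the removed task is also gone: the script calls the Keystone API right away, so if keystone is not yet accepting connections the play fails on the first attempt instead of waiting as before. `changed_when`/`failed_when` additionally run `from_json` on stdout unconditionally, so any non-JSON output (the script dying before it prints its status line) surfaces as a template error rather than the script's message; keeping `until: keystone_bootstrap.rc == 0` with `retries: 10` and `delay: 5` would preserve the old resilience.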


@ -4,7 +4,5 @@ debug = {{ keystone_logging_debug }}
# NOTE(elemoine) log_dir alone does not work for Keystone # NOTE(elemoine) log_dir alone does not work for Keystone
log_file = /var/log/kolla/keystone/keystone.log log_file = /var/log/kolla/keystone/keystone.log
admin_token = {{ keystone_admin_token }}
[database] [database]
connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }} connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}


@ -60,16 +60,12 @@ RUN ln -s keystone-source/* keystone \
{% endif %} {% endif %}
# NOTE(SamYaple): This is to reintroduce a deprecated option as a quick-fix
# until the correct new procedure is implemented.
# TODO(SamYaple): Replace this with `keystone-manage bootstrap`
RUN sed -i 's|token_auth json_body|token_auth admin_token_auth json_body|g' /etc/keystone/keystone-paste.ini
RUN usermod -a -G kolla keystone \ RUN usermod -a -G kolla keystone \
&& chown -R keystone: /var/www/cgi-bin/keystone \ && chown -R keystone: /var/www/cgi-bin/keystone \
&& chmod 755 /var/www/cgi-bin/keystone/* && chmod 755 /var/www/cgi-bin/keystone/*
COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap
COPY extend_start.sh /usr/local/bin/kolla_extend_start COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap
{{ include_footer }} {{ include_footer }}
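Review bot: The `COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap` line ships a script that shells out to the `openstack` CLI for every check, but nothing in this hunk installs python-openstackclient into the keystone image; unless it is already pulled in elsewhere in the Dockerfile (not visible here), the script fails before it can print JSON and the Ansible `from_json` filters error out. A `RUN` installing the client, or a comment next to the COPY naming where it comes from, would make the dependency explicit. The `chmod 755` on the script is appropriate since it is invoked via `docker exec`.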


@ -0,0 +1,82 @@
#!/bin/bash
# NOTE(SamYaple): Kolla needs to wraps `keystone-manage bootstrap` to ensure
# any change is reported correctly for idempotency. This script will exit with
# valid json that can be parsed with information about if the task has failed
# and if anything changed.
USERNAME=$1
PASSWORD=$2
PROJECT=$3
ROLE=$4
ADMIN_URL=$5
INTERNAL_URL=$6
PUBLIC_URL=$7
REGION=$8
function get_token {
unset OS_TOKEN OS_URL
OS_TOKEN=$(openstack --os-identity-api-version 3 --os-username "${USERNAME}" --os-password "${PASSWORD}" --os-project-name "${PROJECT}" --os-auth-url "${ADMIN_URL}" token issue 2>&1 | awk '/ id / {print $4}')
OS_URL="${ADMIN_URL}/v3"
}
function fail_json {
echo '{"failed": true, "msg": "'$1'"}'
exit 1
}
function exit_json {
echo '{"failed": false, "changed": '"${changed}"'}'
}
function create_service {
if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service list 2>&1 | awk '/identity/') ]]; then
openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service create identity --name keystone 2>&1 > /dev/null
changed="true"
fi
}
function create_endpoints {
endpoints=$(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint list)
if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "admin" {print $14;exit}') != "${ADMIN_URL}" ]]; then
openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone admin "${ADMIN_URL}" 2>&1 > /dev/null
changed="true"
fi
if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "internal" {print $14;exit}') != "${INTERNAL_URL}" ]]; then
openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone internal "${INTERNAL_URL}" 2>&1 > /dev/null
changed="true"
fi
if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "public" {print $14;exit}') != "${PUBLIC_URL}" ]]; then
openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone public "${PUBLIC_URL}" 2>&1 > /dev/null
changed="true"
fi
}
changed="false"
get_token
if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" user list 2>&1 | awk '/'"${USERNAME}"'/') ]]; then
keystone_bootstrap=$(keystone-manage bootstrap --bootstrap-username "${USERNAME}" --bootstrap-password "${PASSWORD}" --bootstrap-project-name "${PROJECT}" --bootstrap-role-name "${ROLE}" 2>&1)
if [[ $? != 0 ]]; then
fail_json "${keystone_bootstrap}"
fi
changed=$(echo "${keystone_bootstrap}" | awk '
/Domain default already exists, skipping creation./ ||
/Project '"${PROJECT}"' already exists, skipping creation./ ||
/User '"${USERNAME}"' already exists, skipping creation./ ||
/Role '"${ROLE}"' exists, skipping creation./ ||
/User '"${USERNAME}"' already has '"${ROLE}"' on '"${PROJECT}"'./ {count++}
END {
if (count == 5) changed="false"; else changed="true"
print changed
}'
)
fi
get_token
if [[ ! "${OS_TOKEN}" ]]; then
fail_json "Unable to issue token"
fi
create_service
create_endpoints
exit_json
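Review bot: `fail_json` at `echo '{"failed": true, "msg": "'$1'"}'` interpolates the message into JSON unquoted and unescaped, so `$1` is word-split and any double quote, backslash or newline in the `keystone-manage bootstrap` output handed over at `fail_json "${keystone_bootstrap}"` yields invalid JSON; the Ansible side then fails inside `from_json` and the real error is lost. If python is on PATH in the image (likely, since keystone itself is Python), `printf '%s' "$1" | python -c 'import json,sys; print(json.dumps({"failed": True, "msg": sys.stdin.read()}))'` produces a correctly escaped document. Separately, `get_token` passes the password on the `openstack` command line via `--os-password`, where anyone who can list processes in the container can read it; exporting `OS_PASSWORD` for that call keeps it out of argv. Also, `2>&1 > /dev/null` in `create_service`/`create_endpoints` sends stderr to the terminal rather than to /dev/null (`> /dev/null 2>&1` is the intended order if that noise is unwanted), and the `user list | awk '/'"${USERNAME}"'/'` check is a substring regex match, so a username that is a prefix of another existing user, or one containing regex metacharacters, gives a wrong answer and skips or repeats the bootstrap.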


@ -25,7 +25,6 @@ docker_registry_password:
#################### ####################
# OpenStack options # OpenStack options
#################### ####################
keystone_admin_token: "password"
keystone_admin_password: "password" keystone_admin_password: "password"
keystone_database_password: "password" keystone_database_password: "password"