Configure dcmanager user for endpoint_cache

The following changes are made, in order to remove the dependencies to 'admin' user and use 'dcmanager' user to authenticate with services in the subclouds: . Configure dcmanager user for dcorch . Add the dcmanager user id to the static.yaml on subclouds during upgrade Depends-On: https://review.opendev.org/#/c/735994/ Partial-Bug: 1883758 Change-Id: I72ed05d38ac6c25d240f99c4aeaf13b51273471f Signed-off-by: Tao Liu <tao.liu@windriver.com>
2020-06-16 16:29:29 -04:00 · 2020-06-16 16:29:29 -04:00 · 5fd25a2085
commit 5fd25a2085
parent 45c31a7973
5 changed files with 77 additions and 0 deletions
--- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
+++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py
@ -30,6 +30,7 @@ from sysinv.common import constants as sysinv_constants
 # have been applied, so only the static entries from tsconfig can be used
 # (the platform.conf file will not have been updated with dynamic values).
 from tsconfig.tsconfig import SW_VERSION
+# from tsconfig.tsconfig import SW_VERSION_20_06
 from tsconfig.tsconfig import PLATFORM_PATH
 from tsconfig.tsconfig import KEYRING_PATH
 from tsconfig.tsconfig import PLATFORM_CONF_FILE
@ -671,6 +672,29 @@ def migrate_hiera_data(from_release, to_release):
        'platform::client::credentials::params::keyring_file':
            os.path.join(KEYRING_PATH, '.CREDENTIAL'),
    })
+    # Add dcmanager and sysinv user id as well as service project id to
+    # the static.yaml on subclouds
+    # comment out the following untested code for now
+    # if to_release == SW_VERSION_20_06 and cutils.is_subcloud():
+    #    dm_user_id = cutils.get_keystone_user_id('dcmanager')
+    #    sysinv_user_id = cutils.get_keystone_user_id('sysinv')
+    #    service_project_id = cutils.get_keystone_project_id('services')
+    #    if dm_user_id:
+    #        static_config.update({
+    #            'platform::dcmanager::bootstrap::dc_dcmanager_user_id':
+    #                dm_user_id
+    #        })
+    #    if sysinv_user_id:
+    #        static_config.update({
+    #            'platform::sysinv::bootstrap::dc_sysinv_user_id':
+    #                sysinv_user_id
+    #        })
+    #    if service_project_id:
+    #        static_config.update({
+    #            'openstack::keystone::bootstrap::dc_services_project_id':
+    #                service_project_id
+    #        })
+
    with open(static_file, 'w') as yaml_file:
        yaml.dump(static_config, yaml_file, default_flow_style=False)

--- a/controllerconfig/controllerconfig/controllerconfig/utils.py
+++ b/controllerconfig/controllerconfig/controllerconfig/utils.py
@ -10,6 +10,8 @@ Utilities

 import glob
 import os
+import psycopg2
+from psycopg2.extras import RealDictCursor
 import shutil
 import subprocess
 import time
@ -25,6 +27,7 @@ from controllerconfig.common import constants
 from controllerconfig.common.exceptions import ValidateFail
 from oslo_log import log

+
 LOG = log.getLogger(__name__)

 DEVNULL = open(os.devnull, 'w')
@ -404,3 +407,36 @@ def ip_version_to_string(ip_version):
        return "IPv6"
    else:
        return "IP"
+
+
+def is_subcloud():
+    conn = psycopg2.connect("dbname='sysinv' user='postgres'")
+    with conn:
+        with conn.cursor(cursor_factory=RealDictCursor) as cur:
+            cur.execute("SELECT * from i_system")
+            system = cur.fetchone()
+            return system['distributed_cloud_role'] == 'subcloud'
+
+
+def get_keystone_user_id(user_name):
+    """ Get the a keystone user id by name"""
+
+    conn = psycopg2.connect("dbname='keystone' user='postgres'")
+    with conn:
+        with conn.cursor(cursor_factory=RealDictCursor) as cur:
+            cur.execute("SELECT user_id FROM local_user WHERE name=%s" %
+                        user_name)
+            user_id = cur.fetchone()
+            return user_id['user_id']
+
+
+def get_keystone_project_id(project_name):
+    """ Get the a keystone project id by name"""
+
+    conn = psycopg2.connect("dbname='keystone' user='postgres'")
+    with conn:
+        with conn.cursor(cursor_factory=RealDictCursor) as cur:
+            cur.execute("SELECT id FROM project WHERE name=%s" %
+                        project_name)
+            project_id = cur.fetchone()
+            return project_id['id']
--- a/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py
@ -102,6 +102,12 @@ class DCManagerPuppet(openstack.OpenstackBasePuppet):
            'dcmanager::api::keystone_admin_password': admin_password,
        }

+    def get_ks_user_name(self):
+        return self._get_service_user_name(self.SERVICE_NAME)
+
+    def get_ks_user_password(self):
+        return self._get_service_password(self.SERVICE_NAME)
+
    def get_public_url(self):
        return self._format_public_endpoint(self.SERVICE_PORT,
                                            path=self.SERVICE_PATH)
--- a/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py
@ -48,6 +48,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
        kspass = self._get_service_password(self.SERVICE_NAME)
        admin_password = self._get_keyring_password(self.ADMIN_SERVICE,
                                                    self.ADMIN_USER)
+        dm_kspass = self._operator.dcmanager.get_ks_user_password()
+
        # initial bootstrap is bound to localhost
        dburl = self._format_database_connection(self.SERVICE_NAME,
                                                 constants.LOCALHOST_HOSTNAME)
@ -62,10 +64,13 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
            'dcorch::api_proxy::keystone_password': kspass,

            'dcorch::api_proxy::keystone_admin_password': admin_password,
+
+            'dcorch::api_proxy::dcmanager_keystone_password': dm_kspass,
        }

    def get_system_config(self):
        ksuser = self._get_service_user_name(self.SERVICE_NAME)
+        dm_ksuser = self._operator.dcmanager.get_ks_user_name()

        config = {
            # The region in which the identity server can be found
@ -138,6 +143,7 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
            'dcorch::api_proxy::keystone_project_domain':
                self._get_service_project_domain_name(),
            'dcorch::api_proxy::keystone_user': ksuser,
+            'dcorch::api_proxy::dcmanager_keystone_user': dm_ksuser,
            'dcorch::api_proxy::keystone_admin_user': self.ADMIN_USER,
            'dcorch::api_proxy::keystone_admin_tenant': self.ADMIN_TENANT,
            'openstack::dcorch::params::region_name': self.get_region_name(),
@ -170,6 +176,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
        kspass = self._get_service_password(self.SERVICE_NAME)
        admin_password = self._get_keyring_password(self.ADMIN_SERVICE,
                                                    self.ADMIN_USER)
+        dm_kspass = self._operator.dcmanager.get_ks_user_password()
+
        config = {
            'dcorch::database_connection':
                self._format_database_connection(self.SERVICE_NAME),
@ -180,6 +188,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet):
            'dcorch::api_proxy::keystone_password': kspass,

            'dcorch::api_proxy::keystone_admin_password': admin_password,
+
+            'dcorch::api_proxy::dcmanager_keystone_password': dm_kspass,
        }

        if utils.is_openstack_applied(self.dbapi):
--- a/tsconfig/tsconfig/tsconfig/tsconfig.py
+++ b/tsconfig/tsconfig/tsconfig/tsconfig.py
@ -11,6 +11,7 @@ import io
 import logging

 SW_VERSION = ""
+SW_VERSION_20_06 = "20.06"

 nodetype = None
 subfunctions = []