From 5fd25a20852c7fde76d46ca34b85c252cbb19d72 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Tue, 16 Jun 2020 16:29:29 -0400 Subject: [PATCH] Configure dcmanager user for endpoint_cache The following changes are made, in order to remove the dependencies to 'admin' user and use 'dcmanager' user to authenticate with services in the subclouds: . Configure dcmanager user for dcorch . Add the dcmanager user id to the static.yaml on subclouds during upgrade Depends-On: https://review.opendev.org/#/c/735994/ Partial-Bug: 1883758 Change-Id: I72ed05d38ac6c25d240f99c4aeaf13b51273471f Signed-off-by: Tao Liu --- .../controllerconfig/upgrades/controller.py | 24 +++++++++++++ .../controllerconfig/utils.py | 36 +++++++++++++++++++ .../sysinv/sysinv/sysinv/puppet/dcmanager.py | 6 ++++ sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py | 10 ++++++ tsconfig/tsconfig/tsconfig/tsconfig.py | 1 + 5 files changed, 77 insertions(+) diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py index c94af4aed3..4c3cafc358 100644 --- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py +++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py @@ -30,6 +30,7 @@ from sysinv.common import constants as sysinv_constants # have been applied, so only the static entries from tsconfig can be used # (the platform.conf file will not have been updated with dynamic values). from tsconfig.tsconfig import SW_VERSION +# from tsconfig.tsconfig import SW_VERSION_20_06 from tsconfig.tsconfig import PLATFORM_PATH from tsconfig.tsconfig import KEYRING_PATH from tsconfig.tsconfig import PLATFORM_CONF_FILE 
@@ -671,6 +672,29 @@ def migrate_hiera_data(from_release, to_release): 'platform::client::credentials::params::keyring_file': os.path.join(KEYRING_PATH, '.CREDENTIAL'), }) + # Add dcmanager and sysinv user id as well as service project id to + # the static.yaml on subclouds + # comment out the following untested code for now + # if to_release == SW_VERSION_20_06 and cutils.is_subcloud(): + # dm_user_id = cutils.get_keystone_user_id('dcmanager') + # sysinv_user_id = cutils.get_keystone_user_id('sysinv') + # service_project_id = cutils.get_keystone_project_id('services') + # if dm_user_id: + # static_config.update({ + # 'platform::dcmanager::bootstrap::dc_dcmanager_user_id': + # dm_user_id + # }) + # if sysinv_user_id: + # static_config.update({ + # 'platform::sysinv::bootstrap::dc_sysinv_user_id': + # sysinv_user_id + # }) + # if service_project_id: + # static_config.update({ + # 'openstack::keystone::bootstrap::dc_services_project_id': + # service_project_id + # }) + with open(static_file, 'w') as yaml_file: yaml.dump(static_config, yaml_file, default_flow_style=False) diff --git a/controllerconfig/controllerconfig/controllerconfig/utils.py b/controllerconfig/controllerconfig/controllerconfig/utils.py index 59fec88575..702998105f 100644 --- a/controllerconfig/controllerconfig/controllerconfig/utils.py +++ b/controllerconfig/controllerconfig/controllerconfig/utils.py @@ -10,6 +10,8 @@ Utilities import glob import os +import psycopg2 +from psycopg2.extras import RealDictCursor import shutil import subprocess import time @@ -25,6 +27,7 @@ from controllerconfig.common import constants from controllerconfig.common.exceptions import ValidateFail from oslo_log import log + LOG = log.getLogger(__name__) DEVNULL = open(os.devnull, 'w') 
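Review bot: The block added to migrate_hiera_data in the `@@ -671,6 +672,29 @@` hunk ships entirely commented out and is labelled untested, so this commit does not write the dcmanager, sysinv or services ids to static.yaml on subclouds, although the commit message lists that step. The same goes for the commented `# from tsconfig.tsconfig import SW_VERSION_20_06` import in the first hunk of this file, which leaves the new constant in tsconfig.py unused. I would drop the dead code and land it in the follow-up once tested, or keep a single `# TODO(Partial-Bug 1883758): add dc_*_user_id entries to static.yaml on subclouds once tested` line in its place. If the block is re-enabled as written, the utils.py helpers it calls build their SQL with `%` formatting and need fixing first. migrate_hiera_data starts and ends outside the hunk.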
@@ -404,3 +407,36 @@ def ip_version_to_string(ip_version): return "IPv6" else: return "IP" + + +def is_subcloud(): + conn = psycopg2.connect("dbname='sysinv' user='postgres'") + with conn: + with conn.cursor(cursor_factory=RealDictCursor) as cur: + cur.execute("SELECT * from i_system") + system = cur.fetchone() + return system['distributed_cloud_role'] == 'subcloud' + + +def get_keystone_user_id(user_name): + """ Get the a keystone user id by name""" + + conn = psycopg2.connect("dbname='keystone' user='postgres'") + with conn: + with conn.cursor(cursor_factory=RealDictCursor) as cur: + cur.execute("SELECT user_id FROM local_user WHERE name=%s" % + user_name) + user_id = cur.fetchone() + return user_id['user_id'] + + +def get_keystone_project_id(project_name): + """ Get the a keystone project id by name""" + + conn = psycopg2.connect("dbname='keystone' user='postgres'") + with conn: + with conn.cursor(cursor_factory=RealDictCursor) as cur: + cur.execute("SELECT id FROM project WHERE name=%s" % + project_name) + project_id = cur.fetchone() + return project_id['id'] diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py b/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py index ff7633edb2..0c374f6ee9 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcmanager.py @@ -102,6 +102,12 @@ class DCManagerPuppet(openstack.OpenstackBasePuppet): 'dcmanager::api::keystone_admin_password': admin_password, } + def get_ks_user_name(self): + return self._get_service_user_name(self.SERVICE_NAME) + + def get_ks_user_password(self): + return self._get_service_password(self.SERVICE_NAME) + def get_public_url(self): return self._format_public_endpoint(self.SERVICE_PORT, path=self.SERVICE_PATH) diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py b/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py index 4eb8ba2459..5ca43792c0 100644 --- a/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py +++ b/sysinv/sysinv/sysinv/sysinv/puppet/dcorch.py 
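Review bot: Both keystone lookups build the statement with Python `%` formatting (`"... WHERE name=%s" % user_name`), so the name is spliced into the SQL text unquoted: a plain name such as dcmanager is parsed as an identifier and the query fails, and any caller-supplied value becomes part of the statement. Pass the value as a bound parameter instead, `cur.execute("SELECT user_id FROM local_user WHERE name=%s", (user_name,))`, and do the same in get_keystone_project_id. Two further gaps affect all three helpers: `fetchone()` returns None when no row matches, so the subscript raises TypeError even though the (commented) caller tests `if dm_user_id:`, and psycopg2's `with conn:` only ends the transaction and leaves the connection open. is_subcloud would also be clearer selecting only `distributed_cloud_role` rather than `*`.

```python
def get_keystone_user_id(user_name):
    # ... unchanged: docstring ...
    conn = psycopg2.connect("dbname='keystone' user='postgres'")
    try:
        with conn:
            with conn.cursor(cursor_factory=RealDictCursor) as cur:
                # Bind the name as a query parameter so the driver quotes it.
                cur.execute("SELECT user_id FROM local_user WHERE name=%s",
                            (user_name,))
                row = cur.fetchone()
    finally:
        # "with conn" only commits or rolls back; close explicitly.
        conn.close()
    # No matching row: return None so callers can test the result.
    return row['user_id'] if row else None

# ... get_keystone_project_id: same shape with
#     "SELECT id FROM project WHERE name=%s", (project_name,) ...
# ... is_subcloud: same try/finally close and None check ...
```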
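Review bot: The two accessors added to DCManagerPuppet in the `@@ -102,6 +102,12 @@` hunk expose the dcmanager keystone user name and password to other puppet plugins, and neither has a docstring saying what it returns or how the value may be used. I would document them, e.g. `"""Return the dcmanager keystone service user name."""` and `"""Return the dcmanager keystone service password; place it only in secure hiera data."""`, so that later callers do not copy the password into non-secure configuration. The class body continues outside the hunk.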
@@ -48,6 +48,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): kspass = self._get_service_password(self.SERVICE_NAME) admin_password = self._get_keyring_password(self.ADMIN_SERVICE, self.ADMIN_USER) + dm_kspass = self._operator.dcmanager.get_ks_user_password() + # initial bootstrap is bound to localhost dburl = self._format_database_connection(self.SERVICE_NAME, constants.LOCALHOST_HOSTNAME) @@ -62,10 +64,13 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): 'dcorch::api_proxy::keystone_password': kspass, 'dcorch::api_proxy::keystone_admin_password': admin_password, + + 'dcorch::api_proxy::dcmanager_keystone_password': dm_kspass, } def get_system_config(self): ksuser = self._get_service_user_name(self.SERVICE_NAME) + dm_ksuser = self._operator.dcmanager.get_ks_user_name() config = { # The region in which the identity server can be found @@ -138,6 +143,7 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): 'dcorch::api_proxy::keystone_project_domain': self._get_service_project_domain_name(), 'dcorch::api_proxy::keystone_user': ksuser, + 'dcorch::api_proxy::dcmanager_keystone_user': dm_ksuser, 'dcorch::api_proxy::keystone_admin_user': self.ADMIN_USER, 'dcorch::api_proxy::keystone_admin_tenant': self.ADMIN_TENANT, 'openstack::dcorch::params::region_name': self.get_region_name(), @@ -170,6 +176,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): kspass = self._get_service_password(self.SERVICE_NAME) admin_password = self._get_keyring_password(self.ADMIN_SERVICE, self.ADMIN_USER) + dm_kspass = self._operator.dcmanager.get_ks_user_password() + config = { 'dcorch::database_connection': self._format_database_connection(self.SERVICE_NAME), @@ -180,6 +188,8 @@ class DCOrchPuppet(openstack.OpenstackBasePuppet): 'dcorch::api_proxy::keystone_password': kspass, 'dcorch::api_proxy::keystone_admin_password': admin_password, + + 'dcorch::api_proxy::dcmanager_keystone_password': dm_kspass, } if utils.is_openstack_applied(self.dbapi): 
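Review bot: `self._operator.dcmanager.get_ks_user_password()` is now read in two methods (hunks `@@ -48,6 +48,8 @@` and `@@ -170,6 +176,8 @@`) and written under `dcorch::api_proxy::dcmanager_keystone_password` in both (`@@ -62,10 +64,13 @@` and `@@ -180,6 +188,8 @@`), which puts the dcmanager service credential into dcorch's api_proxy configuration next to the admin password that is still emitted. The enclosing method names are outside these hunks, so it is worth confirming that both are the secure-config methods and that the value never reaches the non-secure data returned by get_system_config. A short comment above each assignment would record the reason, e.g. `# dcmanager credentials let dcorch reach subcloud services without the admin user`. The blank line added before the new key inside both dict literals can be dropped.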
diff --git a/tsconfig/tsconfig/tsconfig/tsconfig.py b/tsconfig/tsconfig/tsconfig/tsconfig.py index 0486842459..d0ca9c83d9 100644 --- a/tsconfig/tsconfig/tsconfig/tsconfig.py +++ b/tsconfig/tsconfig/tsconfig/tsconfig.py @@ -11,6 +11,7 @@ import io import logging SW_VERSION = "" +SW_VERSION_20_06 = "20.06" nodetype = None subfunctions = []