From ed99d3960c67c6671a2f55b4bf2e6756128f9f4e Mon Sep 17 00:00:00 2001 From: Yuxing Jiang Date: Fri, 28 Aug 2020 21:36:27 -0400 Subject: [PATCH] Align OS_AUTH_URL in admin-openrc.sh The admin-openrc.sh can be downloaded from Horizon. This file can be used for authentication as sysadmin in system controllers. However, the keystone public endpoint of region SystemController differs from that of RegionOne. If a user downloads an RC file of SystemController and uses the OS_AUTH_URL to authenticate, an HTTP 401 Error (The request you have made requires authentication) will be produced. In the upstream project, the OS_AUTH_URL is obtained according to the "Central Cloud Region" and shown in the view. This commit overwrites the openrc template and aligns the OS_AUTH_URL in the admin-openrc.sh of region SystemController with that of RegionOne by port replacement. As it is a specific usage for starlingx rather than a generic usage, it will not go to the Horizon project. Test: 1. Choose the "Central Cloud Region" in Horizon as "SystemController" 2. Download the admin-openrc.sh via API Access -> Download OpenStack RC File 3. Check the OS_AUTH_URL is pointing to the keystone public endpoint of RegionOne 4. Check the keystone public endpoint is still correct in the web page Change-Id: I1f43f79364f5cc7bff382c1ae90a7f8f801abedb Closes-Bug: 1892090 Signed-off-by: Yuxing Jiang --- .../_30_stx_local_settings.py | 1 + .../starlingx-openrc.sh.template | 55 +++++++++++++++++++ .../templatetags/align_auth_url.py | 16 ++++++ 3 files changed, 72 insertions(+) create mode 100644 starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/starlingx_templates/starlingx-openrc.sh.template create mode 100644 starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/templatetags/align_auth_url.py 
diff --git a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/local/local_settings.d/_30_stx_local_settings.py b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/local/local_settings.d/_30_stx_local_settings.py index 3c25f042..10204b6e 100644 --- a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/local/local_settings.d/_30_stx_local_settings.py +++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/local/local_settings.d/_30_stx_local_settings.py @@ -141,6 +141,7 @@ for root, _dirs, files in os.walk('/opt/branding/applied'): ADD_TEMPLATE_DIRS = [os.path.join(ROOT_PATH, 'starlingx_templates')] TEMPLATES[0]['DIRS'] = ADD_TEMPLATE_DIRS + TEMPLATES[0]['DIRS'] +OPENRC_CUSTOM_TEMPLATE = 'starlingx-openrc.sh.template' STATIC_ROOT = "/www/pages/static" COMPRESS_OFFLINE = True diff --git a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/starlingx_templates/starlingx-openrc.sh.template b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/starlingx_templates/starlingx-openrc.sh.template new file mode 100644 index 00000000..847c2a08 --- /dev/null +++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/starlingx_templates/starlingx-openrc.sh.template 
@@ -0,0 +1,55 @@
+{% load shellfilter %}#!/usr/bin/env bash
+{% load align_auth_url %}
+
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# To use an OpenStack cloud you need to authenticate against the Identity
+# service named keystone, which returns a **Token** and **Service Catalog**.
+# The catalog contains the endpoints for all services the user/tenant has
+# access to - such as Compute, Image Service, Identity, Object Storage, Block
+# Storage, and Networking (code-named nova, glance, keystone, swift,
+# cinder, and neutron).
+#
+# *NOTE*: Using the 3 *Identity API* does not necessarily mean any other
+# OpenStack API is version 3. For example, your cloud provider may implement
+# Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is
+# only for the Identity API served through keystone.
+{% if region == 'SystemController' %}
+export OS_AUTH_URL={{ auth_url|align_auth_url }}
+{% else %}
+export OS_AUTH_URL={{ auth_url }}
+{% endif %}
+
+# With the addition of Keystone we have standardized on the term **project**
+# as the entity that owns the resources.
+export OS_PROJECT_ID={{ tenant_id }}
+export OS_PROJECT_NAME="{{ tenant_name|shellfilter }}"
+export OS_USER_DOMAIN_NAME="{{ user_domain_name|shellfilter }}"
+if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
+export OS_PROJECT_DOMAIN_ID="{{ project_domain_id|shellfilter }}"
+if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
+
+# unset v2.0 items in case set
+unset OS_TENANT_ID
+unset OS_TENANT_NAME
+
+# In addition to the owning entity (tenant), OpenStack stores the entity
+# performing the action as the **user**.
+export OS_USERNAME="{{ user.username|shellfilter }}"
+
+# With Keystone you pass the keystone password.
+echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
+read -sr OS_PASSWORD_INPUT
+export OS_PASSWORD=$OS_PASSWORD_INPUT
+
+# If your configuration has multiple regions, we set that information here.
+# OS_REGION_NAME is optional and only valid in certain environments.
+export OS_REGION_NAME="{{ region|shellfilter }}"
+# Don't leave a blank variable, unset it if it was empty
+if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
+
+export OS_INTERFACE={{ interface }}
+export OS_IDENTITY_API_VERSION={{ os_identity_api_version }}
\ No newline at end of file
diff --git a/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/templatetags/align_auth_url.py b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/templatetags/align_auth_url.py
new file mode 100644
index 00000000..079f3f42
--- /dev/null
+++ b/starlingx-dashboard/starlingx-dashboard/starlingx_dashboard/templatetags/align_auth_url.py
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from django import template
+
+register = template.Library()
+
+
+@register.filter(name="align_auth_url")
+def align_auth_url(url):
+ url_list = url.split(':')
+ url_list[-1] = '5000/v3'
+ return ':'.join(url_list)
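Review bot: In starlingx-openrc.sh.template both `export OS_AUTH_URL=` lines emit the rendered value unquoted and without `shellfilter`, unlike `OS_PROJECT_NAME`, `OS_USERNAME` and `OS_REGION_NAME` in the same file. The file is meant to be sourced into a user's shell, so whitespace or a shell metacharacter in the rendered URL would be interpreted by the shell instead of being assigned. The value presumably comes from the keystone catalog, which makes this defence in depth rather than a demonstrated hole. I would write `export OS_AUTH_URL="{{ auth_url|align_auth_url|shellfilter }}"` and `export OS_AUTH_URL="{{ auth_url|shellfilter }}"`. The same quoting would suit `OS_PROJECT_ID`, `OS_INTERFACE` and `OS_IDENTITY_API_VERSION`.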
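Review bot: `align_auth_url` in templatetags/align_auth_url.py replaces whatever follows the last `:` with `5000/v3`, which is only correct when the incoming URL carries an explicit port. For a URL without one, such as the constructed example `https://host/identity/v3`, the last segment is `//host/identity/v3` and the filter returns `https:5000/v3`, so the downloaded RC file would send the user's keystone credentials to a malformed endpoint. An IPv6 literal without a port breaks the same way. Parsing the URL and rebuilding only the netloc and path avoids this; it needs `urlsplit` and `urlunsplit` from `urllib.parse` (or `six.moves.urllib.parse` if Python 2 is still supported). A docstring stating the expected input and the fixed port 5000 and `/v3` path would also help the next maintainer.

```python
@register.filter(name="align_auth_url")
def align_auth_url(url):
    parts = urlsplit(url)
    if not parts.hostname:
        # Not an absolute URL; leave it untouched rather than guess.
        return url
    host = parts.hostname
    if ':' in host:
        # urlsplit strips the brackets from IPv6 literals; restore them.
        host = '[%s]' % host
    return urlunsplit((parts.scheme, '%s:5000' % host, '/v3', '', ''))
```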