Merge "Configures Heat to use Trusts by default" into icehouse

2014-07-16 03:32:02 +00:00
parent 98d47fd945 e6191e4bc9
commit 2409a45a86
7 changed files with 67 additions and 0 deletions
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -363,6 +363,9 @@ Heat Config Parameters
 **CONFIG_HEAT_KS_PW**
    The password to use for the Heat to authenticate with Keystone.

+**CONFIG_HEAT_USING_TRUSTS**
+    Set to 'y' if you would like Packstack to install heat with trusts as deferred auth method.  If not, the stored password method will be used.
+
 **CONFIG_HEAT_CLOUDWATCH_INSTALL**
    Set to 'y' if you would like Packstack to install Heat CloudWatch API.

--- a/packstack/plugins/heat_750.py
+++ b/packstack/plugins/heat_750.py
@@ -82,6 +82,21 @@ def initConfig(controller):
         "NEED_CONFIRM": False,
         "CONDITION": False},

+        {"CMD_OPTION": "os-heat-using-trusts",
+         "USAGE": ("Set to 'y' if you would like Packstack to install Heat "
+                   "with trusts as deferred auth method. "
+                   "If not, the stored password method will be used."),
+         "PROMPT": "Should Packstack configure Heat to use trusts",
+         "OPTION_LIST": ["y", "n"],
+         "VALIDATORS": [validators.validate_options],
+         "DEFAULT_VALUE": "y",
+         "MASK_INPUT": False,
+         "LOOSE_VALIDATION": False,
+         "CONF_NAME": "CONFIG_HEAT_USING_TRUSTS",
+         "USE_DEFAULT": False,
+         "NEED_CONFIRM": False,
+         "CONDITION": False},
+
        {"CMD_OPTION": "os-heat-cfn-install",
         "USAGE": ("Set to 'y' if you would like Packstack to install Heat "
                   "CloudFormation API"),
@@ -172,12 +187,20 @@ def create_manifest(config, messages):
    manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "heat"))
    manifestdata += getManifestTemplate("heat.pp")
+
+    if config.get('CONFIG_HEAT_USING_TRUSTS', 'n') == 'y':
+        manifestdata += getManifestTemplate("heat_trusts.pp")
+
    appendManifestFile(manifestfile, manifestdata)


 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_heat.pp")
+
+    if config.get('CONFIG_HEAT_USING_TRUSTS', 'n') == 'y':
+        manifestdata += getManifestTemplate("keystone_heat_trusts.pp")
+
    appendManifestFile(manifestfile, manifestdata)


--- a/packstack/plugins/provision_700.py
+++ b/packstack/plugins/provision_700.py
@@ -245,6 +245,11 @@ def marshall_conf_bool(conf, key):
        conf[key] = 'false'


+def using_heat(config):
+    if config['CONFIG_HEAT_INSTALL'] != "y":
+        config['CONFIG_HEAT_USING_TRUSTS'] = "n"
+
+
 def using_neutron(config):
    # Using the neutron or nova api servers as the provisioning target
    # will suffice for the all-in-one case.
@@ -265,6 +270,7 @@ def using_neutron(config):

 def create_demo_manifest(config, messages):
    using_neutron(config)
+    using_heat(config)
    manifest_file = '%s_provision_demo.pp' % config['CONFIG_CONTROLLER_HOST']
    manifest_data = getManifestTemplate("provision_demo.pp")
    appendManifestFile(manifest_file, manifest_data)
@@ -272,6 +278,7 @@ def create_demo_manifest(config, messages):

 def create_tempest_manifest(config, messages):
    using_neutron(config)
+    using_heat(config)
    manifest_file = '%s_provision_tempest.pp' % \
                    config['CONFIG_CONTROLLER_HOST']
    manifest_data = getManifestTemplate("provision_tempest.pp")
--- a/packstack/puppet/templates/heat_trusts.pp
+++ b/packstack/puppet/templates/heat_trusts.pp
@@ -0,0 +1,10 @@
+
+heat_config {
+  'DEFAULT/deferred_auth_method'   : value => 'trusts';
+  'DEFAULT/trusts_delegated_roles' : value => 'heat_stack_owner';
+}
+
+keystone_user_role { 'admin@admin':
+  ensure => present,
+  roles  => ['admin', '_member_', 'heat_stack_owner'],
+}
--- a/packstack/puppet/templates/keystone_heat_trusts.pp
+++ b/packstack/puppet/templates/keystone_heat_trusts.pp
@@ -0,0 +1,4 @@
+
+keystone_role { 'heat_stack_owner':
+  ensure => present,
+}
--- a/packstack/puppet/templates/provision_demo.pp
+++ b/packstack/puppet/templates/provision_demo.pp
@@ -8,6 +8,9 @@
  $admin_password            = '%(CONFIG_KEYSTONE_ADMIN_PW)s'
  $admin_tenant_name         = 'admin'

+  # Heat Using Trusts
+  $heat_using_trusts         = '%(CONFIG_HEAT_USING_TRUSTS)s'
+
  ## Glance
  $image_name                = 'cirros'
  $image_source              = 'http://download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img'
@@ -38,6 +41,13 @@
    password    => $password,
  }

+  if $heat_using_trusts == 'y' {
+    keystone_user_role { "${username}@${tenant_name}":
+      ensure  => present,
+      roles   => ['_member_', 'heat_stack_owner'],
+    }
+  }
+
  ## Images

  glance_image { $image_name:
--- a/packstack/puppet/templates/provision_tempest.pp
+++ b/packstack/puppet/templates/provision_tempest.pp
@@ -17,6 +17,9 @@ if '%(CONFIG_PROVISION_TEMPEST_USER)s' != '' {
  $admin_password            = '%(CONFIG_KEYSTONE_ADMIN_PW)s'
  $admin_tenant_name         = 'admin'

+  # Heat Using Trusts
+  $heat_using_trusts         = '%(CONFIG_HEAT_USING_TRUSTS)s'
+
  ## Glance
  $image_name                = 'cirros'
  $image_source              = 'http://download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img'
@@ -71,6 +74,13 @@ if '%(CONFIG_PROVISION_TEMPEST_USER)s' != '' {
    password    => $password,
  }

+  if $heat_using_trusts == 'y' {
+    keystone_user_role { "${username}@${tenant_name}":
+      ensure  => present,
+      roles   => ['_member_', 'heat_stack_owner'],
+    }
+  }
+
  ## Images

  glance_image { $image_name: