From 78b7726dddb2e317370cfc4699a93c759cabed9a Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Fri, 19 Dec 2014 12:56:01 +1000
Subject: [PATCH] Configure auth_token middleware by auth plugin

As of release 1.3 auth_token middleware can be configured to use any authentication plugin. This allows us to move to the more generic password mechanism which will default to using keystone v3 if available. This will allow in future revisions to move the devstack service users out of the default domain. Work will need to be done in heat to remove it's dependency on the (supposed to be private) keystone_authtoken CONF values.

Change-Id: Ieac26806bd420aa08fc79bbc6a11eb6a1c15c7df
---
 lib/heat | 13 ++++++++++++-
 lib/keystone | 26 +++++++++-----------------
 2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/lib/heat b/lib/heat
index 4e72caeb54..019f668ae4 100644
--- a/lib/heat
+++ b/lib/heat
@@ -114,7 +114,18 @@ function configure_heat {
 setup_colorized_logging $HEAT_CONF DEFAULT tenant user
 fi
- configure_auth_token_middleware $HEAT_CONF heat $HEAT_AUTH_CACHE_DIR
+ # NOTE(jamielennox): heat re-uses specific values from the
+ # keystone_authtoken middleware group and so currently fails when using the
+ # auth plugin setup. This should be fixed in heat. Heat is also the only
+ # service that requires the auth_uri to include a /v2.0. Remove this custom
+ # setup when bug #1300246 is resolved.
+ iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
+ iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
+ iniset $HEAT_CONF keystone_authtoken admin_user heat
+ iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+ iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
+ iniset $HEAT_CONF keystone_authtoken cafile $SSL_BUNDLE_FILE
+ iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
 if is_ssl_enabled_service "key"; then
 iniset $HEAT_CONF clients_keystone ca_file $SSL_BUNDLE_FILE
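Review bot: `$SERVICE_PASSWORD` is expanded unquoted in the added `admin_password` line, so a password containing whitespace or glob characters would be word-split before `iniset` receives it, and the value written to `$HEAT_CONF` would presumably no longer match the service user's real password (`iniset` itself is not shown in this patch). Quoting the expansion, `iniset $HEAT_CONF keystone_authtoken admin_password "$SERVICE_PASSWORD"`, avoids that; the same applies to the added `password $SERVICE_PASSWORD` line in `configure_auth_token_middleware` in lib/keystone. The body of `configure_heat` starts and ends outside this hunk.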
diff --git a/lib/keystone b/lib/keystone
index 1599fa5738..9c15688062 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -407,15 +407,6 @@ function create_keystone_accounts {
 fi
 }
-# Configure the API version for the OpenStack projects.
-# configure_API_version conf_file version [section]
-function configure_API_version {
- local conf_file=$1
- local api_version=$2
- local section=${3:-keystone_authtoken}
- iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version
-}
-
 # Configure the service to use the auth token middleware.
 #
 # configure_auth_token_middleware conf_file admin_user signing_dir [section]
@@ -429,15 +420,16 @@ function configure_auth_token_middleware {
 local signing_dir=$3
 local section=${4:-keystone_authtoken}
- iniset $conf_file $section auth_host $KEYSTONE_AUTH_HOST
- iniset $conf_file $section auth_port $KEYSTONE_AUTH_PORT
- iniset $conf_file $section auth_protocol $KEYSTONE_AUTH_PROTOCOL
- iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
+ iniset $conf_file $section auth_plugin password
+ iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
+ iniset $conf_file $section username $admin_user
+ iniset $conf_file $section password $SERVICE_PASSWORD
+ iniset $conf_file $section user_domain_id default
+ iniset $conf_file $section project_name $SERVICE_TENANT_NAME
+ iniset $conf_file $section project_domain_id default
+
+ iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
 iniset $conf_file $section cafile $SSL_BUNDLE_FILE
- configure_API_version $conf_file $IDENTITY_API_VERSION $section
- iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
- iniset $conf_file $section admin_user $admin_user
- iniset $conf_file $section admin_password $SERVICE_PASSWORD
 iniset $conf_file $section signing_dir $signing_dir
 }
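Review bot: Nothing in `configure_auth_token_middleware` records that the new `auth_plugin`, `auth_url`, `username` and `password` options need auth_token middleware 1.3 or later, or that `admin_user`, `admin_password` and `admin_tenant_name` are no longer written. The commit message says the first and the lib/heat comment implies the second, so a service that still reads the old keys would fail to authenticate with no hint in this file. I would add above the first `iniset`: `# Uses the auth plugin options (auth_token middleware >= 1.3); the admin_* options are no longer set here.` The two `default` domain ids are literals, so the planned move of service users out of the default domain will need an edit here as well. The function's signature and first `local` lines are outside the hunk.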