Remove keystone admin token

Admin token has been deprecated upstream. It will be removed in O. We switch over to the new `keystone-manage bootstrap` method for creating the initial admin user, role, and project. Co-Authored-By: Sam Yaple <sam@yaple.net> Change-Id: I6ca90e8d4c3b71009e24b049b2efbc08c05ebfbf
2016-02-29 18:54:02 +00:00 · 2016-02-29 18:54:02 +00:00 · 4edd0baf8d
commit 4edd0baf8d
parent f1bf9a4a1e
7 changed files with 95 additions and 48 deletions
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@ -1,7 +1,8 @@
 [DEFAULT]
 debug = {{ ironic_logging_debug }}

-admin_token = {{ keystone_admin_token }}
+admin_user = {{ openstack_auth.username }}
+admin_password = {{ keystone_admin_password }}

 {% if service_name == 'ironic-api' %}
 [api]
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -24,7 +24,10 @@ keystone_public_address: "{{ kolla_external_fqdn }}"
 keystone_admin_address: "{{ kolla_internal_fqdn }}"
 keystone_internal_address: "{{ kolla_internal_fqdn }}"

+keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}"
+keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}"
+keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}"
+
 keystone_logging_debug: "{{ openstack_logging_debug }}"

 openstack_keystone_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}"
-openstack_keystone_token_auth: "{'endpoint':'{{ openstack_auth_v2.auth_url }}','token':'{{ keystone_admin_token }}'}"
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@ -1,39 +1,7 @@
 ---
- name: Creating the admin project, user and role
-  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-    -m kolla_keystone_user
-    -a "project=admin
-        user=admin
-        password={{ keystone_admin_password }}
-        role=admin
-        region_name={{ openstack_region_name }}
-        auth_type=admin_token
-        auth={{ '{{ openstack_keystone_token_auth }}' }}"
-    -e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}"
-  register: keystone_admin_user
-  changed_when: "{{ keystone_admin_user.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_admin_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
-  until: keystone_admin_user.stdout.split()[2] == 'SUCCESS'
-  retries: 10
-  delay: 5
-  run_once: True
-
- name: Creating the Keystone service and endpoint
-  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-    -m kolla_keystone_service
-    -a "service_name=keystone
-        service_type=identity
-        description='Openstack Identity'
-        endpoint_region={{ openstack_region_name }}
-        admin_url='{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}'
-        internal_url='{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}'
-        public_url='{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keystone_public_port }}'
-        region_name={{ openstack_region_name }}
-        auth_type=admin_token
-        auth={{ '{{ openstack_keystone_token_auth }}' }}"
-    -e "{'openstack_keystone_token_auth':{{ openstack_keystone_token_auth }}}"
-  register: keystone_endpoint
-  changed_when: "{{ keystone_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (keystone_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
-  until: keystone_endpoint.stdout.split()[2] == 'SUCCESS'
-  retries: 10
-  delay: 5
+- name: Creating admin project, user, role, service, and endpoint
+  command: docker exec -t keystone kolla_keystone_bootstrap {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }} admin {{ keystone_admin_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ openstack_region_name }}
+  register: keystone_bootstrap
+  changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}"
+  failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}"
  run_once: True
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@ -4,7 +4,5 @@ debug = {{ keystone_logging_debug }}
 # NOTE(elemoine) log_dir alone does not work for Keystone
 log_file = /var/log/kolla/keystone/keystone.log

-admin_token = {{ keystone_admin_token }}
-
 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
--- a/docker/keystone/Dockerfile.j2
+++ b/docker/keystone/Dockerfile.j2
@ -60,16 +60,12 @@ RUN ln -s keystone-source/* keystone \

 {% endif %}

-# NOTE(SamYaple): This is to reintroduce a deprecated option as a quick-fix
-# until the correct new procedure is implemented.
-# TODO(SamYaple): Replace this with `keystone-manage bootstrap`
-RUN sed -i 's|token_auth json_body|token_auth admin_token_auth json_body|g' /etc/keystone/keystone-paste.ini
-
 RUN usermod -a -G kolla keystone \
    && chown -R keystone: /var/www/cgi-bin/keystone \
    && chmod 755 /var/www/cgi-bin/keystone/*

+COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap

 {{ include_footer }}
--- a/docker/keystone/keystone_bootstrap.sh
+++ b/docker/keystone/keystone_bootstrap.sh
@ -0,0 +1,82 @@
+#!/bin/bash
+
+# NOTE(SamYaple): Kolla needs to wraps `keystone-manage bootstrap` to ensure
+# any change is reported correctly for idempotency. This script will exit with
+# valid json that can be parsed with information about if the task has failed
+# and if anything changed.
+
+USERNAME=$1
+PASSWORD=$2
+PROJECT=$3
+ROLE=$4
+ADMIN_URL=$5
+INTERNAL_URL=$6
+PUBLIC_URL=$7
+REGION=$8
+
+function get_token {
+    unset OS_TOKEN OS_URL
+    OS_TOKEN=$(openstack --os-identity-api-version 3 --os-username "${USERNAME}" --os-password "${PASSWORD}" --os-project-name "${PROJECT}" --os-auth-url "${ADMIN_URL}" token issue 2>&1 | awk '/ id / {print $4}')
+    OS_URL="${ADMIN_URL}/v3"
+}
+
+function fail_json {
+    echo '{"failed": true, "msg": "'$1'"}'
+    exit 1
+}
+
+function exit_json {
+    echo '{"failed": false, "changed": '"${changed}"'}'
+}
+
+function create_service {
+    if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service list 2>&1 | awk '/identity/') ]]; then
+        openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" service create identity --name keystone 2>&1 > /dev/null
+        changed="true"
+    fi
+}
+
+function create_endpoints {
+    endpoints=$(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint list)
+    if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "admin" {print $14;exit}') != "${ADMIN_URL}" ]]; then
+        openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone admin "${ADMIN_URL}" 2>&1 > /dev/null
+        changed="true"
+    fi
+    if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "internal" {print $14;exit}') != "${INTERNAL_URL}" ]]; then
+        openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone internal "${INTERNAL_URL}" 2>&1 > /dev/null
+        changed="true"
+    fi
+    if [[ $(echo "${endpoints}" | awk '$6 == "keystone" && $4 == "'"${REGION}"'" && $12 == "public" {print $14;exit}') != "${PUBLIC_URL}" ]]; then
+        openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" endpoint create --region "${REGION}" keystone public "${PUBLIC_URL}" 2>&1 > /dev/null
+        changed="true"
+    fi
+}
+
+changed="false"
+get_token
+if [[ ! $(openstack --os-identity-api-version 3 --os-token "${OS_TOKEN}" --os-url "${OS_URL}" user list 2>&1 | awk '/'"${USERNAME}"'/') ]]; then
+    keystone_bootstrap=$(keystone-manage bootstrap --bootstrap-username "${USERNAME}" --bootstrap-password "${PASSWORD}" --bootstrap-project-name "${PROJECT}" --bootstrap-role-name "${ROLE}" 2>&1)
+    if [[ $? != 0 ]]; then
+        fail_json "${keystone_bootstrap}"
+    fi
+
+    changed=$(echo "${keystone_bootstrap}" | awk '
+        /Domain default already exists, skipping creation./ ||
+        /Project '"${PROJECT}"' already exists, skipping creation./ ||
+        /User '"${USERNAME}"' already exists, skipping creation./ ||
+        /Role '"${ROLE}"' exists, skipping creation./ ||
+        /User '"${USERNAME}"' already has '"${ROLE}"' on '"${PROJECT}"'./ {count++}
+        END {
+            if (count == 5) changed="false"; else changed="true"
+            print changed
+        }'
+    )
+fi
+
+get_token
+if [[ ! "${OS_TOKEN}" ]]; then
+    fail_json "Unable to issue token"
+fi
+create_service
+create_endpoints
+exit_json
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -25,7 +25,6 @@ docker_registry_password:
 ####################
 # OpenStack options
 ####################
-keystone_admin_token: "password"
 keystone_admin_password: "password"
 keystone_database_password: "password"