Use keystone-manage bootstrap command
https://review.openstack.org/#/c/255599/ implemented a keystone-manage bootstrap command as an alternative to using an admin token when bootstrapping the keystone service. Admin tokens have been deprecated as of Mitaka and will be removed in Ocata. The use of this command replaces the tasks that create the admin user, its password, role, and project, and the keystone service endpoints. The keystone_auth_admin_token variable has been removed, and its use in every task that calls the keystone library has been replaced with login credentials for the admin user. The functional test has been updated to use the current head of stable/mitaka for keystone and of master for requirements. The policy and api-paste files have also been updated from the head of keystone stable/mitaka. This change will require updates to make use of the same SHAs in the integrated openstack-ansible repo and in a majority of the OpenStack service roles' tests. Change-Id: I720fab85efe11a7512a124e44a73cf67b5f686b5
parent
dc207459fe
commit
a08d7b1ce8
@ -32,7 +32,6 @@ details.
|
||||
# password used by the keystone service to interact with Galera
|
||||
keystone_container_mysql_password: "YourPassword"
|
||||
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_password: "secrete"
|
||||
keystone_rabbitmq_password: "secrete"
|
||||
@ -56,7 +55,6 @@ Example Playbook
|
||||
keystone_venv_tag: "testing"
|
||||
keystone_developer_mode: true
|
||||
keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_password: "secrete"
|
||||
keystone_rabbitmq_password: "secrete"
|
||||
|
@ -28,7 +28,9 @@
|
||||
keystone:
|
||||
command: ensure_domain
|
||||
domain_name: "{{ item.domain }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.domain is defined
|
||||
@ -41,7 +43,9 @@
|
||||
command: ensure_project
|
||||
project_name: "{{ item.project }}"
|
||||
domain_name: "{{ item.domain | default('Default') }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.project is defined
|
||||
@ -56,7 +60,9 @@
|
||||
password: "{{ item.password }}"
|
||||
project_name: "{{ item.project }}"
|
||||
domain_name: "{{ item.domain | default('Default') }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: >
|
||||
@ -72,7 +78,9 @@
|
||||
command: ensure_group
|
||||
group_name: "{{ item.group }}"
|
||||
domain_name: "{{ item.domain | default('Default') }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.group is defined
|
||||
@ -84,7 +92,9 @@
|
||||
keystone:
|
||||
command: "ensure_role"
|
||||
role_name: "{{ item.role | default('_member_') }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: >
|
||||
@ -100,7 +110,9 @@
|
||||
group_name: "{{ item.group }}"
|
||||
project_name: "{{ item.project }}"
|
||||
role_name: "{{ item.role | default('_member_') }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: >
|
||||
@ -115,7 +127,9 @@
|
||||
command: ensure_mapping
|
||||
mapping_name: "{{ item.protocol.mapping.name }}"
|
||||
mapping_rules: "{{ item.protocol.mapping.rules }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.protocol.mapping.name is defined
|
||||
@ -129,7 +143,9 @@
|
||||
idp_name: "{{ item.name }}"
|
||||
idp_remote_ids: "{{ item.entity_ids }}"
|
||||
idp_enabled: true
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.name is defined
|
||||
@ -143,7 +159,9 @@
|
||||
protocol_name: "{{ item.protocol.name }}"
|
||||
idp_name: "{{ item.idp.name }}"
|
||||
mapping_name: "{{ item.protocol.mapping.name }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
when: item.protocol.name is defined
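Review bot: Every task in this file now passes `login_password: "{{ keystone_auth_admin_password }}"` (and the user task additionally `password: "{{ item.password }}"`), yet none of them sets `no_log: true`, so the interactive admin password will appear in verbose task output and in any registered result unless the custom `keystone` library marks those arguments no_log internally, which is not visible here. The old token had the same exposure, but the admin password is a longer-lived, interactively usable secret. Add `no_log: true` to each task that carries credentials, or confirm the module declares `login_password`/`password` as no_log and say so in a comment. Several of the tasks here start or end outside the hunks shown.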
|
||||
|
@ -16,7 +16,9 @@
|
||||
- name: Register service providers
|
||||
keystone:
|
||||
command: "ensure_service_provider"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
sp_name: "{{ item.id }}"
|
||||
sp_url: "{{ item.sp_url }}"
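Review bot: The rewritten `Register service providers` task sends the admin password to `{{ keystone_service_adminurl }}` but, unlike every other keystone task touched by this change, has no `insecure: "{{ keystone_service_adminuri_insecure }}"` line, so whether TLS verification is enforced here depends on the library's default, which is not visible. Either add the line for consistency with the other tasks or document why this call is treated differently. The task's remaining lines are outside the hunk.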
|
||||
|
@ -18,7 +18,9 @@
|
||||
keystone:
|
||||
command: ensure_domain
|
||||
domain_name: "{{ item.key }}"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
with_dict: keystone_ldap
|
||||
|
@ -42,11 +42,36 @@
|
||||
- keystone-db-sync
|
||||
- keystone-setup
|
||||
|
||||
- name: Bootstrap keystone admin and endpoint
|
||||
command: |
|
||||
{{ keystone_bin }}/keystone-manage bootstrap \
|
||||
--bootstrap-username {{ keystone_admin_user_name }} \
|
||||
--bootstrap-password {{ keystone_auth_admin_password }} \
|
||||
--bootstrap-project-name {{ keystone_admin_tenant_name }} \
|
||||
--bootstrap-role-name {{ keystone_role_name }} \
|
||||
--bootstrap-service-name {{ keystone_service_name }} \
|
||||
--bootstrap-region-id {{ keystone_service_region }} \
|
||||
--bootstrap-admin-url {{ keystone_service_adminurl }} \
|
||||
--bootstrap-public-url {{ keystone_service_publicurl }} \
|
||||
--bootstrap-internal-url {{ keystone_service_internalurl }}
|
||||
become: yes
|
||||
become_user: "{{ keystone_system_user_name }}"
|
||||
register: add_service
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-service-add
|
||||
- keystone-setup
|
||||
|
||||
# Create a service tenant
|
||||
- name: Ensure service tenant
|
||||
keystone:
|
||||
command: "ensure_tenant"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
||||
description: "{{ keystone_service_description }}"
|
||||
@ -59,82 +84,13 @@
|
||||
- keystone-api-setup
|
||||
- keystone-setup
|
||||
|
||||
# Create an admin tenant
|
||||
- name: Ensure admin tenant
|
||||
keystone:
|
||||
command: "ensure_tenant"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
||||
description: "{{ keystone_admin_description }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-setup
|
||||
|
||||
# Create an admin user
|
||||
- name: Ensure Admin user
|
||||
keystone:
|
||||
command: "ensure_user"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
user_name: "{{ keystone_admin_user_name }}"
|
||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
||||
password: "{{ keystone_auth_admin_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not keystone_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-setup
|
||||
|
||||
# Create an admin role
|
||||
- name: Ensure Admin role
|
||||
keystone:
|
||||
command: "ensure_role"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
role_name: "{{ keystone_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-setup
|
||||
|
||||
# Add a role to the user
|
||||
- name: Ensure Admin user to Admin role
|
||||
keystone:
|
||||
command: "ensure_user_role"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
user_name: "{{ keystone_admin_user_name }}"
|
||||
tenant_name: "{{ keystone_admin_tenant_name }}"
|
||||
role_name: "{{ keystone_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not keystone_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-setup
|
||||
|
||||
# Add the default user role
|
||||
- name: Ensure default keystone user role
|
||||
keystone:
|
||||
command: "ensure_role"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
role_name: "{{ keystone_default_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
@ -151,7 +107,9 @@
|
||||
- name: Ensure Keystone Service
|
||||
keystone:
|
||||
command: "ensure_service"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
service_name: "{{ keystone_service_name }}"
|
||||
service_type: "{{ keystone_service_type }}"
|
||||
@ -170,7 +128,9 @@
|
||||
- name: Ensure Keystone user
|
||||
keystone:
|
||||
command: "ensure_user"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
user_name: "{{ keystone_service_user_name }}"
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
||||
@ -189,7 +149,9 @@
|
||||
- name: Ensure Keystone user to Admin role
|
||||
keystone:
|
||||
command: "ensure_user_role"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
user_name: "{{ keystone_service_user_name }}"
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
||||
@ -203,29 +165,3 @@
|
||||
- keystone-api-setup
|
||||
- keystone-service-add
|
||||
- keystone-setup
|
||||
|
||||
# Create an endpoint
|
||||
- name: Ensure Keystone Endpoint
|
||||
keystone:
|
||||
command: "ensure_endpoint"
|
||||
token: "{{ keystone_auth_admin_token }}"
|
||||
endpoint: "{{ keystone_service_adminurl }}"
|
||||
region_name: "{{ keystone_service_region }}"
|
||||
service_name: "{{ keystone_service_name }}"
|
||||
service_type: "{{ keystone_service_type }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
endpoint_list:
|
||||
- url: "{{ keystone_service_publicurl }}"
|
||||
interface: "public"
|
||||
- url: "{{ keystone_service_adminurl }}"
|
||||
interface: "admin"
|
||||
- url: "{{ keystone_service_internalurl }}"
|
||||
interface: "internal"
|
||||
register: add_service
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
tags:
|
||||
- keystone-api-setup
|
||||
- keystone-service-add
|
||||
- keystone-setup
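Review bot: The new `Bootstrap keystone admin and endpoint` task runs unconditionally, whereas the removed `Ensure Admin user` and `Ensure Admin user to Admin role` tasks were guarded by `when: not keystone_service_in_ldap | bool`; with an LDAP-backed identity backend `keystone-manage bootstrap` will presumably try to create `{{ keystone_admin_user_name }}` in that backend and all five retries will fail. Restore the guard (or split the user/role creation out) or document that LDAP-backed admin identity is no longer supported. Separately, `--bootstrap-password {{ keystone_auth_admin_password }}` places the admin password on the process command line and in the registered `add_service` result and task output; add `no_log: true` to the task and, if the installed keystone-manage supports it, supply the password through `environment:` (upstream documents `OS_BOOTSTRAP_PASSWORD`) rather than argv, which also avoids argv splitting on a password containing spaces. Consider a `changed_when` as well, since bootstrap is re-runnable but will report changed on every run.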
|
||||
|
@ -13,16 +13,16 @@ use = egg:keystone#build_auth_context
|
||||
use = egg:keystone#token_auth
|
||||
|
||||
[filter:admin_token_auth]
|
||||
# This is deprecated in the M release and will be removed in the O release.
|
||||
# Use `keystone-manage bootstrap` and remove this from the pipelines below.
|
||||
use = egg:keystone#admin_token_auth
|
||||
|
||||
[filter:json_body]
|
||||
use = egg:keystone#json_body
|
||||
|
||||
[filter:user_crud_extension]
|
||||
use = egg:keystone#user_crud_extension
|
||||
|
||||
[filter:crud_extension]
|
||||
use = egg:keystone#crud_extension
|
||||
[filter:cors]
|
||||
use = egg:oslo.middleware#cors
|
||||
oslo_config_project = keystone
|
||||
|
||||
[filter:ec2_extension]
|
||||
use = egg:keystone#ec2_extension
|
||||
@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
|
||||
[filter:s3_extension]
|
||||
use = egg:keystone#s3_extension
|
||||
|
||||
[filter:simple_cert_extension]
|
||||
use = egg:keystone#simple_cert_extension
|
||||
|
||||
[filter:url_normalize]
|
||||
use = egg:keystone#url_normalize
|
||||
|
||||
@ -54,17 +51,17 @@ use = egg:keystone#admin_service
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
|
||||
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
@ -73,10 +70,10 @@ use = egg:keystone#public_version_service
|
||||
use = egg:keystone#admin_version_service
|
||||
|
||||
[pipeline:public_version_api]
|
||||
pipeline = sizelimit url_normalize public_version_service
|
||||
pipeline = cors sizelimit url_normalize public_version_service
|
||||
|
||||
[pipeline:admin_version_api]
|
||||
pipeline = sizelimit url_normalize admin_version_service
|
||||
pipeline = cors sizelimit url_normalize admin_version_service
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
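Review bot: The `public_api`, `admin_api` and `api_v3` pipelines still include `admin_token_auth`, even though this commit removes `admin_token` from the keystone.conf template and the comment added under `[filter:admin_token_auth]` says to remove the filter once `keystone-manage bootstrap` is used. Leaving the filter wired with no token configured is only safe if the installed keystone's default for `admin_token` is unset; if it falls back to a well-known default, the admin API would accept that value. Since bootstrap now replaces the token, drop `admin_token_auth` from all three pipelines, e.g. `pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3` for `api_v3`.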
|
||||
|
@ -3,7 +3,6 @@
|
||||
[DEFAULT]
|
||||
verbose = {{ verbose }}
|
||||
debug = {{ debug }}
|
||||
admin_token = {{ keystone_auth_admin_token }}
|
||||
{% if keystone_public_endpoint is defined %}
|
||||
public_endpoint = {{ keystone_public_endpoint }}
|
||||
{% endif %}
|
||||
|
@ -34,7 +34,7 @@
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required",
|
||||
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
@ -75,6 +75,18 @@
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
"identity:get_domain_role": "rule:admin_required",
|
||||
"identity:list_domain_roles": "rule:admin_required",
|
||||
"identity:create_domain_role": "rule:admin_required",
|
||||
"identity:update_domain_role": "rule:admin_required",
|
||||
"identity:delete_domain_role": "rule:admin_required",
|
||||
|
||||
"identity:get_implied_role": "rule:admin_required ",
|
||||
"identity:list_implied_roles": "rule:admin_required",
|
||||
"identity:create_implied_role": "rule:admin_required",
|
||||
"identity:delete_implied_role": "rule:admin_required",
|
||||
"identity:list_role_inference_rules": "rule:admin_required",
|
||||
"identity:check_implied_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
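Review bot: `"identity:get_implied_role": "rule:admin_required "` carries a trailing space inside the rule string, unlike every neighbouring rule; oslo.policy most likely tokenises on whitespace so it still resolves to `admin_required`, but policy strings should be normalised to `"rule:admin_required"` rather than relying on parser tolerance, because a malformed rule reference is not reported at load time. The relaxed `"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"` lets any token scoped to a project read that project; that widening is the upstream Mitaka default, but it is worth a one-line comment in the role docs since it changes what a non-admin can see.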
|
||||
|
@ -11,7 +11,6 @@
|
||||
keystone_galera_database: keystone
|
||||
keystone_venv_tag: "testing"
|
||||
keystone_developer_mode: true
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_database_enabled: false
|
||||
keystone_service_setup: false
|
||||
|
@ -191,9 +191,8 @@
|
||||
keystone_galera_database: keystone
|
||||
keystone_venv_tag: "testing"
|
||||
keystone_developer_mode: true
|
||||
keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448
|
||||
keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_git_install_branch: 9692d40a78651f59db679def493f9712c96e0596 # HEAD of "stable/mitaka" as of 16.03.2016
|
||||
keystone_requirements_git_install_branch: 983af4a5d05bfa0f2c1d4ec80e3ee44a5abc2752 # HEAD of "master" as of 16.03.2016
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_password: "secrete"
|
||||
keystone_rabbitmq_password: "secrete"
|
||||
|