From a08d7b1ce88ffaae6552ca0e73079e77581e4c54 Mon Sep 17 00:00:00 2001 From: Jimmy McCrory Date: Wed, 16 Mar 2016 20:39:31 -0700 Subject: [PATCH] Use keystone-manage bootstrap command https://review.openstack.org/#/c/255599/ implemented a keystone-manage bootstrap command as an alternative to using an admin token when bootstrapping the keystone service. Admin tokens have been deprecated as of Mitaka and will be removed in Ocata. The use of this command replaces tasks to create the admin user, its password, role, and project and the keystone service endpoints. The keystone_auth_admin_token variable has been removed and its use in any tasks against the keystone library have been replaced with login credentials for the admin user. The functional test has been updated to use the current head of stable/mitaka and master for keystone and requirements respectively. The policy and api-paste files have also been updated from the head of keystone stable/mitaka. This change will require updates to make use of the same SHAs in the integrated openstack-ansible repo and in a majority of the OpenStack service roles' tests. Change-Id: I720fab85efe11a7512a124e44a73cf67b5f686b5 --- README.rst | 2 - tasks/keystone_federation_sp_idp_setup.yml | 36 ++++-- tasks/keystone_idp_sp_setup.yml | 4 +- tasks/keystone_ldap_setup.yml | 4 +- tasks/keystone_service_setup.yml | 140 ++++++--------------- templates/keystone-paste.ini.j2 | 23 ++-- templates/keystone.conf.j2 | 1 - templates/policy.json.j2 | 14 ++- tests/stand-alone.yml | 1 - tests/test.yml | 5 +- 10 files changed, 96 insertions(+), 134 deletions(-) diff --git a/README.rst b/README.rst index 11cbcfe7..c1a226e5 100644 --- a/README.rst +++ b/README.rst 
@@ -32,7 +32,6 @@ details. # password used by the keystone service to interact with Galera keystone_container_mysql_password: "YourPassword" - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete" @@ -56,7 +55,6 @@ Example Playbook keystone_venv_tag: "testing" keystone_developer_mode: true keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete" diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml index 9d0bb7ee..f0e0f888 100644 --- a/tasks/keystone_federation_sp_idp_setup.yml +++ b/tasks/keystone_federation_sp_idp_setup.yml @@ -28,7 +28,9 @@ keystone: command: ensure_domain domain_name: "{{ item.domain }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.domain is defined @@ -41,7 +43,9 @@ command: ensure_project project_name: "{{ item.project }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.project is defined 
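Review bot: Every task in this file now passes the admin password as the `login_password` module argument, but none of them sets `no_log: true`, so a failed call prints the full argument set, password included, into the Ansible output unless the keystone library module itself declares `login_password` with `no_log=True` (not visible from this patch). Adding `no_log: true` beside `insecure:` on each task that carries `login_password` closes that, and the same applies to the identical edits in keystone_idp_sp_setup.yml, keystone_ldap_setup.yml and keystone_service_setup.yml. The enclosing tasks' `- name:` lines sit before this hunk.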
@@ -56,7 +60,9 @@ password: "{{ item.password }}" project_name: "{{ item.project }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: > @@ -72,7 +78,9 @@ command: ensure_group group_name: "{{ item.group }}" domain_name: "{{ item.domain | default('Default') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.group is defined @@ -84,7 +92,9 @@ keystone: command: "ensure_role" role_name: "{{ item.role | default('_member_') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: > @@ -100,7 +110,9 @@ group_name: "{{ item.group }}" project_name: "{{ item.project }}" role_name: "{{ item.role | default('_member_') }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: 
> @@ -115,7 +127,9 @@ command: ensure_mapping mapping_name: "{{ item.protocol.mapping.name }}" mapping_rules: "{{ item.protocol.mapping.rules }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.protocol.mapping.name is defined @@ -129,7 +143,9 @@ idp_name: "{{ item.name }}" idp_remote_ids: "{{ item.entity_ids }}" idp_enabled: true - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.name is defined @@ -143,7 +159,9 @@ protocol_name: "{{ item.protocol.name }}" idp_name: "{{ item.idp.name }}" mapping_name: "{{ item.protocol.mapping.name }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" when: item.protocol.name is defined diff --git a/tasks/keystone_idp_sp_setup.yml b/tasks/keystone_idp_sp_setup.yml index bf5ebce0..3263b32b 100644 --- a/tasks/keystone_idp_sp_setup.yml +++ b/tasks/keystone_idp_sp_setup.yml @@ -16,7 +16,9 @@ - name: Register service providers keystone: command: "ensure_service_provider" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" sp_name: "{{ item.id }}" sp_url: "{{ item.sp_url }}" 
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml index 5b8383bd..cd7c9b29 100644 --- a/tasks/keystone_ldap_setup.yml +++ b/tasks/keystone_ldap_setup.yml @@ -18,7 +18,9 @@ keystone: command: ensure_domain domain_name: "{{ item.key }}" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" with_dict: keystone_ldap diff --git a/tasks/keystone_service_setup.yml b/tasks/keystone_service_setup.yml index 174285bd..57ef307e 100644 --- a/tasks/keystone_service_setup.yml +++ b/tasks/keystone_service_setup.yml 
@@ -42,11 +42,36 @@ - keystone-db-sync - keystone-setup +- name: Bootstrap keystone admin and endpoint + command: | + {{ keystone_bin }}/keystone-manage bootstrap \ + --bootstrap-username {{ keystone_admin_user_name }} \ + --bootstrap-password {{ keystone_auth_admin_password }} \ + --bootstrap-project-name {{ keystone_admin_tenant_name }} \ + --bootstrap-role-name {{ keystone_role_name }} \ + --bootstrap-service-name {{ keystone_service_name }} \ + --bootstrap-region-id {{ keystone_service_region }} \ + --bootstrap-admin-url {{ keystone_service_adminurl }} \ + --bootstrap-public-url {{ keystone_service_publicurl }} \ + --bootstrap-internal-url {{ keystone_service_internalurl }} + become: yes + become_user: "{{ keystone_system_user_name }}" + register: add_service + until: add_service|success + retries: 5 + delay: 10 + tags: + - keystone-api-setup + - keystone-service-add + - keystone-setup + # Create a service tenant - name: Ensure service tenant keystone: command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" tenant_name: "{{ keystone_service_tenant_name }}" description: "{{ keystone_service_description }}" 
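Review bot: The new bootstrap task puts the admin password on the command line (`--bootstrap-password {{ keystone_auth_admin_password }}`) and registers the result without `no_log`, so the secret is readable from `ps` on the host while the command runs and is written to Ansible output on failure or in verbose runs. At minimum add `no_log: true` to the task; if the pinned keystone honours `OS_BOOTSTRAP_PASSWORD`, prefer `environment: { OS_BOOTSTRAP_PASSWORD: "{{ keystone_auth_admin_password }}" }` and drop the flag. Because the `command` module splits its string with shlex, a password containing whitespace or quotes would also be mangled as written, which is another reason to move it out of argv or at least quote the expansion. Separately, the removed `Ensure Admin user` task was skipped when `keystone_service_in_ldap` was true, whereas bootstrap now runs unconditionally and will try to create the admin user in whatever backend serves the default domain; confirm that is intended for LDAP-backed deployments.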
@@ -59,82 +84,13 @@ - keystone-api-setup - keystone-setup -# Create an admin tenant -- name: Ensure admin tenant - keystone: - command: "ensure_tenant" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - description: "{{ keystone_admin_description }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin user -- name: Ensure Admin user - keystone: - command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - password: "{{ keystone_auth_admin_password }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Create an admin role -- name: Ensure Admin role - keystone: - command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-setup - -# Add a role to the user -- name: Ensure Admin user to Admin role - keystone: - command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - user_name: "{{ keystone_admin_user_name }}" - tenant_name: "{{ keystone_admin_tenant_name }}" - role_name: "{{ keystone_role_name }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - register: add_service - when: not keystone_service_in_ldap | bool - until: add_service|success - retries: 5 - delay: 10 - tags: - 
- keystone-api-setup - - keystone-setup - # Add the default user role - name: Ensure default keystone user role keystone: command: "ensure_role" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" role_name: "{{ keystone_default_role_name }}" insecure: "{{ keystone_service_adminuri_insecure }}" @@ -151,7 +107,9 @@ - name: Ensure Keystone Service keystone: command: "ensure_service" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" service_name: "{{ keystone_service_name }}" service_type: "{{ keystone_service_type }}" @@ -170,7 +128,9 @@ - name: Ensure Keystone user keystone: command: "ensure_user" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" @@ -189,7 +149,9 @@ - name: Ensure Keystone user to Admin role keystone: command: "ensure_user_role" - token: "{{ keystone_auth_admin_token }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" endpoint: "{{ keystone_service_adminurl }}" user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" 
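Review bot: With the admin-tenant task deleted, `keystone_admin_description` appears to have no remaining consumer in this file; `keystone-manage bootstrap` takes no project description, so the admin project is now created without one. If the variable is still declared in defaults/main.yml, either remove it or annotate it with `# No longer applied: the admin project is created by keystone-manage bootstrap` so operators overriding it do not expect a description that never appears. The task that closes this hunk (`Ensure default keystone user role`) continues past the hunk boundary.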
@@ -203,29 +165,3 @@ - keystone-api-setup - keystone-service-add - keystone-setup - -# Create an endpoint -- name: Ensure Keystone Endpoint - keystone: - command: "ensure_endpoint" - token: "{{ keystone_auth_admin_token }}" - endpoint: "{{ keystone_service_adminurl }}" - region_name: "{{ keystone_service_region }}" - service_name: "{{ keystone_service_name }}" - service_type: "{{ keystone_service_type }}" - insecure: "{{ keystone_service_adminuri_insecure }}" - endpoint_list: - - url: "{{ keystone_service_publicurl }}" - interface: "public" - - url: "{{ keystone_service_adminurl }}" - interface: "admin" - - url: "{{ keystone_service_internalurl }}" - interface: "internal" - register: add_service - until: add_service|success - retries: 5 - delay: 10 - tags: - - keystone-api-setup - - keystone-service-add - - keystone-setup diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2 index 0d731d0a..4f3b0a28 100644 --- a/templates/keystone-paste.ini.j2 +++ b/templates/keystone-paste.ini.j2 @@ -13,16 +13,16 @@ use = egg:keystone#build_auth_context use = egg:keystone#token_auth [filter:admin_token_auth] +# This is deprecated in the M release and will be removed in the O release. +# Use `keystone-manage bootstrap` and remove this from the pipelines below. use = egg:keystone#admin_token_auth [filter:json_body] use = egg:keystone#json_body -[filter:user_crud_extension] -use = egg:keystone#user_crud_extension - -[filter:crud_extension] -use = egg:keystone#crud_extension +[filter:cors] +use = egg:oslo.middleware#cors +oslo_config_project = keystone [filter:ec2_extension] use = egg:keystone#ec2_extension @@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3 [filter:s3_extension] use = egg:keystone#s3_extension -[filter:simple_cert_extension] -use = egg:keystone#simple_cert_extension - [filter:url_normalize] use = egg:keystone#url_normalize 
@@ -54,17 +51,17 @@ use = egg:keystone#admin_service [pipeline:public_api] # The last item in this pipeline must be public_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service [pipeline:admin_api] # The last item in this pipeline must be admin_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3 +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 [app:public_version_service] use = egg:keystone#public_version_service @@ -73,10 +70,10 @@ use = egg:keystone#public_version_service use = egg:keystone#admin_version_service [pipeline:public_version_api] -pipeline = sizelimit url_normalize public_version_service +pipeline = cors sizelimit url_normalize public_version_service [pipeline:admin_version_api] -pipeline = sizelimit url_normalize admin_version_service +pipeline = cors sizelimit url_normalize admin_version_service [composite:main] use = egg:Paste#urlmap diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2 index b5789e44..f45ced26 100644 
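Review bot: All three pipelines still carry `admin_token_auth` even though this commit stops rendering `admin_token` into keystone.conf and the comment added to the filter above says to remove it once bootstrap is in use; with the option unset, what the middleware accepts depends on keystone's compiled default for `admin_token` at the pinned SHA (older releases shipped a well-known `ADMIN` default), so verify it is unset there or drop the filter now. The safe form is `pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service`, with the same removal in `admin_api` and `api_v3`, which the bootstrap flow this commit introduces no longer needs. Moving `admin_token_auth` ahead of `build_auth_context` mirrors the upstream Mitaka file but is only worth keeping if the token path is meant to stay supported until the O release.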
--- a/templates/keystone.conf.j2 +++ b/templates/keystone.conf.j2 @@ -3,7 +3,6 @@ [DEFAULT] verbose = {{ verbose }} debug = {{ debug }} -admin_token = {{ keystone_auth_admin_token }} {% if keystone_public_endpoint is defined %} public_endpoint = {{ keystone_public_endpoint }} {% endif %} diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 index 47aa9efd..797af24d 100644 --- a/templates/policy.json.j2 +++ b/templates/policy.json.j2 @@ -34,7 +34,7 @@ "identity:update_domain": "rule:admin_required", "identity:delete_domain": "rule:admin_required", - "identity:get_project": "rule:admin_required", + "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", "identity:list_projects": "rule:admin_required", "identity:list_user_projects": "rule:admin_or_owner", "identity:create_project": "rule:admin_required", @@ -75,6 +75,18 @@ "identity:create_role": "rule:admin_required", "identity:update_role": "rule:admin_required", "identity:delete_role": "rule:admin_required", + "identity:get_domain_role": "rule:admin_required", + "identity:list_domain_roles": "rule:admin_required", + "identity:create_domain_role": "rule:admin_required", + "identity:update_domain_role": "rule:admin_required", + "identity:delete_domain_role": "rule:admin_required", + + "identity:get_implied_role": "rule:admin_required ", + "identity:list_implied_roles": "rule:admin_required", + "identity:create_implied_role": "rule:admin_required", + "identity:delete_implied_role": "rule:admin_required", + "identity:list_role_inference_rules": "rule:admin_required", + "identity:check_implied_role": "rule:admin_required", "identity:check_grant": "rule:admin_required", "identity:list_grants": "rule:admin_required", diff --git a/tests/stand-alone.yml b/tests/stand-alone.yml index a6f4cb5f..c37f89af 100644 --- a/tests/stand-alone.yml +++ b/tests/stand-alone.yml 
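Review bot: `"identity:get_project"` is relaxed from admin-only to also allow any token scoped to the target project, a policy loosening that mirrors upstream Mitaka but is not mentioned in the commit message and deserves a line there since operators may have relied on the stricter rule. The new `"identity:get_implied_role": "rule:admin_required "` carries a trailing space inside the rule string; oslo.policy presumably tokenizes on whitespace so it should be harmless, but it should read `"identity:get_implied_role": "rule:admin_required",` for consistency with the neighbouring rules.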
@@ -11,7 +11,6 @@ keystone_galera_database: keystone keystone_venv_tag: "testing" keystone_developer_mode: true - keystone_auth_admin_token: "SuperSecreteTestToken" keystone_auth_admin_password: "SuperSecretePassword" keystone_database_enabled: false keystone_service_setup: false diff --git a/tests/test.yml b/tests/test.yml index 5b6b8149..f6d7f530 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -191,9 +191,8 @@ keystone_galera_database: keystone keystone_venv_tag: "testing" keystone_developer_mode: true - keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 - keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 - keystone_auth_admin_token: "SuperSecreteTestToken" + keystone_git_install_branch: 9692d40a78651f59db679def493f9712c96e0596 # HEAD of "stable/mitaka" as of 16.03.2016 + keystone_requirements_git_install_branch: 983af4a5d05bfa0f2c1d4ec80e3ee44a5abc2752 # HEAD of "master" as of 16.03.2016 keystone_auth_admin_password: "SuperSecretePassword" keystone_service_password: "secrete" keystone_rabbitmq_password: "secrete"