Add robust ldap domain-specific config
This patch set provides PATCH capability for ldap-backed domain config, and prevents silent failure if the configuration contains an erroneous setting. It also moves away from loading .conf files directly into the DB and uses the API endpoints instead. Change-Id: I17a19046fa96e0f3e8fb029c156ba79c924a0097 Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
parent
44841fbffc
commit
2873435274
42
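--- a/keystone/templates/bin/_domain-manage.py.tpl
+++ b/keystone/templates/bin/_domain-manage.py.tpl
@@ -0,0 +1,42 @@
+import requests
+import json
+import yaml
+import sys
+
+
+def main(args):
+    base_url, token, domainId, domainName, filename = args[1], args[2], args[3], args[4], args[5]
+    url = "%s/domains/%s/config" % (base_url, domainId)
+    print("Connecting to url: %r" % url)
+
+    headers = {
+        'Content-Type': "application/json",
+        'X-Auth-Token': token,
+        'Cache-Control': "no-cache"
+    }
+
+    response = requests.request("GET", url, headers=headers)
+
+    if response.status_code == 404:
+        print("domain config not found - put")
+        action = "PUT"
+    else:
+        print("domain config found - patch")
+        action = "PATCH"
+
+    with open(filename, "rb") as f:
+        data = {"config": json.load(f)}
+
+    response = requests.request(action, url,
+                                data=json.dumps(data),
+                                headers=headers)
+
+
+    print("Response code on action [%s]: %s" % (action, response.status_code))
+    if (int(response.status_code) / 100) != 2:
+        sys.exit(1)
+
+if __name__ == "__main__":
+    if len(sys.argv) != 6:
+        sys.exit(1)
+    main(sys.argv)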
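Review bot: The success check at the end of main() uses `/`, which is true division on Python 3, so a 201 Created or 204 No Content yields 2.01 or 2.04 and the script exits 1 after a successful PUT/PATCH; use floor division, `if response.status_code // 100 != 2:`. The GET probe treats every non-404 status, including a 401/403 from a rejected token, as "config found" and goes on to PATCH, so adding `elif not response.ok: sys.exit(1)` before choosing the action would fail at the point where the cause is still visible. `yaml` and `domainName` are imported/unpacked but never used. Passing the auth token as a positional argument also exposes it in the process command line to anything sharing the pid namespace; reading it from an environment variable or stdin would avoid that.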
@ -16,7 +16,17 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
set -ex
|
set -e
|
||||||
|
endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||||
|
path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
|
||||||
|
|
||||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||||
keystone-manage domain_config_upload --domain-name {{ $k }} || true
|
|
||||||
|
filename=${path}/keystone.{{ $k }}.json
|
||||||
|
python /tmp/domain-manage.py \
|
||||||
|
$endpt \
|
||||||
|
$(openstack token issue -f value -c id) \
|
||||||
|
$(openstack domain show {{ $k }} -f value -c id) \
|
||||||
|
{{ $k }} $filename
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
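Review bot: The command substitutions passed inline to `python /tmp/domain-manage.py` are not covered by `set -e`: if `openstack token issue` or `openstack domain show` fails, the substitution expands to an empty string and the script still runs with a blank token or domain id (a URL of `/domains//config`), failing later with an opaque HTTP status. Assigning them first, `token=$(openstack token issue -f value -c id)` and `domain_id=$(openstack domain show {{ $k }} -f value -c id)`, lets `set -e` abort at the right spot; quoting `"$filename"` and `"$endpt"` also guards the config path against word splitting. Dropping `-x` from `set -ex` is the right call here, since with tracing on the token would be echoed into the job log.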
@ -45,6 +45,8 @@ data:
|
|||||||
{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
domain-manage.sh: |
|
domain-manage.sh: |
|
||||||
{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
domain-manage.py: |
|
||||||
|
{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
rabbit-init.sh: |
|
rabbit-init.sh: |
|
||||||
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
|
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -50,7 +50,7 @@ data:
|
|||||||
sso_callback_template.html: |
|
sso_callback_template.html: |
|
||||||
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||||
keystone.{{ $k }}.conf: |
|
keystone.{{ $k }}.json: |
|
||||||
{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }}
|
{{ toJson $v | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
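Review bot: `toJson $v` renders every option of the domain, including any ldap bind `password` the operator sets under `.Values.conf.ks_domains`, into the keystone-etc ConfigMap in clear, as the previous oslo-conf rendering did; since the job now only needs the file to feed the config API, a Secret mounted the same way would keep the bind credential out of a ConfigMap. Whether the domain values actually carry a password cannot be seen from this hunk, so treat this as a question for the values file.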
@ -75,14 +75,18 @@ spec:
|
|||||||
mountPath: /tmp/domain-manage.sh
|
mountPath: /tmp/domain-manage.sh
|
||||||
subPath: domain-manage.sh
|
subPath: domain-manage.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: keystone-bin
|
||||||
|
mountPath: /tmp/domain-manage.py
|
||||||
|
subPath: domain-manage.py
|
||||||
|
readOnly: true
|
||||||
- name: keystone-etc
|
- name: keystone-etc
|
||||||
mountPath: /etc/keystone/keystone.conf
|
mountPath: /etc/keystone/keystone.conf
|
||||||
subPath: keystone.conf
|
subPath: keystone.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||||
- name: keystone-etc
|
- name: keystone-etc
|
||||||
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf
|
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.json
|
||||||
subPath: keystone.{{ $k }}.conf
|
subPath: keystone.{{ $k }}.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
|
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
|
||||||
|
@ -49,6 +49,7 @@ bootstrap:
|
|||||||
enabled: true
|
enabled: true
|
||||||
ks_user: admin
|
ks_user: admin
|
||||||
script: |
|
script: |
|
||||||
|
openstack role create --or-show _member_
|
||||||
openstack role add \
|
openstack role add \
|
||||||
--user="${OS_USERNAME}" \
|
--user="${OS_USERNAME}" \
|
||||||
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
||||||
|