Add robust ldap domain-specific config

This patch set provides PATCH capability for ldap-backed domain config,
and prevents silent failure if the configuration contains erroneous
settings.  It also moves away from loading .conf files into the DB directly,
and uses the API endpoints instead.

Change-Id: I17a19046fa96e0f3e8fb029c156ba79c924a0097
Signed-off-by: Tin Lam <tin@irrational.io>
Tin Lam 2018-04-05 18:41:12 -05:00
parent 44841fbffc
commit 2873435274
6 changed files with 65 additions and 6 deletions


@ -0,0 +1,42 @@
import requests
import json
import yaml
import sys
def main(args):
base_url, token, domainId, domainName, filename = args[1], args[2], args[3], args[4], args[5]
url = "%s/domains/%s/config" % (base_url, domainId)
print("Connecting to url: %r" % url)
headers = {
'Content-Type': "application/json",
'X-Auth-Token': token,
'Cache-Control': "no-cache"
}
response = requests.request("GET", url, headers=headers)
if response.status_code == 404:
print("domain config not found - put")
action = "PUT"
else:
print("domain config found - patch")
action = "PATCH"
with open(filename, "rb") as f:
data = {"config": json.load(f)}
response = requests.request(action, url,
data=json.dumps(data),
headers=headers)
print("Response code on action [%s]: %s" % (action, response.status_code))
if (int(response.status_code) / 100) != 2:
sys.exit(1)
if __name__ == "__main__":
if len(sys.argv) != 6:
sys.exit(1)
main(sys.argv)
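Review bot: `if (int(response.status_code) / 100) != 2:` near the end of main() treats every 2xx status other than 200 as a failure when run under Python 3, where `/` is true division (201 / 100 is 2.01), so a PUT that creates the domain config and is answered with 201 Created would exit 1 even though it succeeded; only under a Python 2 interpreter does the check behave as intended. Use integer division, `if response.status_code // 100 != 2:`, and drop the redundant `int()`. The GET branch also classifies every non-404 answer, including 401/403 and 5xx, as "domain config found" and proceeds to PATCH, so a rejected token produces a misleading message; checking for `response.status_code == 200` before choosing PATCH keeps the real error visible. Both `requests.request` calls lack a `timeout=`, and `import yaml` is unused.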


@ -16,7 +16,17 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
set -ex set -e
endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
{{- range $k, $v := .Values.conf.ks_domains }} {{- range $k, $v := .Values.conf.ks_domains }}
keystone-manage domain_config_upload --domain-name {{ $k }} || true
filename=${path}/keystone.{{ $k }}.json
python /tmp/domain-manage.py \
$endpt \
$(openstack token issue -f value -c id) \
$(openstack domain show {{ $k }} -f value -c id) \
{{ $k }} $filename
{{- end }} {{- end }}
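Review bot: The `$(openstack token issue ...)` and `$(openstack domain show ...)` substitutions used as arguments to `python /tmp/domain-manage.py` are not covered by `set -e`: if either command fails, the argument is simply empty while the exit status is python's, so the script carries on with an empty token or a URL of the form `.../domains//config` instead of aborting. Assign them first, where a failed assignment does trip `set -e`, and quote the expansions against word splitting: `token=$(openstack token issue -f value -c id)`, `domain_id=$(openstack domain show "{{ $k }}" -f value -c id)`, then `python /tmp/domain-manage.py "$endpt" "$token" "$domain_id" "{{ $k }}" "$filename"`. Note also that the token is handed over as a command-line argument, so it is readable in the container's process list for the duration of the call; switching from `set -ex` to `set -e` keeps it out of the job log but not out of the process table, and passing it through an environment variable or stdin would close that gap.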


@ -45,6 +45,8 @@ data:
{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
domain-manage.sh: | domain-manage.sh: |
{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
domain-manage.py: |
{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbit-init.sh: | rabbit-init.sh: |
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
{{- end }} {{- end }}


@ -50,7 +50,7 @@ data:
sso_callback_template.html: | sso_callback_template.html: |
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- range $k, $v := .Values.conf.ks_domains }} {{- range $k, $v := .Values.conf.ks_domains }}
keystone.{{ $k }}.conf: | keystone.{{ $k }}.json: |
{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }} {{ toJson $v | indent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -75,14 +75,18 @@ spec:
mountPath: /tmp/domain-manage.sh mountPath: /tmp/domain-manage.sh
subPath: domain-manage.sh subPath: domain-manage.sh
readOnly: true readOnly: true
- name: keystone-bin
mountPath: /tmp/domain-manage.py
subPath: domain-manage.py
readOnly: true
- name: keystone-etc - name: keystone-etc
mountPath: /etc/keystone/keystone.conf mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf subPath: keystone.conf
readOnly: true readOnly: true
{{- range $k, $v := .Values.conf.ks_domains }} {{- range $k, $v := .Values.conf.ks_domains }}
- name: keystone-etc - name: keystone-etc
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.json
subPath: keystone.{{ $k }}.conf subPath: keystone.{{ $k }}.json
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if eq .Values.conf.keystone.token.provider "fernet" }} {{- if eq .Values.conf.keystone.token.provider "fernet" }}


@ -49,6 +49,7 @@ bootstrap:
enabled: true enabled: true
ks_user: admin ks_user: admin
script: | script: |
openstack role create --or-show _member_
openstack role add \ openstack role add \
--user="${OS_USERNAME}" \ --user="${OS_USERNAME}" \
--user-domain="${OS_USER_DOMAIN_NAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \