Add robust ldap domain-specific config
This patch set provides PATCH capability for ldap-backed domain config, and prevents silent failure if the configuration contains an erroneous setting. It also moves away from loading .conf files directly into the DB and uses the API endpoints instead. Change-Id: I17a19046fa96e0f3e8fb029c156ba79c924a0097 Signed-off-by: Tin Lam <tin@irrational.io>
parent
44841fbffc
commit
2873435274
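--- /dev/null
+++ b/keystone/templates/bin/_domain-manage.py.tpl
@@ -0,0 +1,42 @@
+import requests
+import json
+import yaml
+import sys
+
+
+def main(args):
+    base_url, token, domainId, domainName, filename = args[1], args[2], args[3], args[4], args[5]
+    url = "%s/domains/%s/config" % (base_url, domainId)
+    print("Connecting to url: %r" % url)
+
+    headers = {
+        'Content-Type': "application/json",
+        'X-Auth-Token': token,
+        'Cache-Control': "no-cache"
+    }
+
+    response = requests.request("GET", url, headers=headers)
+
+    if response.status_code == 404:
+        print("domain config not found - put")
+        action = "PUT"
+    else:
+        print("domain config found - patch")
+        action = "PATCH"
+
+    with open(filename, "rb") as f:
+        data = {"config": json.load(f)}
+
+    response = requests.request(action, url,
+                                data=json.dumps(data),
+                                headers=headers)
+
+
+    print("Response code on action [%s]: %s" % (action, response.status_code))
+    if (int(response.status_code) / 100) != 2:
+        sys.exit(1)
+
+if __name__ == "__main__":
+    if len(sys.argv) != 6:
+        sys.exit(1)
+    main(sys.argv)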
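Review bot: The success check at the end of main(), `if (int(response.status_code) / 100) != 2:`, only behaves as intended under Python 2 integer division; under Python 3 a 200 or 201 gives 2.0 or 2.01, the comparison is true, and the job exits 1 on every successful PUT/PATCH, and the invoking script calls a bare `python` so the interpreter version is not pinned. Replace it with `if not response.ok:` (or `response.status_code // 100 != 2`) and print `response.text` before `sys.exit(1)` so a rejected config is diagnosable, which is the silent-failure case this commit sets out to close. The GET branch treats every non-404 status, including 401, 403 and 5xx, as "domain config found" and proceeds to PATCH; checking `response.status_code == 200` in the else branch would surface an auth or backend problem before the write. Neither requests.request call passes a `timeout=`, so a stalled endpoint hangs the job indefinitely, and `import yaml` is unused.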
@ -16,7 +16,17 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
set -ex
|
||||
set -e
|
||||
endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||
path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
|
||||
|
||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||
keystone-manage domain_config_upload --domain-name {{ $k }} || true
|
||||
|
||||
filename=${path}/keystone.{{ $k }}.json
|
||||
python /tmp/domain-manage.py \
|
||||
$endpt \
|
||||
$(openstack token issue -f value -c id) \
|
||||
$(openstack domain show {{ $k }} -f value -c id) \
|
||||
{{ $k }} $filename
|
||||
|
||||
{{- end }}
|
||||
|
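Review bot: The keystone token is handed to domain-manage.py as a positional argument, `$(openstack token issue -f value -c id)`, so for the lifetime of the script it is readable by any other process in the pod via the process command line; pass it through an environment variable or stdin instead and have the Python side read it from there. The rendered page does not show which of `set -ex` and `set -e` is the new line; if `-x` survives, the trace output also writes the expanded token into the job log. `$filename` and `{{ $k }}` are expanded unquoted on the python command line, so a domain name containing whitespace splits into extra arguments and trips the `len(sys.argv) != 6` check in the script; quote them as `"{{ $k }}" "$filename"`.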
@ -45,6 +45,8 @@ data:
|
||||
{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
domain-manage.sh: |
|
||||
{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
domain-manage.py: |
|
||||
{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbit-init.sh: |
|
||||
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -50,7 +50,7 @@ data:
|
||||
sso_callback_template.html: |
|
||||
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||
keystone.{{ $k }}.conf: |
|
||||
{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }}
|
||||
keystone.{{ $k }}.json: |
|
||||
{{ toJson $v | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -75,14 +75,18 @@ spec:
|
||||
mountPath: /tmp/domain-manage.sh
|
||||
subPath: domain-manage.sh
|
||||
readOnly: true
|
||||
- name: keystone-bin
|
||||
mountPath: /tmp/domain-manage.py
|
||||
subPath: domain-manage.py
|
||||
readOnly: true
|
||||
- name: keystone-etc
|
||||
mountPath: /etc/keystone/keystone.conf
|
||||
subPath: keystone.conf
|
||||
readOnly: true
|
||||
{{- range $k, $v := .Values.conf.ks_domains }}
|
||||
- name: keystone-etc
|
||||
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf
|
||||
subPath: keystone.{{ $k }}.conf
|
||||
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.json
|
||||
subPath: keystone.{{ $k }}.json
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
|
||||
|
@ -49,6 +49,7 @@ bootstrap:
|
||||
enabled: true
|
||||
ks_user: admin
|
||||
script: |
|
||||
openstack role create --or-show _member_
|
||||
openstack role add \
|
||||
--user="${OS_USERNAME}" \
|
||||
--user-domain="${OS_USER_DOMAIN_NAME}" \
|
||||
|