Fixing up keystone to work under the redux version.

2012-02-16 14:20:54 -08:00 · 2012-02-16 14:20:54 -08:00 · d754290c7a
commit d754290c7a
parent 9c3a88a690
5 changed files with 182 additions and 150 deletions
--- a/conf/pips/keystone.json
+++ b/conf/pips/keystone.json
@ -4,6 +4,9 @@
    "ubuntu-oneiric": {
        "passlib": {
            "version": "1.5.3"
+        },
+        "pyCLI": {
+            "version": "2.0.2"
        }
    },
    "rhel-6": {
@ -26,6 +29,9 @@
        #https://answers.launchpad.net/nova/+question/174160
        "PasteDeploy": {
            "version": "1.5"
+        },
+        "pyCLI": {
+            "version": "2.0.2"
        }
    }
 }
--- a/conf/templates/keystone/keystone.conf.tpl
+++ b/conf/templates/keystone/keystone.conf.tpl
@ -1,116 +1,95 @@
-# From commit fcd135252b
+# From devstack commit bd13b708f2

 [DEFAULT]
-
-# Show more verbose log output (sets INFO log level output)
-verbose = False
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = False
-
-# Which backend store should Keystone use by default.
-# Default: 'sqlite'
-# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
-default_store = sqlite
-
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
-log_file = %DEST%/keystone/keystone.log
-
-# List of backends to be configured
-backends = keystone.backends.sqlalchemy
-#For LDAP support, add: ,keystone.backends.ldap
-
-# Dictionary Maps every service to a header.Missing services would get header
-# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
-service_header_mappings = {
-	'nova' : 'X-Server-Management-Url',
-	'swift' : 'X-Storage-Url',
-	'cdn' : 'X-CDN-Management-Url'}
-
-#List of extensions currently supported
-extensions= osksadm,oskscatalog
-
-# Address to bind the API server
-# TODO Properties defined within app not available via pipeline.
-service_host = 0.0.0.0
-
-# Port the bind the API server to
-service_port = 5000
-
-# SSL for API server
-service_ssl = False
-
-# Address to bind the Admin API server
-admin_host = 0.0.0.0
-
-# Port the bind the Admin API server to
+public_port = 5000
 admin_port = 35357
+admin_token = %SERVICE_TOKEN%
+compute_port = 3000
+verbose = True
+debug = True

-# SSL for API Admin server
-admin_ssl = False
+# commented out so devstack logs to stdout
+# log_file = %DEST%/keystone/keystone.log

-# Keystone certificate file (modify as needed)
-# Only required if *_ssl is set to True
-certfile = /etc/keystone/ssl/certs/keystone.pem
+# ================= Syslog Options ============================
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log-file`
+use_syslog = False

-# Keystone private key file (modify as needed)
-# Only required if *_ssl is set to True
-keyfile = /etc/keystone/ssl/private/keystonekey.pem
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0

-# Keystone trusted CA certificates  (modify as needed)
-# Only required if *_ssl is set to True
-ca_certs = /etc/keystone/ssl/certs/ca.pem
+[sql]
+connection = %SQL_CONN%
+idle_timeout = 30
+min_pool_size = 5
+max_pool_size = 10
+pool_timeout = 200

-# Client certificate required
-# Only relevant if *_ssl is set to True
-cert_required = True
+[identity]
+driver = keystone.identity.backends.sql.Identity

-#Role that allows to perform admin operations.
-keystone_admin_role = admin
+[catalog]
+driver = keystone.catalog.backends.templated.TemplatedCatalog
+template_file = %KEYSTONE_DIR%/etc/default_catalog.templates

-#Role that allows to perform service admin operations.
-keystone_service_admin_role = KeystoneServiceAdmin
+[token]
+driver = keystone.token.backends.kvs.Token

-#Tells whether password user need to be hashed in the backend
-hash_password = True
+[policy]
+driver = keystone.policy.backends.simple.SimpleMatch

-[keystone.backends.sqlalchemy]
-# SQLAlchemy connection string for the reference implementation registry
-# server. Any valid SQLAlchemy connection string is fine.
-# See: http://bit.ly/ideIpI
-sql_connection = %SQL_CONN%
-backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
-                    'User', 'Credentials', 'EndpointTemplates', 'Token',
-                    'Service']
-
-# Period in seconds after which SQLAlchemy should reestablish its connection
-# to the database.
-sql_idle_timeout = 30
-
-[pipeline:admin]
-pipeline =
-    urlrewritefilter
-    admin_api
-
-[pipeline:keystone-legacy-auth]
-pipeline =
-    urlrewritefilter
-    legacy_auth
-    service_api
-
-[app:service_api]
-paste.app_factory = keystone.server:service_app_factory
-
-[app:admin_api]
-paste.app_factory = keystone.server:admin_app_factory
-
-[filter:urlrewritefilter]
-paste.filter_factory = keystone.middleware.url:filter_factory
-
-[filter:legacy_auth]
-paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
+[ec2]
+driver = keystone.contrib.ec2.backends.sql.Ec2

 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:debug_filter_factory
+paste.filter_factory = keystone.common.wsgi:Debug.factory

+[filter:token_auth]
+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+
+[filter:admin_token_auth]
+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+
+[filter:json_body]
+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+
+[filter:crud_extension]
+paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+
+[filter:ec2_extension]
+paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+
+[app:public_service]
+paste.app_factory = keystone.service:public_app_factory
+
+[app:admin_service]
+paste.app_factory = keystone.service:admin_app_factory
+
+[pipeline:public_api]
+pipeline = token_auth admin_token_auth json_body debug ec2_extension public_service
+
+[pipeline:admin_api]
+pipeline = token_auth admin_token_auth json_body debug ec2_extension crud_extension admin_service
+
+[app:public_version_service]
+paste.app_factory = keystone.service:public_version_app_factory
+
+[app:admin_version_service]
+paste.app_factory = keystone.service:admin_version_app_factory
+
+[pipeline:public_version_api]
+pipeline = public_version_service
+
+[pipeline:admin_version_api]
+pipeline = admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/ = admin_version_service
--- a/conf/templates/keystone/keystone_data.sh.tpl
+++ b/conf/templates/keystone/keystone_data.sh.tpl
@ -1,65 +1,106 @@
 #!/bin/bash

-# From commit 30439a6dc4
+# From devstack commit bd13b708f2 with some modifications

-# Order actually matters in this file so be careful!
+# These are used by keystone commands below (?)
+export SERVICE_TOKEN=$SERVICE_TOKEN
+export SERVICE_ENDPOINT=$SERVICE_ENDPOINT

-# This was added (so that it dies on errors)
-set -o errexit
+function get_id () {
+    echo `$@ | grep id | awk '{print $4}'`
+}

-BIN_DIR=${BIN_DIR:-.}
+# Added! (NOT IN ORIGINAL)
+ADMIN_USERNAME=%ADMIN_USERNAME%
+ADMIN_PASSWORD=%ADMIN_PASSWORD%
+DEMO_USER_NAME=%DEMO_USER_NAME%
+INVIS_USER_NAME=invisible_to_admin
+MEMBER_ROLE_NAME=Member
+KEYSTONE_ADMIN_ROLE_NAME=KeystoneAdmin
+KEYSTONE_SERVICE_ADMIN_ROLE_NAME=KeystoneServiceAdmin
+SYSADMIN_ROLE_NAME=sysadmin
+NETADMIN_ROLE_NAME=netadmin

 # Tenants
-$BIN_DIR/keystone-manage tenant add admin
-$BIN_DIR/keystone-manage tenant add demo
-$BIN_DIR/keystone-manage tenant add invisible_to_admin
+ADMIN_TENANT=`get_id keystone tenant-create --name=$ADMIN_USERNAME`
+DEMO_TENANT=`get_id keystone tenant-create --name=$DEMO_USER_NAME`
+INVIS_TENANT=`get_id keystone tenant-create --name=$INVIS_USER_NAME`
+

 # Users
-$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD%
-$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD%
+ADMIN_USER=`get_id keystone user-create \
+                                 --name=$ADMIN_USERNAME \
+                                 --pass="$ADMIN_PASSWORD" \
+                                 --email=admin@example.com`
+
+DEMO_USER=`get_id keystone user-create \
+                                 --name=$DEMO_USER_NAME \
+                                 --pass="$ADMIN_PASSWORD" \
+                                 --email=admin@example.com`

 # Roles
-$BIN_DIR/keystone-manage role add admin
-$BIN_DIR/keystone-manage role add Member
-$BIN_DIR/keystone-manage role add KeystoneAdmin
-$BIN_DIR/keystone-manage role add KeystoneServiceAdmin
-$BIN_DIR/keystone-manage role add sysadmin
-$BIN_DIR/keystone-manage role add netadmin
+ADMIN_ROLE=`get_id keystone role-create --name=$ADMIN_USERNAME`
+MEMBER_ROLE=`get_id keystone role-create --name=$MEMBER_ROLE_NAME`
+KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=$KEYSTONE_ADMIN_ROLE_NAME`
+KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=$KEYSTONE_SERVICE_ADMIN_ROLE_NAME`
+SYSADMIN_ROLE=`get_id keystone role-create --name=$SYSADMIN_ROLE_NAME`
+NETADMIN_ROLE=`get_id keystone role-create --name=$NETADMIN_ROLE_NAME`

-# Grants
-$BIN_DIR/keystone-manage role grant admin admin admin
-$BIN_DIR/keystone-manage role grant Member demo demo
-$BIN_DIR/keystone-manage role grant sysadmin demo demo
-$BIN_DIR/keystone-manage role grant netadmin demo demo
-$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin
-$BIN_DIR/keystone-manage role grant admin admin demo
-$BIN_DIR/keystone-manage role grant admin admin
-$BIN_DIR/keystone-manage role grant KeystoneAdmin admin
-$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin
+
+# Add Roles to Users in Tenants
+keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT
+keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT
+keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT
+keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT
+keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT
+keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT
+
+# TODO(termie): these two might be dubious
+keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT
+keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT

 # Services
-$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service"
-$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer"
-$BIN_DIR/keystone-manage service add glance image "Glance Image Service"
-$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service"
+keystone service-create \
+                                 --name=nova \
+                                 --type=compute \
+                                 --description="Nova Compute Service"
+
+keystone service-create \
+                                 --name=ec2 \
+                                 --type=ec2 \
+                                 --description="EC2 Compatibility Layer"
+
+keystone service-create \
+                                 --name=glance \
+                                 --type=image \
+                                 --description="Glance Image Service"
+
+keystone service-create \
+                                 --name=keystone \
+                                 --type=identity \
+                                 --description="Keystone Identity Service"
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
-    $BIN_DIR/keystone-manage service add swift object-store "Swift Service"
+    keystone service-create \
+                                 --name=swift \
+                                 --type="object-store" \
+                                 --description="Swift Service"
 fi

-# endpointTemplates for those templates
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id%  http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1
-if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
-    $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
-fi
+# create ec2 creds and parse the secret and access key returned
+RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER`
+    echo `$@ | grep id | awk '{print $4}'`
+ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
+ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`

-# Tokens
-$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
+RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER`
+DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
+DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`

-# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
-# but keystone doesn't parse them - it is just a blob from keystone's
-# point of view
-$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
-$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
+# write the secret and access to ec2rc to stderr for 
+# pickup by devstack py! (CHANGED!)
+cat 1>&2 <<EOF
+ADMIN_ACCESS=$ADMIN_ACCESS
+ADMIN_SECRET=$ADMIN_SECRET
+DEMO_ACCESS=$DEMO_ACCESS
+DEMO_SECRET=$DEMO_SECRET
+EOF
--- a/devstack/components/keystone.py
+++ b/devstack/components/keystone.py
@ -175,12 +175,12 @@ class KeystoneInstaller(comp.PythonInstallComponent):
            host_ip = self.cfg.get('host', 'ip')
            mp['DEST'] = self.appdir
            mp['SQL_CONN'] = self.cfg.get_dbdsn(DB_NAME)
-            mp['SERVICE_HOST'] = host_ip
-            mp['ADMIN_HOST'] = host_ip
+            mp['KEYSTONE_DIR'] = self.appdir
        elif config_fn == MANAGE_DATA_CONF:
            host_ip = self.cfg.get('host', 'ip')
            mp['ADMIN_PASSWORD'] = self.cfg.get('passwords', 'horizon_keystone_admin')
-            mp['SERVICE_HOST'] = host_ip
+            mp['ADMIN_USERNAME'] = 'admin'
+            mp['DEMO_USER_NAME'] = 'demo'
            mp.update(get_shared_params(self.cfg))
        else:
            mp['DEST'] = self.appdir
--- a/devstack/shell.py
+++ b/devstack/shell.py
@ -145,10 +145,16 @@ def execute(*cmd, **kwargs):
                cmd=str_cmd)
    else:
        #log it anyway
+        if not result:
+            result = ("", "")
        if rc not in check_exit_code:
            (stdout, stderr) = result
            LOG.debug("A failure may of just happened when running command \"%s\" [%s] (%s, %s)", str_cmd,
                rc, stdout.strip(), stderr.strip())
+        #log for debugging figuring stuff out
+        (stdout, stderr) = result
+        LOG.debug("Received stdout: %s" % (stdout))
+        LOG.debug("Received stderr: %s" % (stderr))
        return result