| e263c82e |
#!/bin/bash
# |
| d81a0274 |
# lib/keystone
# Functions to control the configuration and operation of **Keystone**
# Dependencies: |
| 6a5aa7c6 |
#
# - ``functions`` file |
| bd24a8d0 |
# - ``tls`` file |
| 6a5aa7c6 |
# - ``DEST``, ``STACK_USER`` |
| c4b06713 |
# - ``FILES`` |
| 6a5aa7c6 |
# - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``S3_SERVICE_PORT`` (template backend only) |
| d81a0274 |
# ``stack.sh`` calls the entry points in this order:
# |
| 6a5aa7c6 |
# - install_keystone
# - configure_keystone
# - _config_keystone_apache_wsgi
# - init_keystone
# - start_keystone |
| 923be5f7 |
# - bootstrap_keystone |
| 6a5aa7c6 |
# - create_keystone_accounts
# - stop_keystone
# - cleanup_keystone |
| d81a0274 |
|
| 7903b795 |
# Save trace setting |
| 523f4880 |
_XTRACE_KEYSTONE=$(set +o | grep xtrace) |
| 7903b795 |
set +o xtrace |
| d81a0274 |
# Defaults
# --------
# Set up default directories |
| 21a9077d |
GITDIR["keystoneauth"]=$DEST/keystoneauth |
| e08ab104 |
GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient |
| 658312ca |
GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware |
| d81a0274 |
KEYSTONE_DIR=$DEST/keystone |
| f8ae647f |
# Keystone virtual environment
if [[ ${USE_VENV} = True ]]; then
PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv
KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin
else
KEYSTONE_BIN_DIR=$(get_python_exec_prefix)
fi
|
| d81a0274 |
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
| 2f8c88e0 |
KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin |
| d81a0274 |
|
| a0305366 |
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi |
| edc11c2f |
# - uwsgi : Run keystone under uwsgi |
| 6ed53156 |
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
KEYSTONE_DEPLOY=uwsgi
else
KEYSTONE_DEPLOY=mod_wsgi |
| a0305366 |
fi
|
| 331a64f9 |
# Select the token persistence backend driver |
| 5bd96f96 |
KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql}
|
| 331a64f9 |
# Select the Identity backend driver |
| cd77058e |
KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql}
|
| 331a64f9 |
# Select the Assignment backend driver |
| cd77058e |
KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
|
| 3526276a |
# Select the Role backend driver
KEYSTONE_ROLE_BACKEND=${KEYSTONE_ROLE_BACKEND:-sql}
# Select the Resource backend driver
KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql}
|
| 331a64f9 |
# Select Keystone's token provider (and format)
# Choose from 'uuid', 'pki', 'pkiz', or 'fernet' |
| dc486bc1 |
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet} |
| 1e1fce85 |
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]') |
| bc071bce |
|
| d81a0274 |
# Set Keystone interface configuration
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} |
| c83a7e12 |
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
# Public facing bits |
| d81a0274 |
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
| c83a7e12 |
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} |
| d81a0274 |
|
| 041fa712 |
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST} |
| cbcbd8f3 |
|
| 0b1465b6 |
# Set the project for service accounts in Keystone |
| cbcbd8f3 |
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default} |
| 0b1465b6 |
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service} |
| 982b9911 |
# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
# compatibility; we should be using SERVICE_PROJECT_NAME now |
| 0b1465b6 |
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service} |
| b7490da9 |
|
| bd24a8d0 |
# if we are running with SSL use https protocols |
| f3b2f4c8 |
if is_service_enabled tls-proxy; then |
| bd24a8d0 |
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
|
| 6ed53156 |
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity |
| bb443112 |
# for compat
KEYSTONE_AUTH_URI=$KEYSTONE_SERVICE_URI |
| 3561d7f9 |
|
| b74e01c3 |
# V3 URIs
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
|
| b51a8862 |
# Security compliance
KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2} |
| dcd4b64c |
KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-10} |
| b51a8862 |
KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
|
| 2b6e9ac4 |
# Number of bcrypt hashing rounds, increasing number exponentially increases required
# resources to generate password hash. This is very effective way to protect from
# bruteforce attacks. 4 is minimal value that can be specified for bcrypt and
# it works way faster than default 12. Minimal value is great for CI and development
# however may not be suitable for real production.
KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4} |
| 5ce44cd6 |
|
| cc6b4435 |
# Functions
# --------- |
| 5ce44cd6 |
# Test if Keystone is enabled
# is_keystone_enabled
function is_keystone_enabled { |
| 902158bb |
[[ ,${DISABLED_SERVICES} =~ ,"keystone" ]] && return 1 |
| 5ce44cd6 |
[[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0
return 1
}
|
| d81a0274 |
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up |
| aee18c74 |
function cleanup_keystone { |
| aa33c878 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
# These files will be created if we are running WSGI_MODE="mod_wsgi"
disable_apache_site keystone
sudo rm -f $(apache_site_config_for keystone)
else
stop_process "keystone"
# TODO: remove admin at pike-2
remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
sudo rm -f $(apache_site_config_for keystone-wsgi-public)
sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
fi |
| a00e5f88 |
}
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone |
| aee18c74 |
function _config_keystone_apache_wsgi { |
| ada886dd |
local keystone_apache_conf
keystone_apache_conf=$(apache_site_config_for keystone) |
| a1e1f512 |
keystone_ssl_listen="#" |
| 18d4778c |
local keystone_ssl=""
local keystone_certfile=""
local keystone_keyfile=""
local keystone_service_port=$KEYSTONE_SERVICE_PORT
local keystone_auth_port=$KEYSTONE_AUTH_PORT |
| f8ae647f |
local venv_path="" |
| 18d4778c |
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
fi |
| f8ae647f |
if [[ ${USE_VENV} = True ]]; then |
| 3a2c86aa |
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages" |
| f8ae647f |
fi |
| d074dc7f |
|
| 970ee908 |
sudo cp $FILES/apache-keystone.template $keystone_apache_conf |
| a00e5f88 |
sudo sed -e " |
| 18d4778c |
s|%PUBLICPORT%|$keystone_service_port|g;
s|%ADMINPORT%|$keystone_auth_port|g; |
| a00e5f88 |
s|%APACHE_NAME%|$APACHE_NAME|g; |
| a1e1f512 |
s|%SSLLISTEN%|$keystone_ssl_listen|g; |
| 18d4778c |
s|%SSLENGINE%|$keystone_ssl|g;
s|%SSLCERTFILE%|$keystone_certfile|g;
s|%SSLKEYFILE%|$keystone_keyfile|g; |
| f8ae647f |
s|%USER%|$STACK_USER|g;
s|%VIRTUALENV%|$venv_path|g |
| 2ad1a42c |
s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g |
| 970ee908 |
" -i $keystone_apache_conf |
| a00e5f88 |
}
|
| d81a0274 |
# configure_keystone() - Set config files, create data dirs, etc |
| aee18c74 |
function configure_keystone { |
| 8421c2b9 |
sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR |
| d81a0274 |
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then |
| fe628b9f |
install -m 600 /dev/null $KEYSTONE_CONF |
| e0bb4472 |
fi |
| fe628b9f |
# Populate ``keystone.conf`` |
| f127e2f3 |
if is_service_enabled ldap; then |
| cc363971 |
iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True" |
| f127e2f3 |
fi |
| 331a64f9 |
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" |
| 2b6e9ac4 |
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS |
| 331a64f9 |
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" |
| 3526276a |
iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND" |
| f127e2f3 |
|
| a8ffe8a4 |
# Enable caching
iniset $KEYSTONE_CONF cache enabled "True" |
| 0a318ab8 |
iniset $KEYSTONE_CONF cache backend "dogpile.cache.memcached" |
| 75ace7a5 |
iniset $KEYSTONE_CONF cache memcache_servers localhost:11211 |
| a8ffe8a4 |
|
| 2dd110ce |
iniset_rpc_backend keystone $KEYSTONE_CONF |
| 8464a4cb |
|
| edc11c2f |
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
|
| c83a7e12 |
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals |
| edc11c2f |
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_port=$KEYSTONE_AUTH_PORT_INT |
| 841fdafa |
fi |
| cdba7b0e |
|
| 841fdafa |
# Override the endpoints advertised by keystone (the public_endpoint and
# admin_endpoint) so that clients use the correct endpoint. By default, the
# keystone server uses the public_port and admin_port which isn't going to
# work when you want to use a different port (in the case of proxy), or you
# don't want the port (in the case of putting keystone on a path in
# apache). |
| 6ed53156 |
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI |
| c83a7e12 |
|
| 1e1fce85 |
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then |
| 331a64f9 |
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT |
| 3763141c |
fi
|
| 16d3ad05 |
iniset $KEYSTONE_CONF database connection `database_connection_url keystone` |
| d81a0274 |
|
| 331a64f9 |
iniset $KEYSTONE_CONF token driver "$KEYSTONE_TOKEN_BACKEND" |
| 5bd96f96 |
|
| d81a0274 |
# Set up logging
if [ "$SYSLOG" != "False" ]; then |
| 4968d1ad |
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
fi
# Format logging |
| 27f66e98 |
setup_logging $KEYSTONE_CONF |
| a00e5f88 |
|
| 0fc336df |
iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
| a0305366 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
| da1cc578 |
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s" |
| a00e5f88 |
_config_keystone_apache_wsgi |
| 556eeb0d |
else # uwsgi |
| 6ed53156 |
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" |
| a00e5f88 |
fi |
| 0abde393 |
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 |
| 85a17ea1 |
|
| cef5e40e |
iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/" |
| 9ea49753 |
|
| 69d4a71d |
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
|
| 9ea49753 |
# Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
# The users from this project are globally admin as before, but it also
# allows policy changes in order to clarify the adminess scope. |
| 4440da85 |
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default
#iniset $KEYSTONE_CONF resource admin_project_name admin |
| b51a8862 |
if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi |
| d81a0274 |
}
|
| d835de89 |
# create_keystone_accounts() - Sets up common required keystone accounts
|
| 0b1465b6 |
# Project User Roles |
| d835de89 |
# ------------------------------------------------------------------ |
| 42a59c2b |
# admin admin admin |
| d835de89 |
# service -- -- |
| 42a59c2b |
# -- -- service
# -- -- ResellerAdmin |
| a7d0c6fa |
# -- -- member |
| d835de89 |
# demo admin admin |
| a7d0c6fa |
# demo demo member, anotherrole |
| c67d22e2 |
# alt_demo admin admin |
| a7d0c6fa |
# alt_demo alt_demo member, anotherrole
# invisible_to_admin demo member |
| d835de89 |
|
| 0b1465b6 |
# Group Users Roles Project |
| 4599fd17 |
# ------------------------------------------------------------------ |
| 50f75a9f |
# admins admin admin admin |
| a7d0c6fa |
# nonadmins demo, alt_demo member, anotherrole demo, alt_demo |
| 4599fd17 |
|
| d835de89 |
# Migrated from keystone_data.sh |
| aee18c74 |
function create_keystone_accounts { |
| d835de89 |
|
| a7d0c6fa |
# The keystone bootstrapping process (performed via keystone-manage
# bootstrap) creates an admin user, admin role, member role, and admin
# project. As a sanity check we exercise the CLI to retrieve the IDs for
# these values. |
| 0b1465b6 |
local admin_project
admin_project=$(openstack project show "admin" -f value -c id) |
| ada886dd |
local admin_user |
| 923be5f7 |
admin_user=$(openstack user show "admin" -f value -c id) |
| ee37d20f |
local admin_role="admin" |
| a7d0c6fa |
local member_role="member" |
| 923be5f7 |
|
| 59c6377a |
get_or_add_user_domain_role $admin_role $admin_user default |
| d835de89 |
|
| 42a59c2b |
# Create service project/role |
| cbcbd8f3 |
get_or_create_domain "$SERVICE_DOMAIN_NAME" |
| 0afe207c |
get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" |
| 42a59c2b |
# Service role, so service users do not have to be admins |
| 0abde393 |
get_or_create_role service |
| 42a59c2b |
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. |
| 0b1465b6 |
# The admin role in swift allows a user to act as an admin for their project,
# but ResellerAdmin is needed for a user to act as any project. The name of this |
| 42a59c2b |
# role is also configurable in swift-proxy.conf |
| 0abde393 |
get_or_create_role ResellerAdmin |
| d835de89 |
|
| d3654058 |
# another_role demonstrates that an arbitrary role may be created and used |
| d835de89 |
# TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
| ee37d20f |
local another_role="anotherrole"
get_or_create_role $another_role |
| d835de89 |
|
| 0b1465b6 |
# invisible project - admin can't see this one
local invis_project
invis_project=$(get_or_create_project "invisible_to_admin" default) |
| d835de89 |
# demo |
| 0b1465b6 |
local demo_project
demo_project=$(get_or_create_project "demo" default) |
| ada886dd |
local demo_user
demo_user=$(get_or_create_user "demo" \ |
| 9d7e776b |
"$ADMIN_PASSWORD" "default" "demo@example.com") |
| c50c983c |
|
| 0b1465b6 |
get_or_add_user_project_role $member_role $demo_user $demo_project
get_or_add_user_project_role $admin_role $admin_user $demo_project
get_or_add_user_project_role $another_role $demo_user $demo_project
get_or_add_user_project_role $member_role $demo_user $invis_project |
| d835de89 |
|
| c67d22e2 |
# alt_demo |
| 0b1465b6 |
local alt_demo_project
alt_demo_project=$(get_or_create_project "alt_demo" default) |
| c67d22e2 |
local alt_demo_user
alt_demo_user=$(get_or_create_user "alt_demo" \
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
|
| 0b1465b6 |
get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project |
| c67d22e2 |
# groups |
| ada886dd |
local admin_group
admin_group=$(get_or_create_group "admins" \ |
| 4599fd17 |
"default" "openstack admin group") |
| ada886dd |
local non_admin_group
non_admin_group=$(get_or_create_group "nonadmins" \ |
| 4599fd17 |
"default" "non-admin group")
|
| 0b1465b6 |
get_or_add_group_project_role $member_role $non_admin_group $demo_project
get_or_add_group_project_role $another_role $non_admin_group $demo_project
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
get_or_add_group_project_role $admin_role $admin_group $admin_project |
| cc363971 |
if is_service_enabled ldap; then
create_ldap_domain
fi |
| d835de89 |
}
|
| 85ff5323 |
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
#
# create_service_user <name> [role]
# |
| 7f685485 |
# We always add the service role, other roles are also allowed to be added as historically |
| 85ff5323 |
# a lot of projects have configured themselves with the admin or other role here if they are
# using this user for other purposes beyond simply auth_token middleware.
function create_service_user { |
| cbcbd8f3 |
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" |
| 7f685485 |
get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
if [[ -n "$2" ]]; then
get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
fi |
| 85ff5323 |
}
|
| 0595237e |
# Configure the service to use the auth token middleware.
# |
| 1f82f430 |
# configure_auth_token_middleware conf_file admin_user signing_dir [section] |
| 0595237e |
#
# section defaults to keystone_authtoken, which is where auth_token looks in
# the .conf file. If the paste config file is used (api-paste.ini) then
# provide the section name for the auth_token filter.
function configure_auth_token_middleware {
local conf_file=$1
local admin_user=$2 |
| 1f82f430 |
local signing_dir=$3
local section=${4:-keystone_authtoken} |
| 0595237e |
|
| f7dc06cb |
iniset $conf_file $section auth_type password |
| 38d4782c |
iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI |
| 78b7726d |
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD |
| cbcbd8f3 |
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" |
| 7580a0c3 |
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME |
| cbcbd8f3 |
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" |
| 78b7726d |
|
| 18d4778c |
iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
| 1f82f430 |
iniset $conf_file $section signing_dir $signing_dir |
| b2330c89 |
iniset $conf_file $section memcached_servers localhost:11211 |
| 21fe4e76 |
}
|
| d81a0274 |
# init_keystone() - Initialize databases, etc. |
| aee18c74 |
function init_keystone { |
| b9e25135 |
if is_service_enabled ldap; then
init_ldap
fi
|
| ea3e87d4 |
if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
# (Re)create keystone database
recreate_database keystone
fi |
| d81a0274 |
|
| 633dbc3d |
time_start "dbsync" |
| d81a0274 |
# Initialize keystone database |
| 4f55c2d5 |
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF db_sync |
| 633dbc3d |
time_stop "dbsync" |
| d81a0274 |
|
| cef5e40e |
if [[ "$KEYSTONE_TOKEN_FORMAT" == "pki" || "$KEYSTONE_TOKEN_FORMAT" == "pkiz" ]]; then |
| bc071bce |
# Set up certificates |
| 23431f35 |
rm -rf $KEYSTONE_CONF_DIR/ssl |
| 4f55c2d5 |
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF pki_setup |
| bc071bce |
fi |
| cef5e40e |
if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/" |
| 4f55c2d5 |
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF fernet_setup |
| cef5e40e |
fi |
| 69d4a71d |
rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
$KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF credential_setup
|
| d81a0274 |
}
|
| 21a9077d |
# install_keystoneauth() - Collect source and prepare
function install_keystoneauth {
if use_library_from_git "keystoneauth"; then
git_clone_by_name "keystoneauth"
setup_dev_lib "keystoneauth"
fi
}
|
| d81a0274 |
# install_keystoneclient() - Collect source and prepare |
| aee18c74 |
function install_keystoneclient { |
| e08ab104 |
if use_library_from_git "python-keystoneclient"; then
git_clone_by_name "python-keystoneclient"
setup_dev_lib "python-keystoneclient" |
| 5cb19069 |
fi |
| d81a0274 |
}
|
| 58936fdb |
# install_keystonemiddleware() - Collect source and prepare
function install_keystonemiddleware { |
| f8ae647f |
# install_keystonemiddleware() is called when keystonemiddleware is needed
# to provide an opportunity to install it from the source repo |
| 658312ca |
if use_library_from_git "keystonemiddleware"; then
git_clone_by_name "keystonemiddleware"
setup_dev_lib "keystonemiddleware" |
| f8ae647f |
else
# When not installing from repo, keystonemiddleware is still needed... |
| 60996b1b |
pip_install_gr keystonemiddleware |
| 658312ca |
fi |
| 5997ce3a |
# Install the memcache library so keystonemiddleware can cache tokens in a
# shared location.
pip_install_gr python-memcached |
| 58936fdb |
}
|
| d81a0274 |
# install_keystone() - Collect source and prepare |
| aee18c74 |
function install_keystone { |
| f127e2f3 |
# only install ldap if the service has been enabled
if is_service_enabled ldap; then
install_ldap
fi |
| 5997ce3a |
|
| d81a0274 |
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH |
| 1b4b4be7 |
setup_develop $KEYSTONE_DIR |
| 6a4d3eb5 |
if is_service_enabled ldap; then
setup_develop $KEYSTONE_DIR ldap
fi
|
| a0305366 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
| a00e5f88 |
install_apache_wsgi |
| d8589fa0 |
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
pip_install uwsgi |
| a00e5f88 |
fi |
| d81a0274 |
}
|
| 0eebeb41 |
# start_keystone() - Start running processes |
| aee18c74 |
function start_keystone { |
| c83a7e12 |
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT |
| 18d4778c |
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL |
| c83a7e12 |
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT |
| 18d4778c |
auth_protocol="http" |
| c83a7e12 |
fi
|
| a0305366 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
| c4b06713 |
enable_apache_site keystone |
| a00e5f88 |
restart_apache_server |
| 556eeb0d |
else # uwsgi |
| aceb27e8 |
run_process keystone "$KEYSTONE_BIN_DIR/uwsgi --procname-prefix keystone --ini $KEYSTONE_PUBLIC_UWSGI_CONF" "" |
| a00e5f88 |
fi
|
| d835de89 |
echo "Waiting for keystone to start..." |
| be4c953e |
# Check that the keystone service is running. Even if the tls tunnel
# should be enabled, make sure the internal port is checked using
# unencryted traffic at this point. |
| 841fdafa |
# If running in Apache, use the path rather than port.
|
| 6ed53156 |
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ |
| 841fdafa |
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then |
| 101b4248 |
die $LINENO "keystone did not start" |
| d835de89 |
fi |
| c83a7e12 |
# Start proxies if enabled
if is_service_enabled tls-proxy; then |
| 4b49e409 |
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT |
| c83a7e12 |
fi |
| 5997ce3a |
# (re)start memcached to make sure we have a clean memcache.
restart_service memcached |
| d81a0274 |
}
# stop_keystone() - Stop running processes |
| aee18c74 |
function stop_keystone { |
| a0305366 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
| c4b06713 |
disable_apache_site keystone
restart_apache_server |
| 9c5ffd8d |
else |
| bb443112 |
stop_process keystone |
| c4b06713 |
fi |
| d81a0274 |
} |
| 7903b795 |
|
| 923be5f7 |
# bootstrap_keystone() - Initialize user, role and project
# This function uses the following GLOBAL variables:
# - ``KEYSTONE_BIN_DIR``
# - ``ADMIN_PASSWORD``
# - ``IDENTITY_API_VERSION``
# - ``KEYSTONE_AUTH_URI``
# - ``REGION_NAME``
# - ``KEYSTONE_SERVICE_PROTOCOL``
# - ``KEYSTONE_SERVICE_HOST``
# - ``KEYSTONE_SERVICE_PORT``
function bootstrap_keystone { |
| 32bf2c4f |
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
--bootstrap-username admin \
--bootstrap-password "$ADMIN_PASSWORD" \
--bootstrap-project-name admin \
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id "$REGION_NAME" \ |
| 8dda061a |
--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \ |
| bfff93e1 |
--bootstrap-public-url "$KEYSTONE_SERVICE_URI" |
| 923be5f7 |
} |
| 1a6d4492 |
|
| cc363971 |
# create_ldap_domain() - Create domain file and initialize domain with a user
function create_ldap_domain {
# Creates domain Users
openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users
# Create domain file inside etc/keystone/domains
KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf
mkdir -p "$KEYSTONE_CONF_DIR/domains"
touch "$KEYSTONE_LDAP_DOMAIN_FILE"
# Set identity driver 'ldap'
iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap"
# LDAP settings for Users domain
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn"
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn"
# Restart apache and identity services to associate domain and conf file
sudo service apache2 reload
sudo systemctl restart devstack@keystone
# Create LDAP user.ldif and add user to LDAP backend
local tmp_ldap_dir
tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
_ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif
sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif
rm -rf $tmp_ldap_dir
local admin_project
admin_project=$(get_or_create_project "admin" default)
local ldap_user
ldap_user=$(openstack user show --domain=Users demo -f value -c id)
local admin_role="admin"
get_or_create_role $admin_role
# Grant demo LDAP user access to project and role
get_or_add_user_project_role $admin_role $ldap_user $admin_project
}
|
| 7903b795 |
# Restore xtrace |
| 523f4880 |
$_XTRACE_KEYSTONE |
| 584d90ec |
|
| 6a5aa7c6 |
# Tell emacs to use shell-script-mode
## Local variables:
## mode: shell-script
## End: |