| e263c82e |
#!/bin/bash
# |
| d81a0274 |
# lib/keystone
# Functions to control the configuration and operation of **Keystone**
# Dependencies: |
| 6a5aa7c6 |
#
# - ``functions`` file |
| bd24a8d0 |
# - ``tls`` file |
| 6a5aa7c6 |
# - ``DEST``, ``STACK_USER`` |
| c4b06713 |
# - ``FILES`` |
| 6a5aa7c6 |
# - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``SERVICE_TOKEN``
# - ``S3_SERVICE_PORT`` (template backend only) |
| d81a0274 |
# ``stack.sh`` calls the entry points in this order:
# |
| 6a5aa7c6 |
# - install_keystone
# - configure_keystone
# - _config_keystone_apache_wsgi
# - init_keystone
# - start_keystone
# - create_keystone_accounts
# - stop_keystone
# - cleanup_keystone
# - _cleanup_keystone_apache_wsgi |
| d81a0274 |
|
| 7903b795 |
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set +o xtrace |
| d81a0274 |
# Defaults
# --------
# Set up default directories |
| e08ab104 |
GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient |
| 658312ca |
GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware |
| d81a0274 |
KEYSTONE_DIR=$DEST/keystone |
| f8ae647f |
# Keystone virtual environment
if [[ ${USE_VENV} = True ]]; then
PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv
KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin
else
KEYSTONE_BIN_DIR=$(get_python_exec_prefix)
fi
|
| d81a0274 |
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
| e0bb4472 |
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini} |
| bc071bce |
KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone} |
| 8732afe2 |
if is_suse; then
KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/srv/www/htdocs/keystone}
else
KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/var/www/keystone}
fi |
| d81a0274 |
|
| 00da58a0 |
# Set up additional extensions, such as oauth1, federation
# Example of KEYSTONE_EXTENSIONS=oauth1,federation
KEYSTONE_EXTENSIONS=${KEYSTONE_EXTENSIONS:-}
|
| 46455a34 |
# Toggle for deploying Keystone under HTTPD + mod_wsgi |
| e6dd4e66 |
KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}} |
| 46455a34 |
|
| bc071bce |
# Select the backend for Keystone's service catalog |
| b80379c3 |
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} |
| d81a0274 |
KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
|
| 5bd96f96 |
# Select the backend for Tokens
KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql}
|
| cd77058e |
# Select the backend for Identity
KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql}
# Select the backend for Assignment
KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
|
| bc071bce |
# Select Keystone's token format |
| 754c4408 |
# Choose from 'UUID', 'PKI', or 'PKIZ' |
| 53753293 |
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-} |
| 1e1fce85 |
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]') |
| bc071bce |
|
| d81a0274 |
# Set Keystone interface configuration
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} |
| c83a7e12 |
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
# Public facing bits |
| d81a0274 |
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
| c83a7e12 |
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} |
| d81a0274 |
|
| 041fa712 |
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST} |
| b7490da9 |
# Set the tenant for service accounts in Keystone
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
|
| cd77058e |
# valid identity backends as per dir keystone/identity/backends
KEYSTONE_VALID_IDENTITY_BACKENDS=kvs,ldap,pam,sql
# valid assignment backends as per dir keystone/identity/backends
KEYSTONE_VALID_ASSIGNMENT_BACKENDS=kvs,ldap,sql |
| d81a0274 |
|
| bd24a8d0 |
# if we are running with SSL use https protocols |
| 18d4778c |
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then |
| bd24a8d0 |
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
|
| 3561d7f9 |
# complete URIs
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
|
| b74e01c3 |
# V3 URIs
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
|
| 5ce44cd6 |
|
| cc6b4435 |
# Functions
# --------- |
| 5ce44cd6 |
# Test if Keystone is enabled
# is_keystone_enabled
function is_keystone_enabled {
[[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0
return 1
}
|
| d81a0274 |
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up |
| aee18c74 |
function cleanup_keystone { |
| c4b06713 |
_cleanup_keystone_apache_wsgi |
| d81a0274 |
}
|
| a00e5f88 |
# _cleanup_keystone_apache_wsgi() - Remove wsgi files, disable and remove apache vhost file |
| aee18c74 |
function _cleanup_keystone_apache_wsgi { |
| 305c4deb |
sudo rm -f $KEYSTONE_WSGI_DIR/* |
| 970ee908 |
sudo rm -f $(apache_site_config_for keystone) |
| a00e5f88 |
}
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone |
| aee18c74 |
function _config_keystone_apache_wsgi { |
| a00e5f88 |
sudo mkdir -p $KEYSTONE_WSGI_DIR
|
| 970ee908 |
local keystone_apache_conf=$(apache_site_config_for keystone) |
| 18d4778c |
local keystone_ssl=""
local keystone_certfile=""
local keystone_keyfile=""
local keystone_service_port=$KEYSTONE_SERVICE_PORT
local keystone_auth_port=$KEYSTONE_AUTH_PORT |
| f8ae647f |
local venv_path="" |
| 18d4778c |
if is_ssl_enabled_service key; then
keystone_ssl="SSLEngine On"
keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
fi
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
fi |
| f8ae647f |
if [[ ${USE_VENV} = True ]]; then |
| 3a2c86aa |
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages" |
| f8ae647f |
fi |
| d074dc7f |
|
| a00e5f88 |
# copy proxy vhost and wsgi file
sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/main
sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/admin
|
| 970ee908 |
sudo cp $FILES/apache-keystone.template $keystone_apache_conf |
| a00e5f88 |
sudo sed -e " |
| 18d4778c |
s|%PUBLICPORT%|$keystone_service_port|g;
s|%ADMINPORT%|$keystone_auth_port|g; |
| a00e5f88 |
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%PUBLICWSGI%|$KEYSTONE_WSGI_DIR/main|g;
s|%ADMINWSGI%|$KEYSTONE_WSGI_DIR/admin|g; |
| 18d4778c |
s|%SSLENGINE%|$keystone_ssl|g;
s|%SSLCERTFILE%|$keystone_certfile|g;
s|%SSLKEYFILE%|$keystone_keyfile|g; |
| f8ae647f |
s|%USER%|$STACK_USER|g;
s|%VIRTUALENV%|$venv_path|g |
| 970ee908 |
" -i $keystone_apache_conf |
| a00e5f88 |
}
|
| d81a0274 |
# configure_keystone() - Set config files, create data dirs, etc |
| aee18c74 |
function configure_keystone { |
| 8421c2b9 |
sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR |
| d81a0274 |
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then |
| 8421c2b9 |
install -m 600 $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF |
| d81a0274 |
cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR |
| e0bb4472 |
if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then
cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI"
fi
fi
if [[ -f "$KEYSTONE_PASTE_INI" ]]; then
iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI"
else
# compatibility with mixed cfg and paste.deploy configuration
KEYSTONE_PASTE_INI="$KEYSTONE_CONF" |
| d81a0274 |
fi
|
| 00da58a0 |
configure_keystone_extensions
|
| d81a0274 |
# Rewrite stock ``keystone.conf`` |
| c83a7e12 |
|
| f127e2f3 |
if is_service_enabled ldap; then
#Set all needed ldap values |
| b9e25135 |
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN |
| f41024e4 |
iniset $KEYSTONE_CONF ldap use_dumb_member "True" |
| 2dc11fb5 |
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id" |
| f41024e4 |
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description" |
| b9e25135 |
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN" |
| f41024e4 |
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory" |
| b9e25135 |
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
| f41024e4 |
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" |
| f127e2f3 |
fi
|
| cd77058e |
# check if identity backend is valid
if [[ "$KEYSTONE_VALID_IDENTITY_BACKENDS" =~ "$KEYSTONE_IDENTITY_BACKEND" ]]; then
iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.$KEYSTONE_IDENTITY_BACKEND.Identity"
fi
# check if assignment backend is valid
if [[ "$KEYSTONE_VALID_ASSIGNMENT_BACKENDS" =~ "$KEYSTONE_ASSIGNMENT_BACKEND" ]]; then
iniset $KEYSTONE_CONF assignment driver "keystone.assignment.backends.$KEYSTONE_ASSIGNMENT_BACKEND.Assignment" |
| f127e2f3 |
fi
|
| 2dd110ce |
iniset_rpc_backend keystone $KEYSTONE_CONF |
| 8464a4cb |
|
| 7448edb0 |
iniset $KEYSTONE_CONF eventlet_server admin_bind_host "$KEYSTONE_ADMIN_BIND_HOST" |
| 245a4313 |
|
| bd24a8d0 |
# Register SSL certificates if provided
if is_ssl_enabled_service key; then
ensure_certificates KEYSTONE
|
| 7448edb0 |
iniset $KEYSTONE_CONF eventlet_server_ssl enable True
iniset $KEYSTONE_CONF eventlet_server_ssl certfile $KEYSTONE_SSL_CERT
iniset $KEYSTONE_CONF eventlet_server_ssl keyfile $KEYSTONE_SSL_KEY |
| bd24a8d0 |
fi
|
| c83a7e12 |
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals |
| 7448edb0 |
iniset $KEYSTONE_CONF eventlet_server public_port $KEYSTONE_SERVICE_PORT_INT
iniset $KEYSTONE_CONF eventlet_server admin_port $KEYSTONE_AUTH_PORT_INT |
| c83a7e12 |
fi
|
| d81a0274 |
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN" |
| 3763141c |
|
| 1e1fce85 |
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider keystone.token.providers.$KEYSTONE_TOKEN_FORMAT.Provider |
| 3763141c |
fi
|
| 16d3ad05 |
iniset $KEYSTONE_CONF database connection `database_connection_url keystone` |
| d81a0274 |
iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2"
|
| 5bd96f96 |
if [[ "$KEYSTONE_TOKEN_BACKEND" = "sql" ]]; then |
| 947d7468 |
iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.sql.Token |
| 61ae7c16 |
elif [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then |
| 947d7468 |
iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.memcache.Token |
| 5bd96f96 |
else |
| 947d7468 |
iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.kvs.Token |
| 5bd96f96 |
fi
|
| d81a0274 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
# Configure ``keystone.conf`` to use sql
iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog
inicomment $KEYSTONE_CONF catalog template_file
else
cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
# Add swift endpoints to service catalog if swift is enabled |
| 0c3a5584 |
if is_service_enabled s-proxy; then |
| d81a0274 |
echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
fi
|
| b05c8769 |
# Add neutron endpoints to service catalog if neutron is enabled
if is_service_enabled neutron; then |
| d81a0274 |
echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG |
| b05c8769 |
echo "catalog.RegionOne.network.name = Neutron Service" >> $KEYSTONE_CATALOG |
| d81a0274 |
fi
|
| 7e86dbe1 |
sed -e " |
| d81a0274 |
s,%SERVICE_HOST%,$SERVICE_HOST,g;
s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
" -i $KEYSTONE_CATALOG
# Configure ``keystone.conf`` to use templates |
| 7fb5082c |
iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.Catalog" |
| d81a0274 |
iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
fi
# Set up logging
if [ "$SYSLOG" != "False" ]; then |
| 4968d1ad |
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
fi
# Format logging |
| 46455a34 |
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_USE_MOD_WSGI" == "False" ] ; then |
| 4968d1ad |
setup_colorized_logging $KEYSTONE_CONF DEFAULT |
| d81a0274 |
fi |
| a00e5f88 |
|
| 0fc336df |
iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
| 46455a34 |
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| 2c2b1ccc |
# Eliminate the %(asctime)s.%(msecs)03d from the log format strings
iniset $KEYSTONE_CONF DEFAULT logging_context_format_string "%(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s"
iniset $KEYSTONE_CONF DEFAULT logging_default_format_string "%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s"
iniset $KEYSTONE_CONF DEFAULT logging_debug_format_suffix "%(funcName)s %(pathname)s:%(lineno)d"
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(process)d TRACE %(name)s %(instance)s" |
| a00e5f88 |
_config_keystone_apache_wsgi
fi |
| 0abde393 |
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 |
| 85a17ea1 |
|
| 7448edb0 |
iniset $KEYSTONE_CONF eventlet_server admin_workers "$API_WORKERS" |
| 85a17ea1 |
# Public workers will use the server default, typically number of CPU. |
| d81a0274 |
}
|
| 00da58a0 |
function configure_keystone_extensions {
# Add keystone extension into keystone v3 application pipeline
local extension_value
local api_v3
local extension
local api_v3_extension
for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do
if [[ -z "${extension_value}" ]]; then
continue
fi
api_v3=$(iniget $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline)
extension=$(echo $api_v3 | sed -ne "/${extension_value}/ p;" )
if [[ -z $extension ]]; then
api_v3_extension=$(echo $api_v3 | sed -ne "s/service_v3/${extension_value}_extension service_v3/p;" )
iniset $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline "$api_v3_extension"
fi
done
}
|
| d835de89 |
# create_keystone_accounts() - Sets up common required keystone accounts
# Tenant User Roles
# ------------------------------------------------------------------ |
| 42a59c2b |
# admin admin admin |
| d835de89 |
# service -- -- |
| 42a59c2b |
# -- -- service
# -- -- ResellerAdmin |
| d835de89 |
# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
|
| 4599fd17 |
# Group Users Roles Tenant
# ------------------------------------------------------------------
# admins admin admin admin
# nonadmin demo Member, anotherrole demo
|
| d835de89 |
# Migrated from keystone_data.sh |
| aee18c74 |
function create_keystone_accounts { |
| d835de89 |
# admin |
| c50c983c |
local admin_tenant=$(get_or_create_project "admin") |
| 18f39bfb |
local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD") |
| c50c983c |
local admin_role=$(get_or_create_role "admin") |
| 9b215db5 |
get_or_add_user_project_role $admin_role $admin_user $admin_tenant |
| d835de89 |
|
| 42a59c2b |
# Create service project/role |
| 0abde393 |
get_or_create_project "$SERVICE_TENANT_NAME" |
| 42a59c2b |
# Service role, so service users do not have to be admins |
| 0abde393 |
get_or_create_role service |
| 42a59c2b |
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf |
| 0abde393 |
get_or_create_role ResellerAdmin |
| d835de89 |
# The Member role is used by Horizon and Swift so we need to keep it: |
| c50c983c |
local member_role=$(get_or_create_role "Member") |
| 0abde393 |
|
| d3654058 |
# another_role demonstrates that an arbitrary role may be created and used |
| d835de89 |
# TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
| c50c983c |
local another_role=$(get_or_create_role "anotherrole") |
| d835de89 |
# invisible tenant - admin can't see this one |
| c50c983c |
local invis_tenant=$(get_or_create_project "invisible_to_admin") |
| d835de89 |
# demo |
| c50c983c |
local demo_tenant=$(get_or_create_project "demo")
local demo_user=$(get_or_create_user "demo" \ |
| 18f39bfb |
"$ADMIN_PASSWORD" "demo@example.com") |
| c50c983c |
|
| 9b215db5 |
get_or_add_user_project_role $member_role $demo_user $demo_tenant
get_or_add_user_project_role $admin_role $admin_user $demo_tenant
get_or_add_user_project_role $another_role $demo_user $demo_tenant
get_or_add_user_project_role $member_role $demo_user $invis_tenant |
| d835de89 |
|
| 4599fd17 |
local admin_group=$(get_or_create_group "admins" \
"default" "openstack admin group")
local non_admin_group=$(get_or_create_group "nonadmins" \
"default" "non-admin group")
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
get_or_add_group_project_role $admin_role $admin_group $admin_tenant |
| b74e01c3 |
|
| d835de89 |
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| 0abde393 |
KEYSTONE_SERVICE=$(get_or_create_service "keystone" \
"identity" "Keystone Identity Service")
get_or_create_endpoint $KEYSTONE_SERVICE \
"$REGION_NAME" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" |
| d835de89 |
fi
}
|
| 85ff5323 |
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
#
# create_service_user <name> [role]
#
# The role defaults to the service role. It is allowed to be provided as optional as historically
# a lot of projects have configured themselves with the admin or other role here if they are
# using this user for other purposes beyond simply auth_token middleware.
function create_service_user {
local role=${2:-service}
local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD") |
| 9b215db5 |
get_or_add_user_project_role "$role" "$user" "$SERVICE_TENANT_NAME" |
| 85ff5323 |
}
|
| 0595237e |
# Configure the service to use the auth token middleware.
#
# configure_auth_token_middleware conf_file admin_user signing_dir [section]
#
# section defaults to keystone_authtoken, which is where auth_token looks in
# the .conf file. If the paste config file is used (api-paste.ini) then
# provide the section name for the auth_token filter.
function configure_auth_token_middleware {
local conf_file=$1
local admin_user=$2
local signing_dir=$3
local section=${4:-keystone_authtoken}
|
| 78b7726d |
iniset $conf_file $section auth_plugin password
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD
iniset $conf_file $section user_domain_id default
iniset $conf_file $section project_name $SERVICE_TENANT_NAME
iniset $conf_file $section project_domain_id default
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI |
| 18d4778c |
iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
| 0595237e |
iniset $conf_file $section signing_dir $signing_dir |
| 21fe4e76 |
}
|
| d81a0274 |
# init_keystone() - Initialize databases, etc. |
| aee18c74 |
function init_keystone { |
| b9e25135 |
if is_service_enabled ldap; then
init_ldap
fi
|
| d81a0274 |
# (Re)create keystone database |
| 157c84b8 |
recreate_database keystone |
| d81a0274 |
# Initialize keystone database |
| f8ae647f |
$KEYSTONE_BIN_DIR/keystone-manage db_sync |
| d81a0274 |
|
| 00da58a0 |
local extension_value
for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do
if [[ -z "${extension_value}" ]]; then
continue
fi |
| f8ae647f |
$KEYSTONE_BIN_DIR/keystone-manage db_sync --extension "${extension_value}" |
| 00da58a0 |
done
|
| 1e1fce85 |
if [[ "$KEYSTONE_TOKEN_FORMAT" != "uuid" ]]; then |
| bc071bce |
# Set up certificates |
| 23431f35 |
rm -rf $KEYSTONE_CONF_DIR/ssl |
| f8ae647f |
$KEYSTONE_BIN_DIR/keystone-manage pki_setup |
| bc071bce |
# Create cache dir |
| 8421c2b9 |
sudo install -d -o $STACK_USER $KEYSTONE_AUTH_CACHE_DIR |
| 23431f35 |
rm -f $KEYSTONE_AUTH_CACHE_DIR/* |
| bc071bce |
fi |
| d81a0274 |
}
# install_keystoneclient() - Collect source and prepare |
| aee18c74 |
function install_keystoneclient { |
| e08ab104 |
if use_library_from_git "python-keystoneclient"; then
git_clone_by_name "python-keystoneclient"
setup_dev_lib "python-keystoneclient"
sudo install -D -m 0644 -o $STACK_USER {${GITDIR["python-keystoneclient"]}/tools/,/etc/bash_completion.d/}keystone.bash_completion |
| 5cb19069 |
fi |
| d81a0274 |
}
|
| 58936fdb |
# install_keystonemiddleware() - Collect source and prepare
function install_keystonemiddleware { |
| f8ae647f |
# install_keystonemiddleware() is called when keystonemiddleware is needed
# to provide an opportunity to install it from the source repo |
| 658312ca |
if use_library_from_git "keystonemiddleware"; then
git_clone_by_name "keystonemiddleware"
setup_dev_lib "keystonemiddleware" |
| f8ae647f |
else
# When not installing from repo, keystonemiddleware is still needed... |
| 60996b1b |
pip_install_gr keystonemiddleware |
| 658312ca |
fi |
| 58936fdb |
}
|
| d81a0274 |
# install_keystone() - Collect source and prepare |
| aee18c74 |
function install_keystone { |
| f127e2f3 |
# only install ldap if the service has been enabled
if is_service_enabled ldap; then
install_ldap
fi |
| 61ae7c16 |
if [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then
# Install memcached and the memcache Python library that keystone uses.
# Unfortunately the Python library goes by different names in the .deb
# and .rpm circles.
install_package memcached
if is_ubuntu; then
install_package python-memcache
else
install_package python-memcached
fi
fi |
| d81a0274 |
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH |
| 1b4b4be7 |
setup_develop $KEYSTONE_DIR |
| 46455a34 |
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| a00e5f88 |
install_apache_wsgi |
| 18d4778c |
if is_ssl_enabled_service "key"; then
enable_mod_ssl
fi |
| a00e5f88 |
fi |
| d81a0274 |
}
# start_keystone() - Start running processes, including screen |
| aee18c74 |
function start_keystone { |
| c83a7e12 |
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT |
| 18d4778c |
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL |
| c83a7e12 |
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT |
| 18d4778c |
auth_protocol="http" |
| c83a7e12 |
fi
|
| 46455a34 |
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| c4b06713 |
enable_apache_site keystone |
| a00e5f88 |
restart_apache_server |
| 2f27a0ed |
tail_log key /var/log/$APACHE_NAME/keystone.log
tail_log key-access /var/log/$APACHE_NAME/keystone_access.log |
| a00e5f88 |
else
# Start Keystone in a screen window |
| f8ae647f |
run_process key "$KEYSTONE_BIN_DIR/keystone-all --config-file $KEYSTONE_CONF" |
| a00e5f88 |
fi
|
| d835de89 |
echo "Waiting for keystone to start..." |
| be4c953e |
# Check that the keystone service is running. Even if the tls tunnel
# should be enabled, make sure the internal port is checked using
# unencryted traffic at this point. |
| b5ab6468 |
if ! wait_for_service $SERVICE_TIMEOUT $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/; then |
| 101b4248 |
die $LINENO "keystone did not start" |
| d835de89 |
fi |
| c83a7e12 |
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
fi |
| d81a0274 |
}
# stop_keystone() - Stop running processes |
| aee18c74 |
function stop_keystone { |
| c4b06713 |
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then
disable_apache_site keystone
restart_apache_server
fi |
| d81a0274 |
# Kill the Keystone screen window |
| 2f27a0ed |
stop_process key |
| d81a0274 |
} |
| 7903b795 |
|
| 1a6d4492 |
|
| 7903b795 |
# Restore xtrace
$XTRACE |
| 584d90ec |
|
| 6a5aa7c6 |
# Tell emacs to use shell-script-mode
## Local variables:
## mode: shell-script
## End: |