# lib/keystone
# Functions to control the configuration and operation of **Keystone**
# Dependencies:
# ``functions`` file
# ``BASE_SQL_CONN``
# ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# ``SERVICE_TOKEN``
# ``S3_SERVICE_PORT`` (template backend only)
# ``STACK_USER``
# ``stack.sh`` calls the entry points in this order:
#
# install_keystone
# configure_keystone
# init_keystone
# start_keystone
# create_keystone_accounts
# stop_keystone
# cleanup_keystone
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set +o xtrace
# Defaults
# --------
# Set up default directories
KEYSTONE_DIR=$DEST/keystone
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone}
KEYSTONECLIENT_DIR=$DEST/python-keystoneclient
# Select the backend for Keystone's service catalog
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
# Select the backend for Tokens
KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql}
# Select Keystone's token format
# Choose from 'UUID' and 'PKI'
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
# Set Keystone interface configuration
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
# Public facing bits
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
# Set the tenant for service accounts in Keystone
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Functions
# ---------
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_keystone() {
# kill instances (nova)
# delete image files (glance)
# This function intentionally left blank
:
}
# configure_keystone() - Set config files, create data dirs, etc
function configure_keystone() {
if [[ ! -d $KEYSTONE_CONF_DIR ]]; then
sudo mkdir -p $KEYSTONE_CONF_DIR
fi
sudo chown $STACK_USER $KEYSTONE_CONF_DIR
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
cp -p $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF
cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR
if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then
cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI"
fi
fi
if [[ -f "$KEYSTONE_PASTE_INI" ]]; then
iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI"
else
# compatibility with mixed cfg and paste.deploy configuration
KEYSTONE_PASTE_INI="$KEYSTONE_CONF"
fi
# Rewrite stock ``keystone.conf``
if is_service_enabled ldap; then
#Set all needed ldap values
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org"
iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org"
iniset $KEYSTONE_CONF ldap use_dumb_member "True"
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,tenantId"
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,dc=openstack,dc=org"
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,dc=openstack,dc=org"
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
fi
if [[ "$KEYSTONE_IDENTITY_BACKEND" == "ldap" ]]; then
iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.ldap.Identity"
fi
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT
fi
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
iniset $KEYSTONE_CONF signing token_format "$KEYSTONE_TOKEN_FORMAT"
iniset $KEYSTONE_CONF sql connection `database_connection_url keystone`
iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2"
if [[ "$KEYSTONE_TOKEN_BACKEND" = "sql" ]]; then
iniset $KEYSTONE_CONF token driver keystone.token.backends.sql.Token
else
iniset $KEYSTONE_CONF token driver keystone.token.backends.kvs.Token
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
# Configure ``keystone.conf`` to use sql
iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog
inicomment $KEYSTONE_CONF catalog template_file
else
cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
# Add swift endpoints to service catalog if swift is enabled
if is_service_enabled s-proxy; then
echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
fi
# Add quantum endpoints to service catalog if quantum is enabled
if is_service_enabled quantum; then
echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.name = Quantum Service" >> $KEYSTONE_CATALOG
fi
sed -e "
s,%SERVICE_HOST%,$SERVICE_HOST,g;
s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
" -i $KEYSTONE_CATALOG
# Configure ``keystone.conf`` to use templates
iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
fi
# Set up logging
LOGGING_ROOT="devel"
if [ "$SYSLOG" != "False" ]; then
LOGGING_ROOT="$LOGGING_ROOT,production"
fi
KEYSTONE_LOG_CONFIG="--log-config $KEYSTONE_CONF_DIR/logging.conf"
cp $KEYSTONE_DIR/etc/logging.conf.sample $KEYSTONE_CONF_DIR/logging.conf
iniset $KEYSTONE_CONF_DIR/logging.conf logger_root level "DEBUG"
iniset $KEYSTONE_CONF_DIR/logging.conf logger_root handlers "devel,production"
}
# create_keystone_accounts() - Sets up common required keystone accounts
# Tenant User Roles
# ------------------------------------------------------------------
# service -- --
# -- -- Member
# admin admin admin
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Migrated from keystone_data.sh
create_keystone_accounts() {
# admin
ADMIN_TENANT=$(keystone tenant-create \
--name admin \
| grep " id " | get_field 2)
ADMIN_USER=$(keystone user-create \
--name admin \
--pass "$ADMIN_PASSWORD" \
--email admin@example.com \
| grep " id " | get_field 2)
ADMIN_ROLE=$(keystone role-create \
--name admin \
| grep " id " | get_field 2)
keystone user-role-add \
--user_id $ADMIN_USER \
--role_id $ADMIN_ROLE \
--tenant_id $ADMIN_TENANT
# service
SERVICE_TENANT=$(keystone tenant-create \
--name $SERVICE_TENANT_NAME \
| grep " id " | get_field 2)
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | get_field 2)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(keystone role-create --name=anotherrole | grep " id " | get_field 2)
# invisible tenant - admin can't see this one
INVIS_TENANT=$(keystone tenant-create --name=invisible_to_admin | grep " id " | get_field 2)
# demo
DEMO_TENANT=$(keystone tenant-create \
--name=demo \
| grep " id " | get_field 2)
DEMO_USER=$(keystone user-create \
--name demo \
--pass "$ADMIN_PASSWORD" \
--email demo@example.com \
| grep " id " | get_field 2)
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
KEYSTONE_SERVICE=$(keystone service-create \
--name keystone \
--type identity \
--description "Keystone Identity Service" \
| grep " id " | get_field 2)
keystone endpoint-create \
--region RegionOne \
--service_id $KEYSTONE_SERVICE \
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" \
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0" \
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0"
fi
# TODO(dtroyer): This is part of a series of changes...remove these when
# complete if they are really unused
# KEYSTONEADMIN_ROLE=$(keystone role-create \
# --name KeystoneAdmin \
# | grep " id " | get_field 2)
# KEYSTONESERVICE_ROLE=$(keystone role-create \
# --name KeystoneServiceAdmin \
# | grep " id " | get_field 2)
# TODO(termie): these two might be dubious
# keystone user-role-add \
# --user_id $ADMIN_USER \
# --role_id $KEYSTONEADMIN_ROLE \
# --tenant_id $ADMIN_TENANT
# keystone user-role-add \
# --user_id $ADMIN_USER \
# --role_id $KEYSTONESERVICE_ROLE \
# --tenant_id $ADMIN_TENANT
}
# init_keystone() - Initialize databases, etc.
function init_keystone() {
# (Re)create keystone database
recreate_database keystone utf8
# Initialize keystone database
$KEYSTONE_DIR/bin/keystone-manage db_sync
if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
# Set up certificates
rm -rf $KEYSTONE_CONF_DIR/ssl
$KEYSTONE_DIR/bin/keystone-manage pki_setup
# Create cache dir
sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR
sudo chown $STACK_USER $KEYSTONE_AUTH_CACHE_DIR
rm -f $KEYSTONE_AUTH_CACHE_DIR/*
fi
}
# install_keystoneclient() - Collect source and prepare
function install_keystoneclient() {
git_clone $KEYSTONECLIENT_REPO $KEYSTONECLIENT_DIR $KEYSTONECLIENT_BRANCH
setup_develop $KEYSTONECLIENT_DIR
}
# install_keystone() - Collect source and prepare
function install_keystone() {
# only install ldap if the service has been enabled
if is_service_enabled ldap; then
install_ldap
fi
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH
setup_develop $KEYSTONE_DIR
}
# start_keystone() - Start running processes, including screen
function start_keystone() {
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
fi
# Start Keystone in a screen window
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
echo "Waiting for keystone to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s http://$SERVICE_HOST:$service_port/v2.0/ >/dev/null; do sleep 1; done"; then
die $LINENO "keystone did not start"
fi
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
fi
}
# stop_keystone() - Stop running processes
function stop_keystone() {
# Kill the Keystone screen window
screen -S $SCREEN_NAME -p key -X kill
}
# Restore xtrace
$XTRACE
# Local variables:
# mode: shell-script
# End: