Browse code
Use identity_uri instead of auth fragments
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
identity_uri option was release in keystoneclient 0.8.0
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
Jamie Lennox authored on 2014/05/21 16:18:43Showing 11 changed files
- lib/ceilometer
- lib/cinder
- lib/glance
- lib/heat
- lib/ironic
- lib/keystone
- lib/neutron
- lib/nova
- lib/nova_plugins/hypervisor-ironic
- lib/trove
- stack.sh
| ... | ... |
@@ -164,9 +164,7 @@ function configure_ceilometer {
|
| 164 | 164 |
iniset $CEILOMETER_CONF service_credentials os_password $SERVICE_PASSWORD |
| 165 | 165 |
iniset $CEILOMETER_CONF service_credentials os_tenant_name $SERVICE_TENANT_NAME |
| 166 | 166 |
|
| 167 |
- iniset $CEILOMETER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 168 |
- iniset $CEILOMETER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 169 |
- iniset $CEILOMETER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 167 |
+ iniset $CEILOMETER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 170 | 168 |
iniset $CEILOMETER_CONF keystone_authtoken admin_user ceilometer |
| 171 | 169 |
iniset $CEILOMETER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD |
| 172 | 170 |
iniset $CEILOMETER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| ... | ... |
@@ -233,9 +233,7 @@ function configure_cinder {
|
| 233 | 233 |
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password |
| 234 | 234 |
inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir |
| 235 | 235 |
|
| 236 |
- iniset $CINDER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 237 |
- iniset $CINDER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 238 |
- iniset $CINDER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 236 |
+ iniset $CINDER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 239 | 237 |
iniset $CINDER_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 240 | 238 |
iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| 241 | 239 |
iniset $CINDER_CONF keystone_authtoken admin_user cinder |
| ... | ... |
@@ -89,9 +89,7 @@ function configure_glance {
|
| 89 | 89 |
iniset $GLANCE_REGISTRY_CONF DEFAULT sql_connection $dburl |
| 90 | 90 |
iniset $GLANCE_REGISTRY_CONF DEFAULT use_syslog $SYSLOG |
| 91 | 91 |
iniset $GLANCE_REGISTRY_CONF paste_deploy flavor keystone |
| 92 |
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 93 |
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 94 |
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 92 |
+ iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 95 | 93 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 96 | 94 |
configure_API_version $GLANCE_REGISTRY_CONF $IDENTITY_API_VERSION |
| 97 | 95 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| ... | ... |
@@ -107,9 +105,7 @@ function configure_glance {
|
| 107 | 107 |
iniset $GLANCE_API_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/ |
| 108 | 108 |
iniset $GLANCE_API_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/ |
| 109 | 109 |
iniset $GLANCE_API_CONF paste_deploy flavor keystone+cachemanagement |
| 110 |
- iniset $GLANCE_API_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 111 |
- iniset $GLANCE_API_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 112 |
- iniset $GLANCE_API_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 110 |
+ iniset $GLANCE_API_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 113 | 111 |
iniset $GLANCE_API_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 114 | 112 |
configure_API_version $GLANCE_API_CONF $IDENTITY_API_VERSION |
| 115 | 113 |
iniset $GLANCE_API_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| ... | ... |
@@ -128,7 +124,7 @@ function configure_glance {
|
| 128 | 128 |
# Store the images in swift if enabled. |
| 129 | 129 |
if is_service_enabled s-proxy; then |
| 130 | 130 |
iniset $GLANCE_API_CONF DEFAULT default_store swift |
| 131 |
- iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ |
|
| 131 |
+ iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_URI/v2.0/ |
|
| 132 | 132 |
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift |
| 133 | 133 |
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD |
| 134 | 134 |
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True |
| ... | ... |
@@ -147,7 +143,7 @@ function configure_glance {
|
| 147 | 147 |
iniset $GLANCE_CACHE_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/ |
| 148 | 148 |
iniset $GLANCE_CACHE_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/ |
| 149 | 149 |
iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_url |
| 150 |
- iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
|
| 150 |
+ iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_URI/v2.0 |
|
| 151 | 151 |
iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_tenant_name |
| 152 | 152 |
iniset $GLANCE_CACHE_CONF DEFAULT admin_tenant_name $SERVICE_TENANT_NAME |
| 153 | 153 |
iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_user |
| ... | ... |
@@ -107,9 +107,7 @@ function configure_heat {
|
| 107 | 107 |
fi |
| 108 | 108 |
|
| 109 | 109 |
# keystone authtoken |
| 110 |
- iniset $HEAT_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 111 |
- iniset $HEAT_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 112 |
- iniset $HEAT_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 110 |
+ iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 113 | 111 |
configure_API_version $HEAT_CONF $IDENTITY_API_VERSION |
| 114 | 112 |
iniset $HEAT_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 115 | 113 |
iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| ... | ... |
@@ -118,7 +116,7 @@ function configure_heat {
|
| 118 | 118 |
iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR |
| 119 | 119 |
|
| 120 | 120 |
# ec2authtoken |
| 121 |
- iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0 |
|
| 121 |
+ iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0 |
|
| 122 | 122 |
|
| 123 | 123 |
# paste_deploy |
| 124 | 124 |
[[ "$HEAT_STANDALONE" = "True" ]] && iniset $HEAT_CONF paste_deploy flavor standalone |
| ... | ... |
@@ -269,7 +267,7 @@ function create_heat_accounts {
|
| 269 | 269 |
if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then |
| 270 | 270 |
# Note we have to pass token/endpoint here because the current endpoint and |
| 271 | 271 |
# version negotiation in OSC means just --os-identity-api-version=3 won't work |
| 272 |
- KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3" |
|
| 272 |
+ KS_ENDPOINT_V3="$KEYSTONE_SERVICE_URI/v3" |
|
| 273 | 273 |
D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \ |
| 274 | 274 |
--os-identity-api-version=3 domain create heat \ |
| 275 | 275 |
--description "Owns users and projects created by heat" \ |
| ... | ... |
@@ -162,11 +162,9 @@ function configure_ironic {
|
| 162 | 162 |
function configure_ironic_api {
|
| 163 | 163 |
iniset $IRONIC_CONF_FILE DEFAULT auth_strategy keystone |
| 164 | 164 |
iniset $IRONIC_CONF_FILE DEFAULT policy_file $IRONIC_POLICY_JSON |
| 165 |
- iniset $IRONIC_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 166 |
- iniset $IRONIC_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 167 |
- iniset $IRONIC_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 165 |
+ iniset $IRONIC_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 168 | 166 |
iniset $IRONIC_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 169 |
- iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/ |
|
| 167 |
+ iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI |
|
| 170 | 168 |
iniset $IRONIC_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| 171 | 169 |
iniset $IRONIC_CONF_FILE keystone_authtoken admin_user ironic |
| 172 | 170 |
iniset $IRONIC_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD |
| ... | ... |
@@ -87,6 +87,10 @@ if is_ssl_enabled_service "key"; then |
| 87 | 87 |
KEYSTONE_SERVICE_PROTOCOL="https" |
| 88 | 88 |
fi |
| 89 | 89 |
|
| 90 |
+# complete URIs |
|
| 91 |
+KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
|
|
| 92 |
+KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
|
|
| 93 |
+ |
|
| 90 | 94 |
# Functions |
| 91 | 95 |
# --------- |
| 92 | 96 |
# cleanup_keystone() - Remove residual data files, anything left over from previous |
| ... | ... |
@@ -726,7 +726,7 @@ function _configure_neutron_metadata_agent {
|
| 726 | 726 |
iniset $Q_META_CONF_FILE DEFAULT nova_metadata_ip $Q_META_DATA_IP |
| 727 | 727 |
iniset $Q_META_CONF_FILE DEFAULT root_helper "$Q_RR_COMMAND" |
| 728 | 728 |
|
| 729 |
- _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True True |
|
| 729 |
+ _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True |
|
| 730 | 730 |
|
| 731 | 731 |
} |
| 732 | 732 |
|
| ... | ... |
@@ -868,18 +868,9 @@ function _neutron_setup_keystone {
|
| 868 | 868 |
local section=$2 |
| 869 | 869 |
local use_auth_url=$3 |
| 870 | 870 |
local skip_auth_cache=$4 |
| 871 |
- local use_service_port=$5 |
|
| 872 |
- local keystone_port=$KEYSTONE_AUTH_PORT |
|
| 873 |
- if [[ -n $use_service_port ]]; then |
|
| 874 |
- keystone_port=$KEYSTONE_SERVICE_PORT |
|
| 875 |
- fi |
|
| 876 |
- if [[ -n $use_auth_url ]]; then |
|
| 877 |
- iniset $conf_file $section auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$keystone_port/v2.0" |
|
| 878 |
- else |
|
| 879 |
- iniset $conf_file $section auth_host $KEYSTONE_SERVICE_HOST |
|
| 880 |
- iniset $conf_file $section auth_port $keystone_port |
|
| 881 |
- iniset $conf_file $section auth_protocol $KEYSTONE_SERVICE_PROTOCOL |
|
| 882 |
- fi |
|
| 871 |
+ |
|
| 872 |
+ iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI |
|
| 873 |
+ iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI |
|
| 883 | 874 |
iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME |
| 884 | 875 |
iniset $conf_file $section admin_user $Q_ADMIN_USERNAME |
| 885 | 876 |
iniset $conf_file $section admin_password $SERVICE_PASSWORD |
| ... | ... |
@@ -456,9 +456,7 @@ function create_nova_conf {
|
| 456 | 456 |
|
| 457 | 457 |
# Add keystone authtoken configuration |
| 458 | 458 |
|
| 459 |
- iniset $NOVA_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 460 |
- iniset $NOVA_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 461 |
- iniset $NOVA_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 459 |
+ iniset $NOVA_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 462 | 460 |
iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| 463 | 461 |
iniset $NOVA_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA |
| 464 | 462 |
iniset $NOVA_CONF keystone_authtoken admin_user nova |
| ... | ... |
@@ -48,7 +48,7 @@ function configure_nova_hypervisor {
|
| 48 | 48 |
# ironic section |
| 49 | 49 |
iniset $NOVA_CONF ironic admin_username admin |
| 50 | 50 |
iniset $NOVA_CONF ironic admin_password $ADMIN_PASSWORD |
| 51 |
- iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
|
| 51 |
+ iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v2.0 |
|
| 52 | 52 |
iniset $NOVA_CONF ironic admin_tenant_name demo |
| 53 | 53 |
iniset $NOVA_CONF ironic api_endpoint http://$SERVICE_HOST:6385/v1 |
| 54 | 54 |
iniset $NOVA_CONF ironic sql_connection `database_connection_url nova_bm` |
| ... | ... |
@@ -133,9 +133,8 @@ function configure_trove {
|
| 133 | 133 |
# Copy api-paste file over to the trove conf dir and configure it |
| 134 | 134 |
cp $TROVE_LOCAL_CONF_DIR/api-paste.ini $TROVE_CONF_DIR/api-paste.ini |
| 135 | 135 |
TROVE_API_PASTE_INI=$TROVE_CONF_DIR/api-paste.ini |
| 136 |
- iniset $TROVE_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST |
|
| 137 |
- iniset $TROVE_API_PASTE_INI filter:authtoken auth_port $KEYSTONE_AUTH_PORT |
|
| 138 |
- iniset $TROVE_API_PASTE_INI filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 136 |
+ |
|
| 137 |
+ iniset $TROVE_API_PASTE_INI filter:authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 139 | 138 |
iniset $TROVE_API_PASTE_INI filter:authtoken cafile $KEYSTONE_SSL_CA |
| 140 | 139 |
iniset $TROVE_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| 141 | 140 |
iniset $TROVE_API_PASTE_INI filter:authtoken admin_user trove |
| ... | ... |
@@ -158,7 +157,7 @@ function configure_trove {
|
| 158 | 158 |
|
| 159 | 159 |
# (Re)create trove taskmanager conf file if needed |
| 160 | 160 |
if is_service_enabled tr-tmgr; then |
| 161 |
- TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION |
|
| 161 |
+ TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION |
|
| 162 | 162 |
|
| 163 | 163 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 164 | 164 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` |
| ... | ... |
@@ -924,7 +924,7 @@ if is_service_enabled key; then |
| 924 | 924 |
start_keystone |
| 925 | 925 |
|
| 926 | 926 |
# Set up a temporary admin URI for Keystone |
| 927 |
- SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
|
| 927 |
+ SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v2.0 |
|
| 928 | 928 |
|
| 929 | 929 |
if is_service_enabled tls-proxy; then |
| 930 | 930 |
export OS_CACERT=$INT_CA_DIR/ca-chain.pem |
| ... | ... |
@@ -1357,7 +1357,7 @@ fi |
| 1357 | 1357 |
|
| 1358 | 1358 |
# If Keystone is present you can point ``nova`` cli to this server |
| 1359 | 1359 |
if is_service_enabled key; then |
| 1360 |
- echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" |
|
| 1360 |
+ echo "Keystone is serving at $KEYSTONE_SERVICE_URI/v2.0/" |
|
| 1361 | 1361 |
echo "Examples on using novaclient command line is in exercise.sh" |
| 1362 | 1362 |
echo "The default users are: admin and demo" |
| 1363 | 1363 |
echo "The password: $ADMIN_PASSWORD" |