Browse code
Configure auth_token middleware by auth plugin
As of release 1.3 auth_token middleware can be configured to use any
authentication plugin. This allows us to move to the more generic
password mechanism which will default to using keystone v3 if available.
This will allow in future revisions to move the devstack service users
out of the default domain.
Work will need to be done in heat to remove it's dependency on the
(supposed to be private) keystone_authtoken CONF values.
Change-Id: Ieac26806bd420aa08fc79bbc6a11eb6a1c15c7df
Jamie Lennox authored on 2014/12/19 11:56:01Showing 2 changed files
| ... | ... |
@@ -114,7 +114,18 @@ function configure_heat {
|
| 114 | 114 |
setup_colorized_logging $HEAT_CONF DEFAULT tenant user |
| 115 | 115 |
fi |
| 116 | 116 |
|
| 117 |
- configure_auth_token_middleware $HEAT_CONF heat $HEAT_AUTH_CACHE_DIR |
|
| 117 |
+ # NOTE(jamielennox): heat re-uses specific values from the |
|
| 118 |
+ # keystone_authtoken middleware group and so currently fails when using the |
|
| 119 |
+ # auth plugin setup. This should be fixed in heat. Heat is also the only |
|
| 120 |
+ # service that requires the auth_uri to include a /v2.0. Remove this custom |
|
| 121 |
+ # setup when bug #1300246 is resolved. |
|
| 122 |
+ iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
|
| 123 |
+ iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0 |
|
| 124 |
+ iniset $HEAT_CONF keystone_authtoken admin_user heat |
|
| 125 |
+ iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD |
|
| 126 |
+ iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
|
| 127 |
+ iniset $HEAT_CONF keystone_authtoken cafile $SSL_BUNDLE_FILE |
|
| 128 |
+ iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR |
|
| 118 | 129 |
|
| 119 | 130 |
if is_ssl_enabled_service "key"; then |
| 120 | 131 |
iniset $HEAT_CONF clients_keystone ca_file $SSL_BUNDLE_FILE |
| ... | ... |
@@ -407,15 +407,6 @@ function create_keystone_accounts {
|
| 407 | 407 |
fi |
| 408 | 408 |
} |
| 409 | 409 |
|
| 410 |
-# Configure the API version for the OpenStack projects. |
|
| 411 |
-# configure_API_version conf_file version [section] |
|
| 412 |
-function configure_API_version {
|
|
| 413 |
- local conf_file=$1 |
|
| 414 |
- local api_version=$2 |
|
| 415 |
- local section=${3:-keystone_authtoken}
|
|
| 416 |
- iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version |
|
| 417 |
-} |
|
| 418 |
- |
|
| 419 | 410 |
# Configure the service to use the auth token middleware. |
| 420 | 411 |
# |
| 421 | 412 |
# configure_auth_token_middleware conf_file admin_user signing_dir [section] |
| ... | ... |
@@ -429,15 +420,16 @@ function configure_auth_token_middleware {
|
| 429 | 429 |
local signing_dir=$3 |
| 430 | 430 |
local section=${4:-keystone_authtoken}
|
| 431 | 431 |
|
| 432 |
- iniset $conf_file $section auth_host $KEYSTONE_AUTH_HOST |
|
| 433 |
- iniset $conf_file $section auth_port $KEYSTONE_AUTH_PORT |
|
| 434 |
- iniset $conf_file $section auth_protocol $KEYSTONE_AUTH_PROTOCOL |
|
| 435 |
- iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI |
|
| 432 |
+ iniset $conf_file $section auth_plugin password |
|
| 433 |
+ iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI |
|
| 434 |
+ iniset $conf_file $section username $admin_user |
|
| 435 |
+ iniset $conf_file $section password $SERVICE_PASSWORD |
|
| 436 |
+ iniset $conf_file $section user_domain_id default |
|
| 437 |
+ iniset $conf_file $section project_name $SERVICE_TENANT_NAME |
|
| 438 |
+ iniset $conf_file $section project_domain_id default |
|
| 439 |
+ |
|
| 440 |
+ iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI |
|
| 436 | 441 |
iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
| 437 |
- configure_API_version $conf_file $IDENTITY_API_VERSION $section |
|
| 438 |
- iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME |
|
| 439 |
- iniset $conf_file $section admin_user $admin_user |
|
| 440 |
- iniset $conf_file $section admin_password $SERVICE_PASSWORD |
|
| 441 | 442 |
iniset $conf_file $section signing_dir $signing_dir |
| 442 | 443 |
} |
| 443 | 444 |
|