@@ -12,7 +12,6 @@

 # - ``IDENTITY_API_VERSION``

 # - ``BASE_SQL_CONN``

 # - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``

-# - ``SERVICE_TOKEN``

 # - ``S3_SERVICE_PORT`` (template backend only)

 # ``stack.sh`` calls the entry points in this order:

@@ -22,6 +21,7 @@

 # - _config_keystone_apache_wsgi

 # - init_keystone

 # - start_keystone

+# - bootstrap_keystone

 # - create_keystone_accounts

 # - stop_keystone

 # - cleanup_keystone

@@ -230,8 +230,6 @@ function configure_keystone {

         iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI

     fi

-    iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"

-

     if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then

         iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT

     fi

@@ -324,14 +322,16 @@ function configure_keystone {

 # Migrated from keystone_data.sh

 function create_keystone_accounts {

-    # admin

+    # The keystone bootstrapping process (performed via keystone-manage bootstrap)

+    # creates an admin user, admin role and admin project. As a sanity check

+    # we exercise the CLI to retrieve the IDs for these values.

     local admin_tenant

-    admin_tenant=$(get_or_create_project "admin" default)

+    admin_tenant=$(openstack project show "admin" -f value -c id)

     local admin_user

-    admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default)

+    admin_user=$(openstack user show "admin" -f value -c id)

     local admin_role

-    admin_role=$(get_or_create_role "admin")

-    get_or_add_user_project_role $admin_role $admin_user $admin_tenant

+    admin_role=$(openstack role show "admin" -f value -c id)

+

     get_or_add_user_domain_role $admin_role $admin_user default

     # Create service project/role

@@ -381,17 +381,6 @@ function create_keystone_accounts {

     get_or_add_group_project_role $member_role $non_admin_group $demo_tenant

     get_or_add_group_project_role $another_role $non_admin_group $demo_tenant

     get_or_add_group_project_role $admin_role $admin_group $admin_tenant

-

-    # Keystone

-    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-

-        get_or_create_service "keystone" "identity" "Keystone Identity Service"

-        get_or_create_endpoint "identity" \

-            "$REGION_NAME" \

-            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \

-            "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \

-            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"

-    fi

 }

 # Create a user that is capable of verifying keystone tokens for use with auth_token middleware.

@@ -565,6 +554,55 @@ function stop_keystone {

     stop_process key

 }

+# bootstrap_keystone() - Initialize user, role and project

+# This function uses the following GLOBAL variables:

+# - ``KEYSTONE_BIN_DIR``

+# - ``ADMIN_PASSWORD``

+# - ``IDENTITY_API_VERSION``

+# - ``KEYSTONE_CATALOG_BACKEND``

+# - ``KEYSTONE_AUTH_URI``

+# - ``REGION_NAME``

+# - ``KEYSTONE_SERVICE_PROTOCOL``

+# - ``KEYSTONE_SERVICE_HOST``

+# - ``KEYSTONE_SERVICE_PORT``

+function bootstrap_keystone {

+

+    # Initialize keystone, this will create an 'admin' user, 'admin' project,

+    # 'admin' role, and assign the user the role on the project. These resources

+    # are created only if they do not already exist.

+    $KEYSTONE_BIN_DIR/keystone-manage bootstrap --bootstrap-password $ADMIN_PASSWORD

+

+    # Create the keystone service and endpoints. To do this with the new

+    # bootstrapping process, we need to get a token and use that token to

+    # interact with the new APIs. The token will only be used to create services

+    # and endpoints, thus creating a minimal service catalog.

+    # They are unset immediately after.

+    # TODO(stevemar): OpenStackClient and KeystoneClient do not have support to

+    # handle interactions that not return service catalogs. Eventually remove

+    # this section when the support is in place. Use token based auth for now.

+    local token_id

+    token_id=$(openstack token issue -c id -f value \

+        --os-username admin --os-project-name admin \

+        --os-user-domain-id default --os-project-domain-id default \

+        --os-identity-api-version 3 --os-auth-url $KEYSTONE_AUTH_URI \

+        --os-password $ADMIN_PASSWORD)

+

+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

+

+        export OS_TOKEN=$token_id

+        export OS_URL=$KEYSTONE_AUTH_URI/v3

+        export OS_IDENTITY_API_VERSION=3

+

+        get_or_create_service "keystone" "identity" "Keystone Identity Service"

+        get_or_create_endpoint "identity" \

+            "$REGION_NAME" \

+            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \

+            "$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION" \

+            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"

+    fi

+

+    unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION

+}

 # Restore xtrace

 $_XTRACE_KEYSTONE

@@ -23,10 +23,8 @@

 # While ``stack.sh`` is happy to run without ``localrc``, devlife is better when

 # there are a few minimal variables set:

-# If the ``SERVICE_TOKEN`` and ``*_PASSWORD`` variables are not set

-# here you will be prompted to enter values for them by ``stack.sh``

-# and they will be added to ``local.conf``.

-SERVICE_TOKEN=azertytoken

+# If the ``*_PASSWORD`` variables are not set here you will be prompted to enter

+# values for them by ``stack.sh``and they will be added to ``local.conf``.

 ADMIN_PASSWORD=nomoresecrete

 DATABASE_PASSWORD=stackdb

 RABBIT_PASSWORD=stackqueue

@@ -652,9 +652,6 @@ fi

 # --------

 if is_service_enabled keystone; then

-    # The ``SERVICE_TOKEN`` is used to bootstrap the Keystone database.  It is

-    # just a string and is not a 'real' Keystone token.

-    read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN."

     # Services authenticate to Identity with servicename/``SERVICE_PASSWORD``

     read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."

     # Horizon currently truncates usernames and passwords at 20 characters

@@ -994,40 +991,13 @@ if is_service_enabled keystone; then

     if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then

         init_keystone

         start_keystone

+        bootstrap_keystone

     fi

-    export OS_IDENTITY_API_VERSION=3

-

-    # Set up a temporary admin URI for Keystone

-    SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v3

-

     if is_service_enabled tls-proxy; then

         export OS_CACERT=$INT_CA_DIR/ca-chain.pem

-        # Until the client support is fixed, just use the internal endpoint

-        SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3

-    fi

-

-    # Setup OpenStackClient token-endpoint auth

-    export OS_TOKEN=$SERVICE_TOKEN

-    export OS_URL=$SERVICE_ENDPOINT

-

-    create_keystone_accounts

-    create_nova_accounts

-    create_glance_accounts

-    create_cinder_accounts

-    create_neutron_accounts

-

-    if is_service_enabled swift; then

-        create_swift_accounts

-    fi

-

-    if is_service_enabled heat; then

-        create_heat_accounts

     fi

-    # Begone token auth

-    unset OS_TOKEN OS_URL

-

     # Rather than just export these, we write them out to a

     # intermediate userrc file that can also be used to debug if

     # something goes wrong between here and running

@@ -1037,6 +1007,7 @@ if is_service_enabled keystone; then

 # Use this for debugging issues before files in accrc are created

 # Set up password auth credentials now that Keystone is bootstrapped

+export OS_IDENTITY_API_VERSION=3

 export OS_AUTH_URL=$KEYSTONE_AUTH_URI

 export OS_USERNAME=admin

 export OS_USER_DOMAIN_ID=default

@@ -1049,6 +1020,20 @@ EOF

     source $TOP_DIR/userrc_early

+    create_keystone_accounts

+    create_nova_accounts

+    create_glance_accounts

+    create_cinder_accounts

+    create_neutron_accounts

+

+    if is_service_enabled swift; then

+        create_swift_accounts

+    fi

+

+    if is_service_enabled heat; then

+        create_heat_accounts

+    fi

+

 fi

 # Write a clouds.yaml file