Be gone ADMIN_TOKEN, long live keystone-manage bootstrap.
This patch reworks the initial setup for keystone by using
the new bootstrap command. After a minimal service catalog
has been created through this process, we simply authenticate
as usual.
implements bp: bootstrap
Depends-On: I113c6934b6b83ceff23a94101967a6df1126873f
Change-Id: Ia1475d461eab60b68c6a0356714b21c7f92e0194
... | ... |
@@ -12,7 +12,6 @@ |
12 | 12 |
# - ``IDENTITY_API_VERSION`` |
13 | 13 |
# - ``BASE_SQL_CONN`` |
14 | 14 |
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` |
15 |
-# - ``SERVICE_TOKEN`` |
|
16 | 15 |
# - ``S3_SERVICE_PORT`` (template backend only) |
17 | 16 |
|
18 | 17 |
# ``stack.sh`` calls the entry points in this order: |
... | ... |
@@ -22,6 +21,7 @@ |
22 | 22 |
# - _config_keystone_apache_wsgi |
23 | 23 |
# - init_keystone |
24 | 24 |
# - start_keystone |
25 |
+# - bootstrap_keystone |
|
25 | 26 |
# - create_keystone_accounts |
26 | 27 |
# - stop_keystone |
27 | 28 |
# - cleanup_keystone |
... | ... |
@@ -230,8 +230,6 @@ function configure_keystone { |
230 | 230 |
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI |
231 | 231 |
fi |
232 | 232 |
|
233 |
- iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN" |
|
234 |
- |
|
235 | 233 |
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then |
236 | 234 |
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT |
237 | 235 |
fi |
... | ... |
@@ -324,14 +322,16 @@ function configure_keystone { |
324 | 324 |
# Migrated from keystone_data.sh |
325 | 325 |
function create_keystone_accounts { |
326 | 326 |
|
327 |
- # admin |
|
327 |
+ # The keystone bootstrapping process (performed via keystone-manage bootstrap) |
|
328 |
+ # creates an admin user, admin role and admin project. As a sanity check |
|
329 |
+ # we exercise the CLI to retrieve the IDs for these values. |
|
328 | 330 |
local admin_tenant |
329 |
- admin_tenant=$(get_or_create_project "admin" default) |
|
331 |
+ admin_tenant=$(openstack project show "admin" -f value -c id) |
|
330 | 332 |
local admin_user |
331 |
- admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default) |
|
333 |
+ admin_user=$(openstack user show "admin" -f value -c id) |
|
332 | 334 |
local admin_role |
333 |
- admin_role=$(get_or_create_role "admin") |
|
334 |
- get_or_add_user_project_role $admin_role $admin_user $admin_tenant |
|
335 |
+ admin_role=$(openstack role show "admin" -f value -c id) |
|
336 |
+ |
|
335 | 337 |
get_or_add_user_domain_role $admin_role $admin_user default |
336 | 338 |
|
337 | 339 |
# Create service project/role |
... | ... |
@@ -381,17 +381,6 @@ function create_keystone_accounts { |
381 | 381 |
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant |
382 | 382 |
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant |
383 | 383 |
get_or_add_group_project_role $admin_role $admin_group $admin_tenant |
384 |
- |
|
385 |
- # Keystone |
|
386 |
- if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
|
387 |
- |
|
388 |
- get_or_create_service "keystone" "identity" "Keystone Identity Service" |
|
389 |
- get_or_create_endpoint "identity" \ |
|
390 |
- "$REGION_NAME" \ |
|
391 |
- "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \ |
|
392 |
- "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \ |
|
393 |
- "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" |
|
394 |
- fi |
|
395 | 384 |
} |
396 | 385 |
|
397 | 386 |
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. |
... | ... |
@@ -565,6 +554,55 @@ function stop_keystone { |
565 | 565 |
stop_process key |
566 | 566 |
} |
567 | 567 |
|
568 |
+# bootstrap_keystone() - Initialize user, role and project |
|
569 |
+# This function uses the following GLOBAL variables: |
|
570 |
+# - ``KEYSTONE_BIN_DIR`` |
|
571 |
+# - ``ADMIN_PASSWORD`` |
|
572 |
+# - ``IDENTITY_API_VERSION`` |
|
573 |
+# - ``KEYSTONE_CATALOG_BACKEND`` |
|
574 |
+# - ``KEYSTONE_AUTH_URI`` |
|
575 |
+# - ``REGION_NAME`` |
|
576 |
+# - ``KEYSTONE_SERVICE_PROTOCOL`` |
|
577 |
+# - ``KEYSTONE_SERVICE_HOST`` |
|
578 |
+# - ``KEYSTONE_SERVICE_PORT`` |
|
579 |
+function bootstrap_keystone { |
|
580 |
+ |
|
581 |
+ # Initialize keystone, this will create an 'admin' user, 'admin' project, |
|
582 |
+ # 'admin' role, and assign the user the role on the project. These resources |
|
583 |
+ # are created only if they do not already exist. |
|
584 |
+ $KEYSTONE_BIN_DIR/keystone-manage bootstrap --bootstrap-password $ADMIN_PASSWORD |
|
585 |
+ |
|
586 |
+ # Create the keystone service and endpoints. To do this with the new |
|
587 |
+ # bootstrapping process, we need to get a token and use that token to |
|
588 |
+ # interact with the new APIs. The token will only be used to create services |
|
589 |
+ # and endpoints, thus creating a minimal service catalog. |
|
590 |
+ # They are unset immediately after. |
|
591 |
+ # TODO(stevemar): OpenStackClient and KeystoneClient do not have support to |
|
592 |
+ # handle interactions that not return service catalogs. Eventually remove |
|
593 |
+ # this section when the support is in place. Use token based auth for now. |
|
594 |
+ local token_id |
|
595 |
+ token_id=$(openstack token issue -c id -f value \ |
|
596 |
+ --os-username admin --os-project-name admin \ |
|
597 |
+ --os-user-domain-id default --os-project-domain-id default \ |
|
598 |
+ --os-identity-api-version 3 --os-auth-url $KEYSTONE_AUTH_URI \ |
|
599 |
+ --os-password $ADMIN_PASSWORD) |
|
600 |
+ |
|
601 |
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
|
602 |
+ |
|
603 |
+ export OS_TOKEN=$token_id |
|
604 |
+ export OS_URL=$KEYSTONE_AUTH_URI/v3 |
|
605 |
+ export OS_IDENTITY_API_VERSION=3 |
|
606 |
+ |
|
607 |
+ get_or_create_service "keystone" "identity" "Keystone Identity Service" |
|
608 |
+ get_or_create_endpoint "identity" \ |
|
609 |
+ "$REGION_NAME" \ |
|
610 |
+ "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \ |
|
611 |
+ "$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION" \ |
|
612 |
+ "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" |
|
613 |
+ fi |
|
614 |
+ |
|
615 |
+ unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION |
|
616 |
+} |
|
568 | 617 |
|
569 | 618 |
# Restore xtrace |
570 | 619 |
$_XTRACE_KEYSTONE |
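Review bot: The admin password is put on the command line twice in bootstrap_keystone — `--bootstrap-password $ADMIN_PASSWORD` and `--os-password $ADMIN_PASSWORD` — where it is visible in process listings and, if xtrace is on while this function runs (the file saves and restores it via `$_XTRACE_KEYSTONE`), in the stack log as well; passing it through the environment keeps it off argv, e.g. `OS_BOOTSTRAP_PASSWORD="$ADMIN_PASSWORD" $KEYSTONE_BIN_DIR/keystone-manage bootstrap` and `OS_PASSWORD="$ADMIN_PASSWORD" openstack token issue ...` (assuming the keystone and client versions in use accept those variables), and both expansions should be quoted in any case. The token obtained from `openstack token issue` is only removed from the environment by the final `unset`, not revoked, so it remains valid until it expires; `openstack token revoke "$token_id"` after the endpoints are created closes that window, if the client in use supports it. The token is also issued when `KEYSTONE_CATALOG_BACKEND` is not `sql`, in which case it is never used, so the `token issue` call belongs inside the `if`. The comment "They are unset immediately after" should then say "unset and revoked after the catalog is created".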
... | ... |
@@ -23,10 +23,8 @@ |
23 | 23 |
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when |
24 | 24 |
# there are a few minimal variables set: |
25 | 25 |
|
26 |
-# If the ``SERVICE_TOKEN`` and ``*_PASSWORD`` variables are not set |
|
27 |
-# here you will be prompted to enter values for them by ``stack.sh`` |
|
28 |
-# and they will be added to ``local.conf``. |
|
29 |
-SERVICE_TOKEN=azertytoken |
|
26 |
+# If the ``*_PASSWORD`` variables are not set here you will be prompted to enter |
|
27 |
+# values for them by ``stack.sh``and they will be added to ``local.conf``. |
|
30 | 28 |
ADMIN_PASSWORD=nomoresecrete |
31 | 29 |
DATABASE_PASSWORD=stackdb |
32 | 30 |
RABBIT_PASSWORD=stackqueue |
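Review bot: The rewritten comment line is missing a space between the literal and the next word; it should read `# values for them by ``stack.sh`` and they will be added to ``local.conf``.`. Nothing else in this hunk changes behaviour.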
... | ... |
@@ -652,9 +652,6 @@ fi |
652 | 652 |
# -------- |
653 | 653 |
|
654 | 654 |
if is_service_enabled keystone; then |
655 |
- # The ``SERVICE_TOKEN`` is used to bootstrap the Keystone database. It is |
|
656 |
- # just a string and is not a 'real' Keystone token. |
|
657 |
- read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN." |
|
658 | 655 |
# Services authenticate to Identity with servicename/``SERVICE_PASSWORD`` |
659 | 656 |
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." |
660 | 657 |
# Horizon currently truncates usernames and passwords at 20 characters |
... | ... |
@@ -994,40 +991,13 @@ if is_service_enabled keystone; then |
994 | 994 |
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then |
995 | 995 |
init_keystone |
996 | 996 |
start_keystone |
997 |
+ bootstrap_keystone |
|
997 | 998 |
fi |
998 | 999 |
|
999 |
- export OS_IDENTITY_API_VERSION=3 |
|
1000 |
- |
|
1001 |
- # Set up a temporary admin URI for Keystone |
|
1002 |
- SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v3 |
|
1003 |
- |
|
1004 | 1000 |
if is_service_enabled tls-proxy; then |
1005 | 1001 |
export OS_CACERT=$INT_CA_DIR/ca-chain.pem |
1006 |
- # Until the client support is fixed, just use the internal endpoint |
|
1007 |
- SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3 |
|
1008 |
- fi |
|
1009 |
- |
|
1010 |
- # Setup OpenStackClient token-endpoint auth |
|
1011 |
- export OS_TOKEN=$SERVICE_TOKEN |
|
1012 |
- export OS_URL=$SERVICE_ENDPOINT |
|
1013 |
- |
|
1014 |
- create_keystone_accounts |
|
1015 |
- create_nova_accounts |
|
1016 |
- create_glance_accounts |
|
1017 |
- create_cinder_accounts |
|
1018 |
- create_neutron_accounts |
|
1019 |
- |
|
1020 |
- if is_service_enabled swift; then |
|
1021 |
- create_swift_accounts |
|
1022 |
- fi |
|
1023 |
- |
|
1024 |
- if is_service_enabled heat; then |
|
1025 |
- create_heat_accounts |
|
1026 | 1002 |
fi |
1027 | 1003 |
|
1028 |
- # Begone token auth |
|
1029 |
- unset OS_TOKEN OS_URL |
|
1030 |
- |
|
1031 | 1004 |
# Rather than just export these, we write them out to a |
1032 | 1005 |
# intermediate userrc file that can also be used to debug if |
1033 | 1006 |
# something goes wrong between here and running |
... | ... |
@@ -1037,6 +1007,7 @@ if is_service_enabled keystone; then |
1037 | 1037 |
# Use this for debugging issues before files in accrc are created |
1038 | 1038 |
|
1039 | 1039 |
# Set up password auth credentials now that Keystone is bootstrapped |
1040 |
+export OS_IDENTITY_API_VERSION=3 |
|
1040 | 1041 |
export OS_AUTH_URL=$KEYSTONE_AUTH_URI |
1041 | 1042 |
export OS_USERNAME=admin |
1042 | 1043 |
export OS_USER_DOMAIN_ID=default |
... | ... |
@@ -1049,6 +1020,20 @@ EOF |
1049 | 1049 |
|
1050 | 1050 |
source $TOP_DIR/userrc_early |
1051 | 1051 |
|
1052 |
+ create_keystone_accounts |
|
1053 |
+ create_nova_accounts |
|
1054 |
+ create_glance_accounts |
|
1055 |
+ create_cinder_accounts |
|
1056 |
+ create_neutron_accounts |
|
1057 |
+ |
|
1058 |
+ if is_service_enabled swift; then |
|
1059 |
+ create_swift_accounts |
|
1060 |
+ fi |
|
1061 |
+ |
|
1062 |
+ if is_service_enabled heat; then |
|
1063 |
+ create_heat_accounts |
|
1064 |
+ fi |
|
1065 |
+ |
|
1052 | 1066 |
fi |
1053 | 1067 |
|
1054 | 1068 |
# Write a clouds.yaml file |
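Review bot: In the hunk at `@@ -994,40 +991,13 @@`, `bootstrap_keystone` is called right after `start_keystone`, before the `if is_service_enabled tls-proxy` branch exports `OS_CACERT`, yet the function's `openstack token issue` goes straight to `$KEYSTONE_AUTH_URI`; the removed lines show the old token-endpoint setup deliberately used the internal http endpoint under tls-proxy, so if that URI is https when tls-proxy is enabled the bootstrap call now runs without a CA chain configured and will fail verification (or tempt an insecure workaround). Moving `export OS_CACERT=$INT_CA_DIR/ca-chain.pem` ahead of the `init_keystone`/`bootstrap_keystone` block, or passing `--os-cacert "$OS_CACERT"` to the `token issue` call, keeps the check. Separately, `bootstrap_keystone` only runs when `KEYSTONE_AUTH_HOST == SERVICE_HOST`, while the later `create_keystone_accounts` now looks the admin project/user/role up with `openstack ... show` instead of creating them, so the remote-keystone path appears to depend on someone else having run `keystone-manage bootstrap` — worth a comment on the `bootstrap_keystone` line if that is intended. The enclosing `if is_service_enabled keystone` block starts outside the hunk.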