new file mode 100644

@@ -0,0 +1,30 @@

+# config for TemplatedCatalog, using camelCase because I don't want to do

+# translations for legacy compat

+catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0

+catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0

+catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0

+catalog.RegionOne.identity.name = 'Identity Service'

+

+

+catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.name = 'Compute Service'

+

+

+catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud

+catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin

+catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud

+catalog.RegionOne.ec2.name = 'EC2 Service'

+

+

+catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.name = 'Image Service'

+

+

+catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s

+catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/

+catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s

+catalog.RegionOne.object_store.name = 'Swift Service'

@@ -1,112 +1,61 @@

 [DEFAULT]

-# Show more verbose log output (sets INFO log level output)

-verbose = False

-

-# Show debugging output in logs (sets DEBUG log level output)

-debug = False

-

-# Which backend store should Keystone use by default.

-# Default: 'sqlite'

-# Available choices are 'sqlite' [future will include LDAP, PAM, etc]

-default_store = sqlite

-

-# Log to this file. Make sure you do not set the same log

-# file for both the API and registry servers!

-log_file = %DEST%/keystone/keystone.log

-

-# List of backends to be configured

-backends = keystone.backends.sqlalchemy

-#For LDAP support, add: ,keystone.backends.ldap

-

-# Dictionary Maps every service to a header.Missing services would get header

-# X_(SERVICE_NAME) Key => Service Name, Value => Header Name

-service-header-mappings = {

-	'nova' : 'X-Server-Management-Url',

-	'swift' : 'X-Storage-Url',

-	'cdn' : 'X-CDN-Management-Url'}

-

-#List of extensions currently supported

-extensions= osksadm,oskscatalog

-

-# Address to bind the API server

-# TODO Properties defined within app not available via pipeline.

-service_host = 0.0.0.0

-

-# Port the bind the API server to

-service_port = 5000

-

-# SSL for API server

-service_ssl = False

-

-# Address to bind the Admin API server

-admin_host = 0.0.0.0

-

-# Port the bind the Admin API server to

+public_port = 5000

 admin_port = 35357

+admin_token = %SERVICE_TOKEN%

+log_file = %DEST%/keystone/keystone.log

-# SSL for API Admin server

-admin_ssl = False

+[sql]

+connection = %SQL_CONN%

+idle_timeout = 30

+min_pool_size = 5

+max_pool_size = 10

+pool_timeout = 200

-# Keystone certificate file (modify as needed)

-# Only required if *_ssl is set to True

-certfile = /etc/keystone/ssl/certs/keystone.pem

+[identity]

+driver = keystone.backends.sql.SqlIdentity

-# Keystone private key file (modify as needed)

-# Only required if *_ssl is set to True

-keyfile = /etc/keystone/ssl/private/keystonekey.pem

+[catalog]

+driver = keystone.backends.templated.TemplatedCatalog

+template_file = ./etc/default_catalog.templates

-# Keystone trusted CA certificates  (modify as needed)

-# Only required if *_ssl is set to True

-ca_certs = /etc/keystone/ssl/certs/ca.pem

+[token]

+driver = keystone.backends.kvs.KvsToken

-# Client certificate required

-# Only relevant if *_ssl is set to True

-cert_required = True

+[policy]

+driver = keystone.backends.policy.SimpleMatch

-#Role that allows to perform admin operations.

-keystone-admin-role = admin

+[filter:debug]

+paste.filter_factory = keystone.wsgi:Debug.factory

-#Role that allows to perform service admin operations.

-keystone-service-admin-role = KeystoneServiceAdmin

+[filter:token_auth]

+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

-#Tells whether password user need to be hashed in the backend

-hash-password = True

+[filter:admin_token_auth]

+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

-[keystone.backends.sqlalchemy]

-# SQLAlchemy connection string for the reference implementation registry

-# server. Any valid SQLAlchemy connection string is fine.

-# See: http://bit.ly/ideIpI

-sql_connection = %SQL_CONN%

-backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',

-                    'User', 'Credentials', 'EndpointTemplates', 'Token',

-                    'Service']

+[filter:json_body]

+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

-# Period in seconds after which SQLAlchemy should reestablish its connection

-# to the database.

-sql_idle_timeout = 30

+[filter:crud_extension]

+paste.filter_factory = keystone.service:AdminCrudExtension.factory

-[pipeline:admin]

-pipeline =

-    urlrewritefilter

-    admin_api

-[pipeline:keystone-legacy-auth]

-pipeline =

-    urlrewritefilter

-    legacy_auth

-    service_api

+[app:public_service]

+paste.app_factory = keystone.service:public_app_factory

-[app:service_api]

-paste.app_factory = keystone.server:service_app_factory

+[app:admin_service]

+paste.app_factory = keystone.service:admin_app_factory

-[app:admin_api]

-paste.app_factory = keystone.server:admin_app_factory

+[pipeline:public_api]

+pipeline = token_auth admin_token_auth json_body debug public_service

-[filter:urlrewritefilter]

-paste.filter_factory = keystone.middleware.url:filter_factory

+[pipeline:admin_api]

+pipeline = token_auth admin_token_auth json_body debug crud_extension admin_service

-[filter:legacy_auth]

-paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

+[composite:main]

+use = egg:Paste#urlmap

+/v2.0 = public_api

-[filter:debug]

-paste.filter_factory = keystone.common.wsgi:debug_filter_factory

+[composite:admin]

+use = egg:Paste#urlmap

+/v2.0 = admin_api

@@ -1,54 +1,138 @@

 #!/bin/bash

 BIN_DIR=${BIN_DIR:-.}

 # Tenants

-$BIN_DIR/keystone-manage tenant add admin

-$BIN_DIR/keystone-manage tenant add demo

-$BIN_DIR/keystone-manage tenant add invisible_to_admin

+ADMIN_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only

+                                       create \

+                                       tenant_name=admin`

+DEMO_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \

+                                      tenant_name=demo`

+INVIS_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \

+                                       tenant_name=invisible_to_admin`

+

 # Users

-$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD%

-$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD%

+ADMIN_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \

+                                          name=admin \

+                                          "password=%ADMIN_PASSWORD%" \

+                                          email=admin@example.com`

+DEMO_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \

+                                         name=demo \

+                                         "password=%ADMIN_PASSWORD%" \

+                                         email=demo@example.com`

 # Roles

-$BIN_DIR/keystone-manage role add admin

-$BIN_DIR/keystone-manage role add Member

-$BIN_DIR/keystone-manage role add KeystoneAdmin

-$BIN_DIR/keystone-manage role add KeystoneServiceAdmin

-$BIN_DIR/keystone-manage role add sysadmin

-$BIN_DIR/keystone-manage role add netadmin

-$BIN_DIR/keystone-manage role grant admin admin admin

-$BIN_DIR/keystone-manage role grant Member demo demo

-$BIN_DIR/keystone-manage role grant sysadmin demo demo

-$BIN_DIR/keystone-manage role grant netadmin demo demo

-$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin

-$BIN_DIR/keystone-manage role grant admin admin demo

-$BIN_DIR/keystone-manage role grant admin admin

-$BIN_DIR/keystone-manage role grant KeystoneAdmin admin

-$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin

+ADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                          name=Admin`

+MEMBER_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                           name=Member`

+KEYSTONEADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                                  name=KeystoneAdmin`

+KEYSTONESERVICE_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                                         name=KeystoneServiceAdmin`

+SYSADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                             name=sysadmin`

+NETADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \

+                                             name=netadmin`

+

+

+# Add Roles to Users in Tenants

+

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$ADMIN_ROLE \

+                              user_id=$ADMIN_USER \

+                              tenant_id=$ADMIN_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$MEMBER_ROLE \

+                              user_id=$DEMO_USER \

+                              tenant_id=$DEMO_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$SYSADMIN_ROLE \

+                              user_id=$DEMO_USER \

+                              tenant_id=$DEMO_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$NETADMIN_ROLE \

+                              user_id=$DEMO_USER \

+                              tenant_id=$DEMO_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$MEMBER_ROLE \

+                              user_id=$DEMO_USER \

+                              tenant_id=$INVIS_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$ADMIN_ROLE \

+                              user_id=$ADMIN_USER \

+                              tenant_id=$DEMO_TENANT

+

+# TODO(termie): these two might be dubious

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$KEYSTONEADMIN_ROLE \

+                              user_id=$ADMIN_USER \

+                              tenant_id=$ADMIN_TENANT

+$BIN_DIR/keystone-manage role add_user_to_tenant \

+                              role_id=$KEYSTONESERVICE_ROLE \

+                              user_id=$ADMIN_USER \

+                              tenant_id=$ADMIN_TENANT

 # Services

-$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service"

-$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer"

-$BIN_DIR/keystone-manage service add glance image "Glance Image Service"

-$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service"

+$BIN_DIR/keystone-manage service create \

+                                 name=nova \

+                                 service_type=compute \

+                                 "description=Nova Compute Service"

+

+$BIN_DIR/keystone-manage service create \

+                                 name=ec2 \

+                                 service_type=ec2 \

+                                 "description=EC2 Compatibility Layer"

+

+$BIN_DIR/keystone-manage service create \

+                                 name=glance \

+                                 service_type=image \

+                                 "description=Glance Image Service"

+

+$BIN_DIR/keystone-manage service create \

+                                 name=keystone \

+                                 service_type=identity \

+                                 "description=Keystone Identity Service"

 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then

-    $BIN_DIR/keystone-manage service add swift object-store "Swift Service"

+    $BIN_DIR/keystone-manage service create \

+                                     name=swift \

+                                     service_type=object-store \

+                                     "description=Swift Service"

 fi

 #endpointTemplates

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id%  http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1

+$BIN_DIR/keystone-manage $* endpointTemplates add \

+      RegionOne nova

+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id%

+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id%

+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1

+$BIN_DIR/keystone-manage $* endpointTemplates add

+      RegionOne ec2

+      http://%SERVICE_HOST%:8773/services/Cloud

+      http://%SERVICE_HOST%:8773/services/Admin

+      http://%SERVICE_HOST%:8773/services/Cloud 1 1

+$BIN_DIR/keystone-manage $* endpointTemplates add

+      RegionOne glance

+      http://%SERVICE_HOST%:9292/v1

+      http://%SERVICE_HOST%:9292/v1

+      http://%SERVICE_HOST%:9292/v1 1 1

+$BIN_DIR/keystone-manage $* endpointTemplates add

+      RegionOne keystone

+      http://%SERVICE_HOST%:5000/v2.0

+      http://%SERVICE_HOST%:35357/v2.0

+      http://%SERVICE_HOST%:5000/v2.0 1 1

 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then

-    $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1

+    $BIN_DIR/keystone-manage $* endpointTemplates add

+        RegionOne swift

+        http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id%

+        http://%SERVICE_HOST%:8080/

+        http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1

 fi

 # Tokens

-$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00

+#$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00

 # EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD

 # but keystone doesn't parse them - it is just a blob from keystone's

 # point of view

-$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"

-$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"

+#$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"

+#$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"

@@ -1310,6 +1310,11 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then

     cp $FILES/keystone.conf $KEYSTONE_CONF

     sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF

     sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF

+    sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF

+

+    KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.template

+    cp $FILES/default_catalog.template $KEYSTONE_CATALOG

+    sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG

     # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``.

     KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh

@@ -15,7 +15,7 @@ GLANCE_REPO=https://github.com/openstack/glance.git

 GLANCE_BRANCH=master

 # unified auth system (manages accounts/tokens)

-KEYSTONE_REPO=https://github.com/openstack/keystone.git

+KEYSTONE_REPO=https://github.com/termie/keystonelight.git

 KEYSTONE_BRANCH=master

 # a websockets/html5 or flash powered VNC console for vm instances