* Use username/password instead of service token for service auth to Keystone
* Updates files/glance-*-paste.ini and files/swift/proxy-server.conf
* keystone_data.sh creates the 'service' tenant and the 'nova' and 'glance' users
('swift' and 'quantum' users as well, if those services are enabled)
* Uses $SERVICE_PASSWORD for the service auth password. There is no default;
to default to $ADMIN_PASSWORD, place the assignment in localrc.
Fixes bug 942983
Change-Id: If78eed1b509a9c1e8441bb4cfa095da9052f9395
| ... | ... |
@@ -30,6 +30,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware |
| 30 | 30 |
|
| 31 | 31 |
[filter:authtoken] |
| 32 | 32 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
| 33 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
| 33 | 34 |
service_host = %KEYSTONE_SERVICE_HOST% |
| 34 | 35 |
service_port = %KEYSTONE_SERVICE_PORT% |
| 35 | 36 |
service_protocol = %KEYSTONE_SERVICE_PROTOCOL% |
| ... | ... |
@@ -37,7 +38,11 @@ auth_host = %KEYSTONE_AUTH_HOST% |
| 37 | 37 |
auth_port = %KEYSTONE_AUTH_PORT% |
| 38 | 38 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
| 39 | 39 |
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/ |
| 40 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
| 40 | 41 |
admin_token = %SERVICE_TOKEN% |
| 42 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
| 43 |
+admin_user = %SERVICE_USERNAME% |
|
| 44 |
+admin_password = %SERVICE_PASSWORD% |
|
| 41 | 45 |
|
| 42 | 46 |
[filter:auth-context] |
| 43 | 47 |
paste.filter_factory = glance.common.wsgi:filter_factory |
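Review bot: The rendered file now carries the service account's cleartext password in `admin_password = %SERVICE_PASSWORD%` directly below the still-present `admin_token`, so whatever file mode the substituted paste.ini ends up with now guards two credentials instead of one; that mode is not visible from this hunk, and it is worth confirming the destination is not world-readable and saying so next to the FIXME, e.g. `# FIXME(dtroyer): remove admin_token after auth_token is updated; admin_password below is a cleartext secret, keep this file non-world-readable`. The registry paste hunk at @@ -21,7 +22,11 @@ and the swift proxy-server.conf hunk at @@ -31,13 +31,18 @@ add the same three keys and would take the same note.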
| ... | ... |
@@ -14,6 +14,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware |
| 14 | 14 |
|
| 15 | 15 |
[filter:authtoken] |
| 16 | 16 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
| 17 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
| 17 | 18 |
service_host = %KEYSTONE_SERVICE_HOST% |
| 18 | 19 |
service_port = %KEYSTONE_SERVICE_PORT% |
| 19 | 20 |
service_protocol = %KEYSTONE_SERVICE_PROTOCOL% |
| ... | ... |
@@ -21,7 +22,11 @@ auth_host = %KEYSTONE_AUTH_HOST% |
| 21 | 21 |
auth_port = %KEYSTONE_AUTH_PORT% |
| 22 | 22 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
| 23 | 23 |
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/ |
| 24 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
| 24 | 25 |
admin_token = %SERVICE_TOKEN% |
| 26 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
| 27 |
+admin_user = %SERVICE_USERNAME% |
|
| 28 |
+admin_password = %SERVICE_PASSWORD% |
|
| 25 | 29 |
|
| 26 | 30 |
[filter:auth-context] |
| 27 | 31 |
context_class = glance.registry.context.RequestContext |
| ... | ... |
@@ -17,6 +17,7 @@ if keystone help | grep -q user-role-add; then |
| 17 | 17 |
fi |
| 18 | 18 |
|
| 19 | 19 |
ADMIN_TENANT=`get_id keystone tenant-create --name=admin` |
| 20 |
+SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME` |
|
| 20 | 21 |
DEMO_TENANT=`get_id keystone tenant-create --name=demo` |
| 21 | 22 |
INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin` |
| 22 | 23 |
|
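Review bot: `SERVICE_TENANT` is never checked after the `get_id keystone tenant-create` call, and every `--tenant_id $SERVICE_TENANT` added later in this file is unquoted, so a failed create leaves the word empty and the later `user-create` calls run with a dangling `--tenant_id`. A one-line guard right after the assignment keeps the failure next to its cause: `[ -n "$SERVICE_TENANT" ] || { echo "failed to create tenant $SERVICE_TENANT_NAME" >&2; exit 1; }`. The existing ADMIN_TENANT line has the same shape, so this follows the file's style rather than reworking it; the surrounding script continues on both sides of the hunk.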
| ... | ... |
@@ -73,6 +74,14 @@ keystone service-create \ |
| 73 | 73 |
--name=nova \ |
| 74 | 74 |
--type=compute \ |
| 75 | 75 |
--description="Nova Compute Service" |
| 76 |
+NOVA_USER=`get_id keystone user-create \ |
|
| 77 |
+ --name=nova \ |
|
| 78 |
+ --pass="$SERVICE_PASSWORD" \ |
|
| 79 |
+ --tenant_id $SERVICE_TENANT \ |
|
| 80 |
+ --email=nova@example.com` |
|
| 81 |
+keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
| 82 |
+ --user $NOVA_USER \ |
|
| 83 |
+ --role $ADMIN_ROLE |
|
| 76 | 84 |
|
| 77 | 85 |
keystone service-create \ |
| 78 | 86 |
--name=ec2 \ |
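Review bot: `--pass="$SERVICE_PASSWORD"` puts the service password on the `keystone user-create` command line, where it is visible in the process list while the call runs and is echoed verbatim if this script is ever run under `bash -x` or with `set -x`. Whether the keystone client of this era can take the password from anything other than argv I cannot tell from here; at minimum a comment above the block such as `# NOTE: password is passed on argv; do not trace this script (set -x) on shared hosts` records the exposure for the next maintainer. The glance block at @@ -83,6 +92,14 @@ and the swift/quantum blocks at @@ -101,12 +118,28 @@ have the same shape.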
| ... | ... |
@@ -83,6 +92,14 @@ keystone service-create \ |
| 83 | 83 |
--name=glance \ |
| 84 | 84 |
--type=image \ |
| 85 | 85 |
--description="Glance Image Service" |
| 86 |
+GLANCE_USER=`get_id keystone user-create \ |
|
| 87 |
+ --name=glance \ |
|
| 88 |
+ --pass="$SERVICE_PASSWORD" \ |
|
| 89 |
+ --tenant_id $SERVICE_TENANT \ |
|
| 90 |
+ --email=glance@example.com` |
|
| 91 |
+keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
| 92 |
+ --user $GLANCE_USER \ |
|
| 93 |
+ --role $ADMIN_ROLE |
|
| 86 | 94 |
|
| 87 | 95 |
keystone service-create \ |
| 88 | 96 |
--name=keystone \ |
| ... | ... |
@@ -101,12 +118,28 @@ if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then |
| 101 | 101 |
--name=swift \ |
| 102 | 102 |
--type="object-store" \ |
| 103 | 103 |
--description="Swift Service" |
| 104 |
+ SWIFT_USER=`get_id keystone user-create \ |
|
| 105 |
+ --name=swift \ |
|
| 106 |
+ --pass="$SERVICE_PASSWORD" \ |
|
| 107 |
+ --tenant_id $SERVICE_TENANT \ |
|
| 108 |
+ --email=swift@example.com` |
|
| 109 |
+ keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
| 110 |
+ --user $SWIFT_USER \ |
|
| 111 |
+ --role $ADMIN_ROLE |
|
| 104 | 112 |
fi |
| 105 | 113 |
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then |
| 106 | 114 |
keystone service-create \ |
| 107 | 115 |
--name=quantum \ |
| 108 | 116 |
--type=network \ |
| 109 | 117 |
--description="Quantum Service" |
| 118 |
+ QUANTUM_USER=`get_id keystone user-create \ |
|
| 119 |
+ --name=quantum \ |
|
| 120 |
+ --pass="$SERVICE_PASSWORD" \ |
|
| 121 |
+ --tenant_id $SERVICE_TENANT \ |
|
| 122 |
+ --email=quantum@example.com` |
|
| 123 |
+ keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
| 124 |
+ --user $QUANTUM_USER \ |
|
| 125 |
+ --role $ADMIN_ROLE |
|
| 110 | 126 |
fi |
| 111 | 127 |
|
| 112 | 128 |
# create ec2 creds and parse the secret and access key returned |
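Review bot: The swift and quantum blocks are the third and fourth verbatim copies of the nova/glance sequence (`user-create` with `--pass`, `--tenant_id` and `--email`, then `user-role-add`), differing only in the service name, so every later fix to the pattern has to be applied four times. A small helper that takes the service name and prints the user id keeps one copy of the logic and lets each `if [[ "$ENABLED_SERVICES" =~ … ]]` branch shrink to one line; it uses only variables this file already sets. The rest of keystone_data.sh is outside the hunk, so where the helper is defined (anywhere before the first use) is left to the author.
```shell
# Create a Keystone user for a service in the service tenant and grant it
# the admin role; prints the new user's id.  Reads SERVICE_PASSWORD,
# SERVICE_TENANT and ADMIN_ROLE from the enclosing script.
create_service_user() {
  local name=$1
  local user_id
  user_id=$(get_id keystone user-create \
    --name="$name" \
    --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" \
    --email="$name@example.com")
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$user_id" \
    --role "$ADMIN_ROLE"
  printf '%s\n' "$user_id"
}

# … unchanged: swift service-create …
  SWIFT_USER=$(create_service_user swift)
# … unchanged: quantum service-create …
  QUANTUM_USER=$(create_service_user quantum)
```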
| ... | ... |
@@ -31,13 +31,18 @@ admin_token = %SERVICE_TOKEN% |
| 31 | 31 |
|
| 32 | 32 |
[filter:tokenauth] |
| 33 | 33 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
| 34 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
| 34 | 35 |
service_port = %KEYSTONE_SERVICE_PORT% |
| 35 | 36 |
service_host = %KEYSTONE_SERVICE_HOST% |
| 36 | 37 |
auth_port = %KEYSTONE_AUTH_PORT% |
| 37 | 38 |
auth_host = %KEYSTONE_AUTH_HOST% |
| 38 | 39 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
| 39 | 40 |
auth_token = %SERVICE_TOKEN% |
| 41 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
| 40 | 42 |
admin_token = %SERVICE_TOKEN% |
| 43 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
| 44 |
+admin_user = %SERVICE_USERNAME% |
|
| 45 |
+admin_password = %SERVICE_PASSWORD% |
|
| 41 | 46 |
cache = swift.cache |
| 42 | 47 |
|
| 43 | 48 |
[filter:swift3] |
| ... | ... |
@@ -421,10 +421,16 @@ fi |
| 421 | 421 |
# Service Token - Openstack components need to have an admin token |
| 422 | 422 |
# to validate user tokens. |
| 423 | 423 |
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN." |
| 424 |
+# Services authenticate to Identity with servicename/SERVICE_PASSWORD |
|
| 425 |
+read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." |
|
| 424 | 426 |
# Horizon currently truncates usernames and passwords at 20 characters |
| 425 | 427 |
read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)." |
| 426 | 428 |
|
| 429 |
+# Set the tenant for service accounts in Keystone |
|
| 430 |
+SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
|
|
| 431 |
+ |
|
| 427 | 432 |
# Set Keystone interface configuration |
| 433 |
+KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
|
|
| 428 | 434 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
| 429 | 435 |
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
| 430 | 436 |
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
|
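Review bot: `KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}` introduces a second variable for the public Keystone port while the paste templates and the glance_config sed further down still substitute `%KEYSTONE_SERVICE_PORT%` from `$KEYSTONE_SERVICE_PORT`, so a localrc that overrides one and not the other leaves the wait loop and the service configs disagreeing about the port. If KEYSTONE_SERVICE_PORT is defined before this point (not visible here), deriving one from the other, e.g. `KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-${KEYSTONE_SERVICE_PORT:-5000}}`, keeps a single source of truth; otherwise a comment on the new line should say which of the two is authoritative. The comment above `read_password SERVICE_TOKEN` still presents the admin token as the way components validate user tokens and could add that, after this change, it is the fallback beside the username/password pair read just below.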
| ... | ... |
@@ -768,6 +774,7 @@ if is_service_enabled g-reg; then |
| 768 | 768 |
|
| 769 | 769 |
function glance_config {
|
| 770 | 770 |
sudo sed -e " |
| 771 |
+ s,%KEYSTONE_API_PORT%,$KEYSTONE_API_PORT,g; |
|
| 771 | 772 |
s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g; |
| 772 | 773 |
s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g; |
| 773 | 774 |
s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g; |
| ... | ... |
@@ -775,6 +782,9 @@ if is_service_enabled g-reg; then |
| 775 | 775 |
s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g; |
| 776 | 776 |
s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g; |
| 777 | 777 |
s,%SQL_CONN%,$BASE_SQL_CONN/glance,g; |
| 778 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
| 779 |
+ s,%SERVICE_USERNAME%,glance,g; |
|
| 780 |
+ s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; |
|
| 778 | 781 |
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
| 779 | 782 |
s,%DEST%,$DEST,g; |
| 780 | 783 |
s,%SYSLOG%,$SYSLOG,g; |
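Review bot: `s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g;` interpolates the user-chosen password straight into the sed script, so a password containing `,` ends the replacement early, `&` expands to the matched placeholder and a `\` is interpreted instead of written; SERVICE_TOKEN has had the same exposure, but a password typed at a prompt is far more likely to contain such characters. Either document the restriction next to `read_password SERVICE_PASSWORD`, or escape once before the sed calls, e.g. `SERVICE_PASSWORD_SED=$(printf '%s\n' "$SERVICE_PASSWORD" | sed -e 's/[\\&,]/\\&/g')`, and substitute `$SERVICE_PASSWORD_SED` here. The nova sed at @@ -825,7 +835,14 @@ (delimiter `/`, so `/` is the breaking character there) and the swift sed at @@ -1011,16 +1028,21 @@ need the same treatment; glance_config continues outside this hunk.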
| ... | ... |
@@ -825,7 +835,14 @@ if is_service_enabled n-api; then |
| 825 | 825 |
cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF |
| 826 | 826 |
|
| 827 | 827 |
# Then we add our own service token to the configuration |
| 828 |
- sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_CONF/api-paste.ini |
|
| 828 |
+ sed -e " |
|
| 829 |
+ /^admin_token/i admin_tenant_name = $SERVICE_TENANT_NAME |
|
| 830 |
+ /admin_tenant_name/s/^.*$/admin_tenant_name = $SERVICE_TENANT_NAME/; |
|
| 831 |
+ /admin_user/s/^.*$/admin_user = nova/; |
|
| 832 |
+ /admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/; |
|
| 833 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
| 834 |
+ s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
|
| 835 |
+ " -i $NOVA_CONF/api-paste.ini |
|
| 829 | 836 |
|
| 830 | 837 |
# Finally, we change the pipelines in nova to use keystone |
| 831 | 838 |
function replace_pipeline() {
|
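Review bot: The new sed script only inserts `admin_tenant_name` (the `/^admin_token/i` line) and merely rewrites `admin_user` and `admin_password` where such lines already exist, so if nova's api-paste.ini has no `admin_user`/`admin_password` lines the rendered config gets a tenant name but no credentials, and if it already has an `admin_tenant_name` line the insert plus the following `s/^.*$/…/` produce two of them; which case applies depends on the nova template, which is not visible here. Inserting all three keys before `admin_token` and dropping the per-key rewrites, or rewriting all three and inserting none, would make the two paths consistent. The comment above the call, `# Then we add our own service token to the configuration`, now undersells the block and could read `# Then we add our service tenant/user/password (and the fallback service token) to the configuration`.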
| ... | ... |
@@ -1011,16 +1028,21 @@ if is_service_enabled swift; then |
| 1011 | 1011 |
|
| 1012 | 1012 |
# We do the install of the proxy-server and swift configuration |
| 1013 | 1013 |
# replacing a few directives to match our configuration. |
| 1014 |
- sed -e "s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g;
|
|
| 1015 |
- s,%USER%,$USER,g; |
|
| 1016 |
- s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g;
|
|
| 1017 |
- s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g;
|
|
| 1018 |
- s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g;
|
|
| 1019 |
- s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g;
|
|
| 1020 |
- s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g;
|
|
| 1021 |
- s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g;
|
|
| 1022 |
- s/%AUTH_SERVER%/${swift_auth_server}/g;" \
|
|
| 1023 |
- $FILES/swift/proxy-server.conf | \ |
|
| 1014 |
+ sed -e " |
|
| 1015 |
+ s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g;
|
|
| 1016 |
+ s,%USER%,$USER,g; |
|
| 1017 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
| 1018 |
+ s,%SERVICE_USERNAME%,swift,g; |
|
| 1019 |
+ s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; |
|
| 1020 |
+ s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g;
|
|
| 1021 |
+ s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g;
|
|
| 1022 |
+ s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g;
|
|
| 1023 |
+ s,%KEYSTONE_API_PORT%,${KEYSTONE_API_PORT},g;
|
|
| 1024 |
+ s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g;
|
|
| 1025 |
+ s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g;
|
|
| 1026 |
+ s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g;
|
|
| 1027 |
+ s/%AUTH_SERVER%/${swift_auth_server}/g;
|
|
| 1028 |
+ " $FILES/swift/proxy-server.conf | \ |
|
| 1024 | 1029 |
sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf
|
| 1025 | 1030 |
|
| 1026 | 1031 |
sed -e "s/%SWIFT_HASH%/$SWIFT_HASH/" $FILES/swift/swift.conf > ${SWIFT_CONFIG_LOCATION}/swift.conf
|
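Review bot: The rendered proxy-server.conf is piped through `sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf` with stdout left attached, so the whole file, which after this change contains the service password in the clear on its `admin_password` line, is printed to the console and captured by any log of the stack.sh run. Appending a redirect to the tee line, `sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf >/dev/null`, keeps the write and drops the echo. The hunk also substitutes `%KEYSTONE_API_PORT%`, which does not appear in the proxy-server.conf hunk earlier in this change; if the placeholder exists elsewhere in the template that is fine, otherwise the line is a no-op worth removing.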
| ... | ... |
@@ -1389,7 +1411,7 @@ fi |
| 1389 | 1389 |
if is_service_enabled key; then |
| 1390 | 1390 |
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" |
| 1391 | 1391 |
echo "Waiting for keystone to start..." |
| 1392 |
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then |
|
| 1392 |
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/; do sleep 1; done"; then |
|
| 1393 | 1393 |
echo "keystone did not start" |
| 1394 | 1394 |
exit 1 |
| 1395 | 1395 |
fi |
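Review bot: The wait loop now polls `$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/`, taking the scheme from the admin-side setting while the host and port come from the public side; the removed line used the three `KEYSTONE_SERVICE_*` values together, and the paste templates in this change still point services at `%KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/`. If the public endpoint is ever served over a different scheme or host than the admin endpoint, this probe either waits on the wrong URL or succeeds while the endpoint the services actually use is still down. Using one consistent triple here, e.g. `$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/` if KEYSTONE_API_PORT is meant to replace KEYSTONE_SERVICE_PORT, avoids the split; the `echo "keystone is serving at …"` line at @@ -1630,7 +1653,7 @@ mixes the variables the same way.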
| ... | ... |
@@ -1401,7 +1423,8 @@ if is_service_enabled key; then |
| 1401 | 1401 |
|
| 1402 | 1402 |
# keystone_data.sh creates services, admin and demo users, and roles. |
| 1403 | 1403 |
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
| 1404 |
- ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh |
|
| 1404 |
+ ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \ |
|
| 1405 |
+ bash $FILES/keystone_data.sh |
|
| 1405 | 1406 |
fi |
| 1406 | 1407 |
|
| 1407 | 1408 |
|
| ... | ... |
@@ -1630,7 +1653,7 @@ fi |
| 1630 | 1630 |
|
| 1631 | 1631 |
# If keystone is present, you can point nova cli to this server |
| 1632 | 1632 |
if is_service_enabled key; then |
| 1633 |
- echo "keystone is serving at $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" |
|
| 1633 |
+ echo "keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/" |
|
| 1634 | 1634 |
echo "examples on using novaclient command line is in exercise.sh" |
| 1635 | 1635 |
echo "the default users are: admin and demo" |
| 1636 | 1636 |
echo "the password: $ADMIN_PASSWORD" |