* Use username/password instead of service token for service auth to Keystone
* Updates files/glance-*-paste.ini and files/swift/proxy-server.conf
* keystone_data.sh creates 'service' tenant, 'nova' and 'glance' users
('swift' and 'quantum' if those services are enabled)
* Uses $SERVICE_PASSWORD for the service auth password. There is no default;
to default to $ADMIN_PASSWORD, place the assignment in localrc.
Fixes bug 942983
Change-Id: If78eed1b509a9c1e8441bb4cfa095da9052f9395
... | ... |
@@ -30,6 +30,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware |
30 | 30 |
|
31 | 31 |
[filter:authtoken] |
32 | 32 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
33 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
33 | 34 |
service_host = %KEYSTONE_SERVICE_HOST% |
34 | 35 |
service_port = %KEYSTONE_SERVICE_PORT% |
35 | 36 |
service_protocol = %KEYSTONE_SERVICE_PROTOCOL% |
... | ... |
@@ -37,7 +38,11 @@ auth_host = %KEYSTONE_AUTH_HOST% |
37 | 37 |
auth_port = %KEYSTONE_AUTH_PORT% |
38 | 38 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
39 | 39 |
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/ |
40 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
40 | 41 |
admin_token = %SERVICE_TOKEN% |
42 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
43 |
+admin_user = %SERVICE_USERNAME% |
|
44 |
+admin_password = %SERVICE_PASSWORD% |
|
41 | 45 |
|
42 | 46 |
[filter:auth-context] |
43 | 47 |
paste.filter_factory = glance.common.wsgi:filter_factory |
... | ... |
@@ -14,6 +14,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware |
14 | 14 |
|
15 | 15 |
[filter:authtoken] |
16 | 16 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
17 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
17 | 18 |
service_host = %KEYSTONE_SERVICE_HOST% |
18 | 19 |
service_port = %KEYSTONE_SERVICE_PORT% |
19 | 20 |
service_protocol = %KEYSTONE_SERVICE_PROTOCOL% |
... | ... |
@@ -21,7 +22,11 @@ auth_host = %KEYSTONE_AUTH_HOST% |
21 | 21 |
auth_port = %KEYSTONE_AUTH_PORT% |
22 | 22 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
23 | 23 |
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/ |
24 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
24 | 25 |
admin_token = %SERVICE_TOKEN% |
26 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
27 |
+admin_user = %SERVICE_USERNAME% |
|
28 |
+admin_password = %SERVICE_PASSWORD% |
|
25 | 29 |
|
26 | 30 |
[filter:auth-context] |
27 | 31 |
context_class = glance.registry.context.RequestContext |
... | ... |
@@ -17,6 +17,7 @@ if keystone help | grep -q user-role-add; then |
17 | 17 |
fi |
18 | 18 |
|
19 | 19 |
ADMIN_TENANT=`get_id keystone tenant-create --name=admin` |
20 |
+SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME` |
|
20 | 21 |
DEMO_TENANT=`get_id keystone tenant-create --name=demo` |
21 | 22 |
INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin` |
22 | 23 |
|
... | ... |
@@ -73,6 +74,14 @@ keystone service-create \ |
73 | 73 |
--name=nova \ |
74 | 74 |
--type=compute \ |
75 | 75 |
--description="Nova Compute Service" |
76 |
+NOVA_USER=`get_id keystone user-create \ |
|
77 |
+ --name=nova \ |
|
78 |
+ --pass="$SERVICE_PASSWORD" \ |
|
79 |
+ --tenant_id $SERVICE_TENANT \ |
|
80 |
+ --email=nova@example.com` |
|
81 |
+keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
82 |
+ --user $NOVA_USER \ |
|
83 |
+ --role $ADMIN_ROLE |
|
76 | 84 |
|
77 | 85 |
keystone service-create \ |
78 | 86 |
--name=ec2 \ |
... | ... |
@@ -83,6 +92,14 @@ keystone service-create \ |
83 | 83 |
--name=glance \ |
84 | 84 |
--type=image \ |
85 | 85 |
--description="Glance Image Service" |
86 |
+GLANCE_USER=`get_id keystone user-create \ |
|
87 |
+ --name=glance \ |
|
88 |
+ --pass="$SERVICE_PASSWORD" \ |
|
89 |
+ --tenant_id $SERVICE_TENANT \ |
|
90 |
+ --email=glance@example.com` |
|
91 |
+keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
92 |
+ --user $GLANCE_USER \ |
|
93 |
+ --role $ADMIN_ROLE |
|
86 | 94 |
|
87 | 95 |
keystone service-create \ |
88 | 96 |
--name=keystone \ |
... | ... |
@@ -101,12 +118,28 @@ if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then |
101 | 101 |
--name=swift \ |
102 | 102 |
--type="object-store" \ |
103 | 103 |
--description="Swift Service" |
104 |
+ SWIFT_USER=`get_id keystone user-create \ |
|
105 |
+ --name=swift \ |
|
106 |
+ --pass="$SERVICE_PASSWORD" \ |
|
107 |
+ --tenant_id $SERVICE_TENANT \ |
|
108 |
+ --email=swift@example.com` |
|
109 |
+ keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
110 |
+ --user $SWIFT_USER \ |
|
111 |
+ --role $ADMIN_ROLE |
|
104 | 112 |
fi |
105 | 113 |
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then |
106 | 114 |
keystone service-create \ |
107 | 115 |
--name=quantum \ |
108 | 116 |
--type=network \ |
109 | 117 |
--description="Quantum Service" |
118 |
+ QUANTUM_USER=`get_id keystone user-create \ |
|
119 |
+ --name=quantum \ |
|
120 |
+ --pass="$SERVICE_PASSWORD" \ |
|
121 |
+ --tenant_id $SERVICE_TENANT \ |
|
122 |
+ --email=quantum@example.com` |
|
123 |
+ keystone user-role-add --tenant_id $SERVICE_TENANT \ |
|
124 |
+ --user $QUANTUM_USER \ |
|
125 |
+ --role $ADMIN_ROLE |
|
110 | 126 |
fi |
111 | 127 |
|
112 | 128 |
# create ec2 creds and parse the secret and access key returned |
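Review bot: The four new service users (nova, glance, swift, quantum) are created with `--pass="$SERVICE_PASSWORD"` and granted `$ADMIN_ROLE`, but nothing in keystone_data.sh asserts that SERVICE_PASSWORD or SERVICE_TENANT_NAME is set, so running the script outside stack.sh would create admin-role accounts with an empty password in a tenant literally named by an empty string. A guard near the top of the script (outside this hunk) such as `: "${SERVICE_PASSWORD:?SERVICE_PASSWORD must be set}"` and `: "${SERVICE_TENANT_NAME:?SERVICE_TENANT_NAME must be set}"` would make the failure explicit. The new expansions `--name=$SERVICE_TENANT_NAME` and `--tenant_id $SERVICE_TENANT` are also unquoted, unlike `--pass="$SERVICE_PASSWORD"` on the same commands. Separately, the user-create/user-role-add sequence is repeated verbatim four times and would read better as one helper taking the service name; whether the service accounts really need `$ADMIN_ROLE` rather than a narrower role depends on what auth_token requires for token validation, which is not visible here.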
... | ... |
@@ -31,13 +31,18 @@ admin_token = %SERVICE_TOKEN% |
31 | 31 |
|
32 | 32 |
[filter:tokenauth] |
33 | 33 |
paste.filter_factory = keystone.middleware.auth_token:filter_factory |
34 |
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated |
|
34 | 35 |
service_port = %KEYSTONE_SERVICE_PORT% |
35 | 36 |
service_host = %KEYSTONE_SERVICE_HOST% |
36 | 37 |
auth_port = %KEYSTONE_AUTH_PORT% |
37 | 38 |
auth_host = %KEYSTONE_AUTH_HOST% |
38 | 39 |
auth_protocol = %KEYSTONE_AUTH_PROTOCOL% |
39 | 40 |
auth_token = %SERVICE_TOKEN% |
41 |
+# FIXME(dtroyer): remove admin_token after auth_token is updated |
|
40 | 42 |
admin_token = %SERVICE_TOKEN% |
43 |
+admin_tenant_name = %SERVICE_TENANT_NAME% |
|
44 |
+admin_user = %SERVICE_USERNAME% |
|
45 |
+admin_password = %SERVICE_PASSWORD% |
|
41 | 46 |
cache = swift.cache |
42 | 47 |
|
43 | 48 |
[filter:swift3] |
... | ... |
@@ -421,10 +421,16 @@ fi |
421 | 421 |
# Service Token - Openstack components need to have an admin token |
422 | 422 |
# to validate user tokens. |
423 | 423 |
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN." |
424 |
+# Services authenticate to Identity with servicename/SERVICE_PASSWORD |
|
425 |
+read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." |
|
424 | 426 |
# Horizon currently truncates usernames and passwords at 20 characters |
425 | 427 |
read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)." |
426 | 428 |
|
429 |
+# Set the tenant for service accounts in Keystone |
|
430 |
+SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} |
|
431 |
+ |
|
427 | 432 |
# Set Keystone interface configuration |
433 |
+KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000} |
|
428 | 434 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} |
429 | 435 |
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} |
430 | 436 |
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http} |
... | ... |
@@ -768,6 +774,7 @@ if is_service_enabled g-reg; then |
768 | 768 |
|
769 | 769 |
function glance_config { |
770 | 770 |
sudo sed -e " |
771 |
+ s,%KEYSTONE_API_PORT%,$KEYSTONE_API_PORT,g; |
|
771 | 772 |
s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g; |
772 | 773 |
s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g; |
773 | 774 |
s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g; |
... | ... |
@@ -775,6 +782,9 @@ if is_service_enabled g-reg; then |
775 | 775 |
s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g; |
776 | 776 |
s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g; |
777 | 777 |
s,%SQL_CONN%,$BASE_SQL_CONN/glance,g; |
778 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
779 |
+ s,%SERVICE_USERNAME%,glance,g; |
|
780 |
+ s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; |
|
778 | 781 |
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
779 | 782 |
s,%DEST%,$DEST,g; |
780 | 783 |
s,%SYSLOG%,$SYSLOG,g; |
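Review bot: `s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g;` splices a value typed by the user through read_password straight into the replacement side of a sed script, so a password containing `,`, `&`, `\` or a newline yields either a sed syntax error or a silently corrupted paste config; the same pattern is added in the nova api-paste hunk (`/admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/;`, where `/` is special too) and in the swift proxy-server hunk. Escape the value once before building the scripts, for example `esc_service_password=$(printf '%s' "$SERVICE_PASSWORD" | sed -e 's/[\\&,/]/\\&/g')` (constructed; verify against a password containing each of those characters) and interpolate the escaped variable instead, or validate the accepted character set in read_password. SERVICE_TOKEN has the same exposure, but that predates this change. glance_config continues outside the hunk.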
... | ... |
@@ -825,7 +835,14 @@ if is_service_enabled n-api; then |
825 | 825 |
cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF |
826 | 826 |
|
827 | 827 |
# Then we add our own service token to the configuration |
828 |
- sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_CONF/api-paste.ini |
|
828 |
+ sed -e " |
|
829 |
+ /^admin_token/i admin_tenant_name = $SERVICE_TENANT_NAME |
|
830 |
+ /admin_tenant_name/s/^.*$/admin_tenant_name = $SERVICE_TENANT_NAME/; |
|
831 |
+ /admin_user/s/^.*$/admin_user = nova/; |
|
832 |
+ /admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/; |
|
833 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
834 |
+ s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
|
835 |
+ " -i $NOVA_CONF/api-paste.ini |
|
829 | 836 |
|
830 | 837 |
# Finally, we change the pipelines in nova to use keystone |
831 | 838 |
function replace_pipeline() { |
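Review bot: `/^admin_token/i admin_tenant_name = $SERVICE_TENANT_NAME` inserts a line unconditionally, while the next command `/admin_tenant_name/s/^.*$/admin_tenant_name = $SERVICE_TENANT_NAME/;` rewrites any existing one, so a nova template that already ships an `admin_tenant_name` key ends up with the key twice; conversely, a template with no `admin_user`/`admin_password` lines never receives those two values because the `s` commands match nothing. Which case applies depends on the nova api-paste.ini being copied, which is outside this hunk, so the intended template shape deserves a comment above the sed call, e.g. `# nova's api-paste.ini ships admin_user/admin_password placeholders but no admin_tenant_name; insert it before admin_token` if that is the assumption. Note also that the one-line `i text` form and `-i` are GNU sed extensions, unlike the `s` commands used elsewhere in this function.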
... | ... |
@@ -1011,16 +1028,21 @@ if is_service_enabled swift; then |
1011 | 1011 |
|
1012 | 1012 |
# We do the install of the proxy-server and swift configuration |
1013 | 1013 |
# replacing a few directives to match our configuration. |
1014 |
- sed -e "s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g; |
|
1015 |
- s,%USER%,$USER,g; |
|
1016 |
- s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g; |
|
1017 |
- s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g; |
|
1018 |
- s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g; |
|
1019 |
- s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g; |
|
1020 |
- s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g; |
|
1021 |
- s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g; |
|
1022 |
- s/%AUTH_SERVER%/${swift_auth_server}/g;" \ |
|
1023 |
- $FILES/swift/proxy-server.conf | \ |
|
1014 |
+ sed -e " |
|
1015 |
+ s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g; |
|
1016 |
+ s,%USER%,$USER,g; |
|
1017 |
+ s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
|
1018 |
+ s,%SERVICE_USERNAME%,swift,g; |
|
1019 |
+ s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g; |
|
1020 |
+ s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g; |
|
1021 |
+ s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g; |
|
1022 |
+ s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g; |
|
1023 |
+ s,%KEYSTONE_API_PORT%,${KEYSTONE_API_PORT},g; |
|
1024 |
+ s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g; |
|
1025 |
+ s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g; |
|
1026 |
+ s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g; |
|
1027 |
+ s/%AUTH_SERVER%/${swift_auth_server}/g; |
|
1028 |
+ " $FILES/swift/proxy-server.conf | \ |
|
1024 | 1029 |
sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf |
1025 | 1030 |
|
1026 | 1031 |
sed -e "s/%SWIFT_HASH%/$SWIFT_HASH/" $FILES/swift/swift.conf > ${SWIFT_CONFIG_LOCATION}/swift.conf |
... | ... |
@@ -1389,7 +1411,7 @@ fi |
1389 | 1389 |
if is_service_enabled key; then |
1390 | 1390 |
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" |
1391 | 1391 |
echo "Waiting for keystone to start..." |
1392 |
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then |
|
1392 |
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/; do sleep 1; done"; then |
|
1393 | 1393 |
echo "keystone did not start" |
1394 | 1394 |
exit 1 |
1395 | 1395 |
fi |
... | ... |
@@ -1401,7 +1423,8 @@ if is_service_enabled key; then |
1401 | 1401 |
|
1402 | 1402 |
# keystone_data.sh creates services, admin and demo users, and roles. |
1403 | 1403 |
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
1404 |
- ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh |
|
1404 |
+ ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \ |
|
1405 |
+ bash $FILES/keystone_data.sh |
|
1405 | 1406 |
fi |
1406 | 1407 |
|
1407 | 1408 |
|
... | ... |
@@ -1630,7 +1653,7 @@ fi |
1630 | 1630 |
|
1631 | 1631 |
# If keystone is present, you can point nova cli to this server |
1632 | 1632 |
if is_service_enabled key; then |
1633 |
- echo "keystone is serving at $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" |
|
1633 |
+ echo "keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/" |
|
1634 | 1634 |
echo "examples on using novaclient command line is in exercise.sh" |
1635 | 1635 |
echo "the default users are: admin and demo" |
1636 | 1636 |
echo "the password: $ADMIN_PASSWORD" |