@@ -12,4 +12,4 @@ python-greenlet

 python-routes

 libldap2-dev

 libsasl2-dev

-

+python-bcrypt

new file mode 100644

@@ -0,0 +1,30 @@

+# config for TemplatedCatalog, using camelCase because I don't want to do

+# translations for legacy compat

+catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0

+catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0

+catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0

+catalog.RegionOne.identity.name = 'Identity Service'

+

+

+catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s

+catalog.RegionOne.compute.name = 'Compute Service'

+

+

+catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud

+catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin

+catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud

+catalog.RegionOne.ec2.name = 'EC2 Service'

+

+

+catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1

+catalog.RegionOne.image.name = 'Image Service'

+

+

+catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s

+catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/

+catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s

+catalog.RegionOne.object_store.name = 'Swift Service'

@@ -1,112 +1,92 @@

 [DEFAULT]

-# Show more verbose log output (sets INFO log level output)

-verbose = False

-

-# Show debugging output in logs (sets DEBUG log level output)

-debug = False

-

-# Which backend store should Keystone use by default.

-# Default: 'sqlite'

-# Available choices are 'sqlite' [future will include LDAP, PAM, etc]

-default_store = sqlite

-

-# Log to this file. Make sure you do not set the same log

-# file for both the API and registry servers!

-log_file = %DEST%/keystone/keystone.log

-

-# List of backends to be configured

-backends = keystone.backends.sqlalchemy

-#For LDAP support, add: ,keystone.backends.ldap

+public_port = 5000

+admin_port = 35357

+admin_token = %SERVICE_TOKEN%

+compute_port = 3000

+verbose = True

+debug = True

+# commented out so devstack logs to stdout

+# log_file = %DEST%/keystone/keystone.log

-# Dictionary Maps every service to a header.Missing services would get header

-# X_(SERVICE_NAME) Key => Service Name, Value => Header Name

-service_header_mappings = {

-	'nova' : 'X-Server-Management-Url',

-	'swift' : 'X-Storage-Url',

-	'cdn' : 'X-CDN-Management-Url'}

+# ================= Syslog Options ============================

+# Send logs to syslog (/dev/log) instead of to file specified

+# by `log-file`

+use_syslog = False

-#List of extensions currently supported

-extensions= osksadm,oskscatalog

+# Facility to use. If unset defaults to LOG_USER.

+# syslog_log_facility = LOG_LOCAL0

-# Address to bind the API server

-# TODO Properties defined within app not available via pipeline.

-service_host = 0.0.0.0

+[sql]

+connection = %SQL_CONN%

+idle_timeout = 30

+min_pool_size = 5

+max_pool_size = 10

+pool_timeout = 200

-# Port the bind the API server to

-service_port = 5000

+[identity]

+driver = keystone.identity.backends.sql.Identity

-# SSL for API server

-service_ssl = False

+[catalog]

+driver = keystone.catalog.backends.templated.TemplatedCatalog

+template_file = %KEYSTONE_DIR%/etc/default_catalog.templates

-# Address to bind the Admin API server

-admin_host = 0.0.0.0

+[token]

+driver = keystone.token.backends.kvs.Token

-# Port the bind the Admin API server to

-admin_port = 35357

+[policy]

+driver = keystone.policy.backends.simple.SimpleMatch

-# SSL for API Admin server

-admin_ssl = False

+[ec2]

+driver = keystone.contrib.ec2.backends.sql.Ec2

-# Keystone certificate file (modify as needed)

-# Only required if *_ssl is set to True

-certfile = /etc/keystone/ssl/certs/keystone.pem

+[filter:debug]

+paste.filter_factory = keystone.common.wsgi:Debug.factory

-# Keystone private key file (modify as needed)

-# Only required if *_ssl is set to True

-keyfile = /etc/keystone/ssl/private/keystonekey.pem

+[filter:token_auth]

+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

-# Keystone trusted CA certificates  (modify as needed)

-# Only required if *_ssl is set to True

-ca_certs = /etc/keystone/ssl/certs/ca.pem

+[filter:admin_token_auth]

+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

-# Client certificate required

-# Only relevant if *_ssl is set to True

-cert_required = True

+[filter:json_body]

+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

-#Role that allows to perform admin operations.

-keystone_admin_role = admin

+[filter:crud_extension]

+paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

-#Role that allows to perform service admin operations.

-keystone_service_admin_role = KeystoneServiceAdmin

+[filter:ec2_extension]

+paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

-#Tells whether password user need to be hashed in the backend

-hash_password = True

+[app:public_service]

+paste.app_factory = keystone.service:public_app_factory

-[keystone.backends.sqlalchemy]

-# SQLAlchemy connection string for the reference implementation registry

-# server. Any valid SQLAlchemy connection string is fine.

-# See: http://bit.ly/ideIpI

-sql_connection = %SQL_CONN%

-backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',

-                    'User', 'Credentials', 'EndpointTemplates', 'Token',

-                    'Service']

+[app:admin_service]

+paste.app_factory = keystone.service:admin_app_factory

-# Period in seconds after which SQLAlchemy should reestablish its connection

-# to the database.

-sql_idle_timeout = 30

+[pipeline:public_api]

+pipeline = token_auth admin_token_auth json_body debug ec2_extension public_service

-[pipeline:admin]

-pipeline =

-    urlrewritefilter

-    admin_api

+[pipeline:admin_api]

+pipeline = token_auth admin_token_auth json_body debug ec2_extension crud_extension admin_service

-[pipeline:keystone-legacy-auth]

-pipeline =

-    urlrewritefilter

-    legacy_auth

-    service_api

+[app:public_version_service]

+paste.app_factory = keystone.service:public_version_app_factory

-[app:service_api]

-paste.app_factory = keystone.server:service_app_factory

+[app:admin_version_service]

+paste.app_factory = keystone.service:admin_version_app_factory

-[app:admin_api]

-paste.app_factory = keystone.server:admin_app_factory

+[pipeline:public_version_api]

+pipeline = public_version_service

-[filter:urlrewritefilter]

-paste.filter_factory = keystone.middleware.url:filter_factory

+[pipeline:admin_version_api]

+pipeline = admin_version_service

-[filter:legacy_auth]

-paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

+[composite:main]

+use = egg:Paste#urlmap

+/v2.0 = public_api

+/ = public_version_api

-[filter:debug]

-paste.filter_factory = keystone.common.wsgi:debug_filter_factory

+[composite:admin]

+use = egg:Paste#urlmap

+/v2.0 = admin_api

+/ = admin_version_service

@@ -1,54 +1,91 @@

 #!/bin/bash

-BIN_DIR=${BIN_DIR:-.}

 # Tenants

-$BIN_DIR/keystone-manage tenant add admin

-$BIN_DIR/keystone-manage tenant add demo

-$BIN_DIR/keystone-manage tenant add invisible_to_admin

+export SERVICE_TOKEN=$SERVICE_TOKEN

+export SERVICE_ENDPOINT=$SERVICE_ENDPOINT

+

+function get_id () {

+    echo `$@ | grep id | awk '{print $4}'`

+}

+

+ADMIN_TENANT=`get_id keystone tenant-create --name=admin`

+DEMO_TENANT=`get_id keystone tenant-create --name=demo`

+INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`

+

 # Users

-$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD%

-$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD%

+ADMIN_USER=`get_id keystone user-create \

+                                 --name=admin \

+                                 --pass="$ADMIN_PASSWORD" \

+                                 --email=admin@example.com`

+DEMO_USER=`get_id keystone user-create \

+                                 --name=demo \

+                                 --pass="$ADMIN_PASSWORD" \

+                                 --email=admin@example.com`

 # Roles

-$BIN_DIR/keystone-manage role add admin

-$BIN_DIR/keystone-manage role add Member

-$BIN_DIR/keystone-manage role add KeystoneAdmin

-$BIN_DIR/keystone-manage role add KeystoneServiceAdmin

-$BIN_DIR/keystone-manage role add sysadmin

-$BIN_DIR/keystone-manage role add netadmin

-$BIN_DIR/keystone-manage role grant admin admin admin

-$BIN_DIR/keystone-manage role grant Member demo demo

-$BIN_DIR/keystone-manage role grant sysadmin demo demo

-$BIN_DIR/keystone-manage role grant netadmin demo demo

-$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin

-$BIN_DIR/keystone-manage role grant admin admin demo

-$BIN_DIR/keystone-manage role grant admin admin

-$BIN_DIR/keystone-manage role grant KeystoneAdmin admin

-$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin

+ADMIN_ROLE=`get_id keystone role-create --name=admin`

+MEMBER_ROLE=`get_id keystone role-create --name=Member`

+KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=KeystoneAdmin`

+KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=KeystoneServiceAdmin`

+SYSADMIN_ROLE=`get_id keystone role-create --name=sysadmin`

+NETADMIN_ROLE=`get_id keystone role-create --name=netadmin`

+

+

+# Add Roles to Users in Tenants

+

+keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT

+keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT

+keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT

+keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT

+keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT

+keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT

+

+# TODO(termie): these two might be dubious

+keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT

+keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT

 # Services

-$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service"

-$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer"

-$BIN_DIR/keystone-manage service add glance image "Glance Image Service"

-$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service"

-if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then

-    $BIN_DIR/keystone-manage service add swift object-store "Swift Service"

-fi

+keystone service-create \

+                                 --name=nova \

+                                 --type=compute \

+                                 --description="Nova Compute Service"

+

+keystone service-create \

+                                 --name=ec2 \

+                                 --type=ec2 \

+                                 --description="EC2 Compatibility Layer"

-#endpointTemplates

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id%  http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1

-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1

+keystone service-create \

+                                 --name=glance \

+                                 --type=image \

+                                 --description="Glance Image Service"

+

+keystone service-create \

+                                 --name=keystone \

+                                 --type=identity \

+                                 --description="Keystone Identity Service"

 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then

-    $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1

+    keystone service-create \

+                                 --name=swift \

+                                 --type="object-store" \

+                                 --description="Swift Service"

 fi

-# Tokens

-$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00

+# create ec2 creds and parse the secret and access key returned

+RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER`

+    echo `$@ | grep id | awk '{print $4}'`

+ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`

+ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`

+

+

+RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER`

+DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`

+DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`

-# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD

-# but keystone doesn't parse them - it is just a blob from keystone's

-# point of view

-$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"

-$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"

+# write the secret and access to ec2rc

+cat > $DEVSTACK_DIR/ec2rc <<EOF

+ADMIN_ACCESS=$ADMIN_ACCESS

+ADMIN_SECRET=$ADMIN_SECRET

+DEMO_ACCESS=$DEMO_ACCESS

+DEMO_SECRET=$DEMO_SECRET

+EOF

@@ -1 +1,2 @@

 PassLib

+pycli

@@ -42,7 +42,7 @@ export OS_PASSWORD=${NOVA_PASSWORD}

 #

 # *NOTE*: Using the 2.0 *auth api* does not mean that compute api is 2.0.  We

 # will use the 1.1 *compute api*

-export NOVA_URL=${NOVA_URL:-http://$SERVICE_HOST:5000/v2.0/}

+export NOVA_URL=${NOVA_URL:-http://$SERVICE_HOST:5000/v2.0}

 export OS_AUTH_URL=${NOVA_URL}

 # Currently novaclient needs you to specify the *compute api* version.  This

@@ -56,10 +56,10 @@ export NOVA_REGION_NAME=${NOVA_REGION_NAME:-RegionOne}

 export EC2_URL=${EC2_URL:-http://$SERVICE_HOST:8773/services/Cloud}

 # Access key is set in the initial keystone data to be the same as username

-export EC2_ACCESS_KEY=${USERNAME:-demo}

+export EC2_ACCESS_KEY=${DEMO_ACCESS}

 # Secret key is set in the initial keystone data to the admin password

-export EC2_SECRET_KEY=${ADMIN_PASSWORD:-secrete}

+export EC2_SECRET_KEY=${DEMO_SECRET}

 # Euca2ools Certificate stuff for uploading bundles

 # You can get your certs using ./tools/get_certs.sh

@@ -533,6 +533,7 @@ pip_install `cat $FILES/pips/* | uniq`

 # compute service

 git_clone $NOVA_REPO $NOVA_DIR $NOVA_BRANCH

 # python client library to nova that horizon (and others) use

+git_clone $KEYSTONECLIENT_REPO $KEYSTONECLIENT_DIR $KEYSTONECLIENT_BRANCH

 git_clone $NOVACLIENT_REPO $NOVACLIENT_DIR $NOVACLIENT_BRANCH

 # glance, swift middleware and nova api needs keystone middleware

@@ -561,7 +562,6 @@ fi

 if [[ "$ENABLED_SERVICES" =~ "horizon" ]]; then

     # django powered web control panel for openstack

     git_clone $HORIZON_REPO $HORIZON_DIR $HORIZON_BRANCH $HORIZON_TAG

-    git_clone $KEYSTONECLIENT_REPO $KEYSTONECLIENT_DIR $KEYSTONECLIENT_BRANCH

 fi

 if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then

     # quantum

@@ -584,6 +584,8 @@ fi

 # setup our checkouts so they are installed into python path

 # allowing ``import nova`` or ``import glance.client``

+cd $KEYSTONECLIENT_DIR; sudo python setup.py develop

+cd $NOVACLIENT_DIR; sudo python setup.py develop

 if [[ "$ENABLED_SERVICES" =~ "key" ||

       "$ENABLED_SERVICES" =~ "g-api" ||

       "$ENABLED_SERVICES" =~ "n-api" ||

@@ -598,10 +600,8 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ||

       "$ENABLED_SERVICES" =~ "n-api" ]]; then

     cd $GLANCE_DIR; sudo python setup.py develop

 fi

-cd $NOVACLIENT_DIR; sudo python setup.py develop

 cd $NOVA_DIR; sudo python setup.py develop

 if [[ "$ENABLED_SERVICES" =~ "horizon" ]]; then

-    cd $KEYSTONECLIENT_DIR; sudo python setup.py develop

     cd $HORIZON_DIR/horizon; sudo python setup.py develop

     cd $HORIZON_DIR/openstack-dashboard; sudo python setup.py develop

 fi

@@ -793,28 +793,20 @@ fi

 # Nova

 # ----

-

-# Put config files in /etc/nova for everyone to find

-NOVA_CONF=/etc/nova

-if [[ ! -d $NOVA_CONF ]]; then

-    sudo mkdir -p $NOVA_CONF

-fi

-sudo chown `whoami` $NOVA_CONF

-

 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

     # We are going to use a sample http middleware configuration based on the

     # one from the keystone project to launch nova.  This paste config adds

     # the configuration required for nova to validate keystone tokens.

     # First we add a some extra data to the default paste config from nova

-    cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF

+    cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_DIR/bin/nova-api-paste.ini

     # Then we add our own service token to the configuration

-    sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_CONF/api-paste.ini

+    sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_DIR/bin/nova-api-paste.ini

     # Finally, we change the pipelines in nova to use keystone

     function replace_pipeline() {

-        sed "/\[pipeline:$1\]/,/\[/s/^pipeline = .*/pipeline = $2/" -i $NOVA_CONF/api-paste.ini

+        sed "/\[pipeline:$1\]/,/\[/s/^pipeline = .*/pipeline = $2/" -i $NOVA_DIR/bin/nova-api-paste.ini

     }

     replace_pipeline "ec2cloud" "ec2faultwrap logrequest totoken authtoken keystonecontext cloudrequest authorizer validator ec2executor"

     replace_pipeline "ec2admin" "ec2faultwrap logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor"

@@ -1101,11 +1093,11 @@ if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then

 fi

 function add_nova_flag {

-    echo "$1" >> $NOVA_CONF/nova.conf

+    echo "$1" >> $NOVA_DIR/bin/nova.conf

 }

 # (re)create nova.conf

-rm -f $NOVA_CONF/nova.conf

+rm -f $NOVA_DIR/bin/nova.conf

 add_nova_flag "--verbose"

 add_nova_flag "--allow_admin_api"

 add_nova_flag "--scheduler_driver=$SCHEDULER"

@@ -1165,7 +1157,7 @@ fi

 VNCSERVER_LISTEN=${VNCSERVER_LISTEN=127.0.0.1}

 add_nova_flag "--vncserver_listen=$VNCSERVER_LISTEN"

 add_nova_flag "--vncserver_proxyclient_address=$VNCSERVER_PROXYCLIENT_ADDRESS"

-add_nova_flag "--api_paste_config=$NOVA_CONF/api-paste.ini"

+add_nova_flag "--api_paste_config=$NOVA_DIR/bin/nova-api-paste.ini"

 add_nova_flag "--image_service=nova.image.glance.GlanceImageService"

 add_nova_flag "--ec2_dmz_host=$EC2_DMZ_HOST"

 add_nova_flag "--rabbit_host=$RABBIT_HOST"

@@ -1231,51 +1223,6 @@ if [[ "$ENABLED_SERVICES" =~ "mysql" ]]; then

 fi

-# Keystone

-# --------

-

-if [[ "$ENABLED_SERVICES" =~ "key" ]]; then

-    # (re)create keystone database

-    mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'DROP DATABASE IF EXISTS keystone;'

-    mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE keystone;'

-

-    # Configure keystone.conf

-    KEYSTONE_CONF=$KEYSTONE_DIR/etc/keystone.conf

-    cp $FILES/keystone.conf $KEYSTONE_CONF

-    sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF

-    sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF

-

-    # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``.

-    KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh

-    cp $FILES/keystone_data.sh $KEYSTONE_DATA

-    sudo sed -e "

-        s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g;

-        s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g;

-        s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g;

-        s,%KEYSTONE_SERVICE_HOST%,$KEYSTONE_SERVICE_HOST,g;

-        s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g;

-        s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g;

-        s,%SERVICE_HOST%,$SERVICE_HOST,g;

-        s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g;

-        s,%ADMIN_PASSWORD%,$ADMIN_PASSWORD,g;

-    " -i $KEYSTONE_DATA

-

-    # Prepare up the database

-    $KEYSTONE_DIR/bin/keystone-manage sync_database

-

-    # initialize keystone with default users/endpoints

-    ENABLED_SERVICES=$ENABLED_SERVICES BIN_DIR=$KEYSTONE_DIR/bin bash $KEYSTONE_DATA

-

-    if [ "$SYSLOG" != "False" ]; then

-        sed -i -e '/^handlers=devel$/s/=devel/=production/' \

-            $KEYSTONE_DIR/etc/logging.cnf

-        sed -i -e "/^log_file/s/log_file/\#log_file/" \

-            $KEYSTONE_DIR/etc/keystone.conf

-        KEYSTONE_LOG_CONFIG="--log-config $KEYSTONE_DIR/etc/logging.cnf"

-    fi

-fi

-

-

 # Launch Services

 # ===============

@@ -1317,16 +1264,54 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then

     fi

 fi

+if [[ "$ENABLED_SERVICES" =~ "key" ]]; then

+    # (re)create keystone database

+    mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'DROP DATABASE IF EXISTS keystone;'

+    mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE keystone;'

+

+    # Configure keystone.conf

+    KEYSTONE_CONF=$KEYSTONE_DIR/etc/keystone.conf

+    cp $FILES/keystone.conf $KEYSTONE_CONF

+    sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF

+    sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF

+    sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF

+    sudo sed -e "s,%KEYSTONE_DIR%,$KEYSTONE_DIR,g" -i $KEYSTONE_CONF

+

+    KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.templates

+    cp $FILES/default_catalog.templates $KEYSTONE_CATALOG

+    sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG

+

+

+    if [ "$SYSLOG" != "False" ]; then

+        cp $KEYSTONE_DIR/etc/logging.conf.sample $KEYSTONE_DIR/etc/logging.conf

+        sed -i -e '/^handlers=devel$/s/=devel/=production/' \

+            $KEYSTONE_DIR/etc/logging.conf

+        sed -i -e "/^log_file/s/log_file/\#log_file/" \

+            $KEYSTONE_DIR/etc/keystone.conf

+        KEYSTONE_LOG_CONFIG="--log-config $KEYSTONE_DIR/etc/logging.conf"

+    fi

+fi

+

 # launch the keystone and wait for it to answer before continuing

 if [[ "$ENABLED_SERVICES" =~ "key" ]]; then

-    screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d"

+    screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"

     echo "Waiting for keystone to start..."

-    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT; do sleep 1; done"; then

+    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then

       echo "keystone did not start"

       exit 1

     fi

+

+    # initialize keystone with default users/endpoints

+    pushd $KEYSTONE_DIR

+    $KEYSTONE_DIR/bin/keystone-manage db_sync

+    popd

+

+    # keystone_data.sh creates services, admin and demo users, and roles.

+    SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0

+    ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh

 fi

+

 # launch the nova-api and wait for it to answer before continuing

 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

     screen_it n-api "cd $NOVA_DIR && $NOVA_DIR/bin/nova-api"

@@ -1459,6 +1444,10 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then

     # Create a directory for the downloaded image tarballs.

     mkdir -p $FILES/images

+    ADMIN_USER=admin

+    ADMIN_TENANT=admin

+    TOKEN=`curl -s -d  "{\"auth\":{\"passwordCredentials\": {\"username\": \"$ADMIN_USER\", \"password\": \"$ADMIN_PASSWORD\"}, \"tenantName\": \"$ADMIN_TENANT\"}}" -H "Content-type: application/json" http://$HOST_IP:5000/v2.0/tokens | python -c "import sys; import json; tok = json.loads(sys.stdin.read()); print tok['access']['token']['id'];"`

+

     # Option to upload legacy ami-tty, which works with xenserver

     if [ $UPLOAD_LEGACY_TTY ]; then

         if [ ! -f $FILES/tty.tgz ]; then

@@ -1466,11 +1455,11 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then

         fi

         tar -zxf $FILES/tty.tgz -C $FILES/images

-        RVAL=`glance add -A $SERVICE_TOKEN name="tty-kernel" is_public=true container_format=aki disk_format=aki < $FILES/images/aki-tty/image`

+        RVAL=`glance add -A $TOKEN name="tty-kernel" is_public=true container_format=aki disk_format=aki < $FILES/images/aki-tty/image`

         KERNEL_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "`

-        RVAL=`glance add -A $SERVICE_TOKEN name="tty-ramdisk" is_public=true container_format=ari disk_format=ari < $FILES/images/ari-tty/image`

+        RVAL=`glance add -A $TOKEN name="tty-ramdisk" is_public=true container_format=ari disk_format=ari < $FILES/images/ari-tty/image`

         RAMDISK_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "`

-        glance add -A $SERVICE_TOKEN name="tty" is_public=true container_format=ami disk_format=ami kernel_id=$KERNEL_ID ramdisk_id=$RAMDISK_ID < $FILES/images/ami-tty/image

+        glance add -A $TOKEN name="tty" is_public=true container_format=ami disk_format=ami kernel_id=$KERNEL_ID ramdisk_id=$RAMDISK_ID < $FILES/images/ami-tty/image

     fi

     for image_url in ${IMAGE_URLS//,/ }; do

@@ -1517,14 +1506,14 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then

         # kernel for use when uploading the root filesystem.

         KERNEL_ID=""; RAMDISK_ID="";

         if [ -n "$KERNEL" ]; then

-            RVAL=`glance add -A $SERVICE_TOKEN name="$IMAGE_NAME-kernel" is_public=true container_format=aki disk_format=aki < "$KERNEL"`

+            RVAL=`glance add -A $TOKEN name="$IMAGE_NAME-kernel" is_public=true container_format=aki disk_format=aki < "$KERNEL"`

             KERNEL_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "`

         fi

         if [ -n "$RAMDISK" ]; then

-            RVAL=`glance add -A $SERVICE_TOKEN name="$IMAGE_NAME-ramdisk" is_public=true container_format=ari disk_format=ari < "$RAMDISK"`

+            RVAL=`glance add -A $TOKEN name="$IMAGE_NAME-ramdisk" is_public=true container_format=ari disk_format=ari < "$RAMDISK"`

             RAMDISK_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "`

         fi

-        glance add -A $SERVICE_TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}")

+        glance add -A $TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}")

     done

 fi

@@ -16,7 +16,7 @@ GLANCE_BRANCH=master

 # unified auth system (manages accounts/tokens)

 KEYSTONE_REPO=https://github.com/openstack/keystone.git

-KEYSTONE_BRANCH=master

+KEYSTONE_BRANCH=redux

 # a websockets/html5 or flash powered VNC console for vm instances

 NOVNC_REPO=https://github.com/cloudbuilders/noVNC.git

@@ -76,6 +76,11 @@ case "$LIBVIRT_TYPE" in

         IMAGE_URLS="http://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-uec.tar.gz";;

 esac

+# use stored ec2 env variables

+if [ -f ./ec2rc ]; then

+    source ./ec2rc

+fi

+

 # allow local overrides of env variables

 if [ -f ./localrc ]; then

     source ./localrc