#!/bin/bash # # lib/keystone # Functions to control the configuration and operation of **Keystone** # Dependencies: # # - ``functions`` file # - ``tls`` file # - ``DEST``, ``STACK_USER`` # - ``FILES`` # - ``IDENTITY_API_VERSION`` # - ``BASE_SQL_CONN`` # - ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` # - ``S3_SERVICE_PORT`` (template backend only) # ``stack.sh`` calls the entry points in this order: # # - install_keystone # - configure_keystone # - _config_keystone_apache_wsgi # - init_keystone # - start_keystone # - bootstrap_keystone # - create_keystone_accounts # - stop_keystone # - cleanup_keystone # Save trace setting _XTRACE_KEYSTONE=$(set +o | grep xtrace) set +o xtrace # Defaults # -------- # Set up default directories GITDIR["keystoneauth"]=$DEST/keystoneauth GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware KEYSTONE_DIR=$DEST/keystone # Keystone virtual environment if [[ ${USE_VENV} = True ]]; then PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin else KEYSTONE_BIN_DIR=$(get_python_exec_prefix) fi KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone} KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini} # Toggle for deploying Keystone under HTTPD + mod_wsgi # Deprecated in Mitaka, use KEYSTONE_DEPLOY instead. KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}} # KEYSTONE_DEPLOY defines how keystone is deployed, allowed values: # - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi # - uwsgi : Run keystone under uwsgi if [ -z "$KEYSTONE_DEPLOY" ]; then if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then KEYSTONE_DEPLOY=mod_wsgi elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then KEYSTONE_DEPLOY=mod_wsgi else KEYSTONE_DEPLOY=uwsgi fi fi # Select the token persistence backend driver KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql} # Select the Identity backend driver KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql} # Select the Assignment backend driver KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql} # Select the Role backend driver KEYSTONE_ROLE_BACKEND=${KEYSTONE_ROLE_BACKEND:-sql} # Select the Resource backend driver KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql} # Select Keystone's token provider (and format) # Choose from 'uuid', 'pki', 'pkiz', or 'fernet' KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet} KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]') # Set Keystone interface configuration KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358} KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL} # Public facing bits KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001} KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} # Bind hosts KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST} # Set the project for service accounts in Keystone SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default} SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service} # Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards # compatibility; we should be using SERVICE_PROJECT_NAME now SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service} # if we are running with SSL use https protocols if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then KEYSTONE_AUTH_PROTOCOL="https" KEYSTONE_SERVICE_PROTOCOL="https" fi # complete URIs if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then # If running in Apache, use path access rather than port. KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity else KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} fi # V3 URIs KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3 KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3 # Security compliance KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True} KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2} KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5} KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2} # Functions # --------- # Test if Keystone is enabled # is_keystone_enabled function is_keystone_enabled { [[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0 return 1 } # cleanup_keystone() - Remove residual data files, anything left over from previous # runs that a clean run would need to clean up function cleanup_keystone { disable_apache_site keystone sudo rm -f $(apache_site_config_for keystone) } # _config_keystone_apache_wsgi() - Set WSGI config files of Keystone function _config_keystone_apache_wsgi { local keystone_apache_conf keystone_apache_conf=$(apache_site_config_for keystone) keystone_ssl_listen="#" local keystone_ssl="" local keystone_certfile="" local keystone_keyfile="" local keystone_service_port=$KEYSTONE_SERVICE_PORT local keystone_auth_port=$KEYSTONE_AUTH_PORT local venv_path="" if is_ssl_enabled_service key; then keystone_ssl_listen="" keystone_ssl="SSLEngine On" keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT" keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY" fi if is_service_enabled tls-proxy; then keystone_service_port=$KEYSTONE_SERVICE_PORT_INT keystone_auth_port=$KEYSTONE_AUTH_PORT_INT fi if [[ ${USE_VENV} = True ]]; then venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages" fi sudo cp $FILES/apache-keystone.template $keystone_apache_conf sudo sed -e " s|%PUBLICPORT%|$keystone_service_port|g; s|%ADMINPORT%|$keystone_auth_port|g; s|%APACHE_NAME%|$APACHE_NAME|g; s|%SSLLISTEN%|$keystone_ssl_listen|g; s|%SSLENGINE%|$keystone_ssl|g; s|%SSLCERTFILE%|$keystone_certfile|g; s|%SSLKEYFILE%|$keystone_keyfile|g; s|%USER%|$STACK_USER|g; s|%VIRTUALENV%|$venv_path|g s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g " -i $keystone_apache_conf } # configure_keystone() - Set config files, create data dirs, etc function configure_keystone { sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then install -m 600 $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI" fi fi if [[ -f "$KEYSTONE_PASTE_INI" ]]; then iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI" else # compatibility with mixed cfg and paste.deploy configuration KEYSTONE_PASTE_INI="$KEYSTONE_CONF" fi if [ "$ENABLE_IDENTITY_V2" == "False" ]; then # Only Identity v3 API should be available; then disable v2 pipelines inidelete $KEYSTONE_PASTE_INI composite:main \\/v2.0 inidelete $KEYSTONE_PASTE_INI composite:admin \\/v2.0 fi # Rewrite stock ``keystone.conf`` if is_service_enabled ldap; then #Set all needed ldap values iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab" iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" fi iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND" iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND" # Enable caching iniset $KEYSTONE_CONF cache enabled "True" iniset $KEYSTONE_CONF cache backend "dogpile.cache.memcached" iniset $KEYSTONE_CONF cache memcache_servers localhost:11211 iniset_rpc_backend keystone $KEYSTONE_CONF # Register SSL certificates if provided if is_ssl_enabled_service key; then ensure_certificates KEYSTONE fi local service_port=$KEYSTONE_SERVICE_PORT local auth_port=$KEYSTONE_AUTH_PORT if is_service_enabled tls-proxy; then # Set the service ports for a proxy to take the originals service_port=$KEYSTONE_SERVICE_PORT_INT auth_port=$KEYSTONE_AUTH_PORT_INT fi # Override the endpoints advertised by keystone (the public_endpoint and # admin_endpoint) so that clients use the correct endpoint. By default, the # keystone server uses the public_port and admin_port which isn't going to # work when you want to use a different port (in the case of proxy), or you # don't want the port (in the case of putting keystone on a path in # apache). if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI fi if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT fi iniset $KEYSTONE_CONF database connection `database_connection_url keystone` iniset $KEYSTONE_CONF token driver "$KEYSTONE_TOKEN_BACKEND" # Set up logging if [ "$SYSLOG" != "False" ]; then iniset $KEYSTONE_CONF DEFAULT use_syslog "True" fi # Format logging if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_DEPLOY" != "mod_wsgi" ] ; then setup_colorized_logging $KEYSTONE_CONF fi iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s" _config_keystone_apache_wsgi else # uwsgi # iniset creates these files when it's called if they don't exist. KEYSTONE_PUBLIC_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini KEYSTONE_ADMIN_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini rm -f "$KEYSTONE_PUBLIC_UWSGI_FILE" rm -f "$KEYSTONE_ADMIN_UWSGI_FILE" if is_ssl_enabled_service key; then iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi https $KEYSTONE_SERVICE_HOST:$service_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi https $KEYSTONE_ADMIN_BIND_HOST:$auth_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY else iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi http $KEYSTONE_SERVICE_HOST:$service_port iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi http $KEYSTONE_ADMIN_BIND_HOST:$auth_port fi iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-public" iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi processes $(nproc) iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-admin" iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi processes $API_WORKERS # Common settings for file in "$KEYSTONE_PUBLIC_UWSGI_FILE" "$KEYSTONE_ADMIN_UWSGI_FILE"; do # This is running standalone iniset "$file" uwsgi master true # Set die-on-term & exit-on-reload so that uwsgi shuts down iniset "$file" uwsgi die-on-term true iniset "$file" uwsgi exit-on-reload true iniset "$file" uwsgi enable-threads true iniset "$file" uwsgi plugins python # uwsgi recommends this to prevent thundering herd on accept. iniset "$file" uwsgi thunder-lock true # Override the default size for headers from the 4k default. iniset "$file" uwsgi buffer-size 65535 # Make sure the client doesn't try to re-use the connection. iniset "$file" uwsgi add-header "Connection: close" # This ensures that file descriptors aren't shared between processes. iniset "$file" uwsgi lazy-apps true done fi iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/" iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/" # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project. # The users from this project are globally admin as before, but it also # allows policy changes in order to clarify the adminess scope. #iniset $KEYSTONE_CONF resource admin_project_domain_name Default #iniset $KEYSTONE_CONF resource admin_project_name admin if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT fi } # create_keystone_accounts() - Sets up common required keystone accounts # Project User Roles # ------------------------------------------------------------------ # admin admin admin # service -- -- # -- -- service # -- -- ResellerAdmin # -- -- Member # demo admin admin # demo demo Member, anotherrole # alt_demo admin admin # alt_demo alt_demo Member, anotherrole # invisible_to_admin demo Member # Group Users Roles Project # ------------------------------------------------------------------ # admins admin admin admin # nonadmins demo, alt_demo Member, anotherrole demo, alt_demo # Migrated from keystone_data.sh function create_keystone_accounts { # The keystone bootstrapping process (performed via keystone-manage bootstrap) # creates an admin user, admin role and admin project. As a sanity check # we exercise the CLI to retrieve the IDs for these values. local admin_project admin_project=$(openstack project show "admin" -f value -c id) local admin_user admin_user=$(openstack user show "admin" -f value -c id) local admin_role="admin" get_or_add_user_domain_role $admin_role $admin_user default # Create service project/role get_or_create_domain "$SERVICE_DOMAIN_NAME" get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" # Service role, so service users do not have to be admins get_or_create_role service # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. # The admin role in swift allows a user to act as an admin for their project, # but ResellerAdmin is needed for a user to act as any project. The name of this # role is also configurable in swift-proxy.conf get_or_create_role ResellerAdmin # The Member role is used by Horizon and Swift so we need to keep it: local member_role="member" # Captial Member role is legacy hard coded in Horizon / Swift # configs. Keep it around. get_or_create_role "Member" # The reality is that the rest of the roles listed below honestly # should work by symbolic names. get_or_create_role $member_role # another_role demonstrates that an arbitrary role may be created and used # TODO(sleepsonthefloor): show how this can be used for rbac in the future! local another_role="anotherrole" get_or_create_role $another_role # invisible project - admin can't see this one local invis_project invis_project=$(get_or_create_project "invisible_to_admin" default) # demo local demo_project demo_project=$(get_or_create_project "demo" default) local demo_user demo_user=$(get_or_create_user "demo" \ "$ADMIN_PASSWORD" "default" "demo@example.com") get_or_add_user_project_role $member_role $demo_user $demo_project get_or_add_user_project_role $admin_role $admin_user $demo_project get_or_add_user_project_role $another_role $demo_user $demo_project get_or_add_user_project_role $member_role $demo_user $invis_project # alt_demo local alt_demo_project alt_demo_project=$(get_or_create_project "alt_demo" default) local alt_demo_user alt_demo_user=$(get_or_create_user "alt_demo" \ "$ADMIN_PASSWORD" "default" "alt_demo@example.com") get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project get_or_add_user_project_role $admin_role $admin_user $alt_demo_project get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project # groups local admin_group admin_group=$(get_or_create_group "admins" \ "default" "openstack admin group") local non_admin_group non_admin_group=$(get_or_create_group "nonadmins" \ "default" "non-admin group") get_or_add_group_project_role $member_role $non_admin_group $demo_project get_or_add_group_project_role $another_role $non_admin_group $demo_project get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project get_or_add_group_project_role $admin_role $admin_group $admin_project } # Create a user that is capable of verifying keystone tokens for use with auth_token middleware. # # create_service_user [role] # # We always add the service role, other roles are also allowed to be added as historically # a lot of projects have configured themselves with the admin or other role here if they are # using this user for other purposes beyond simply auth_token middleware. function create_service_user { get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" if [[ -n "$2" ]]; then get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" fi } # Configure the service to use the auth token middleware. # # configure_auth_token_middleware conf_file admin_user signing_dir [section] # # section defaults to keystone_authtoken, which is where auth_token looks in # the .conf file. If the paste config file is used (api-paste.ini) then # provide the section name for the auth_token filter. function configure_auth_token_middleware { local conf_file=$1 local admin_user=$2 local signing_dir=$3 local section=${4:-keystone_authtoken} iniset $conf_file $section auth_type password iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI iniset $conf_file $section username $admin_user iniset $conf_file $section password $SERVICE_PASSWORD iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" iniset $conf_file $section project_name $SERVICE_PROJECT_NAME iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI iniset $conf_file $section cafile $SSL_BUNDLE_FILE iniset $conf_file $section signing_dir $signing_dir iniset $conf_file $section memcached_servers $SERVICE_HOST:11211 } # init_keystone() - Initialize databases, etc. function init_keystone { if is_service_enabled ldap; then init_ldap fi if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then # (Re)create keystone database recreate_database keystone fi # Initialize keystone database $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF db_sync if [[ "$KEYSTONE_TOKEN_FORMAT" == "pki" || "$KEYSTONE_TOKEN_FORMAT" == "pkiz" ]]; then # Set up certificates rm -rf $KEYSTONE_CONF_DIR/ssl $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF pki_setup fi if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/" $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF fernet_setup fi rm -rf "$KEYSTONE_CONF_DIR/credential-keys/" $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF credential_setup } # install_keystoneauth() - Collect source and prepare function install_keystoneauth { if use_library_from_git "keystoneauth"; then git_clone_by_name "keystoneauth" setup_dev_lib "keystoneauth" fi } # install_keystoneclient() - Collect source and prepare function install_keystoneclient { if use_library_from_git "python-keystoneclient"; then git_clone_by_name "python-keystoneclient" setup_dev_lib "python-keystoneclient" fi } # install_keystonemiddleware() - Collect source and prepare function install_keystonemiddleware { # install_keystonemiddleware() is called when keystonemiddleware is needed # to provide an opportunity to install it from the source repo if use_library_from_git "keystonemiddleware"; then git_clone_by_name "keystonemiddleware" setup_dev_lib "keystonemiddleware" else # When not installing from repo, keystonemiddleware is still needed... pip_install_gr keystonemiddleware fi # Install the memcache library so keystonemiddleware can cache tokens in a # shared location. pip_install_gr python-memcached } # install_keystone() - Collect source and prepare function install_keystone { # only install ldap if the service has been enabled if is_service_enabled ldap; then install_ldap fi git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH setup_develop $KEYSTONE_DIR if is_service_enabled ldap; then setup_develop $KEYSTONE_DIR ldap fi if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then install_apache_wsgi if is_ssl_enabled_service "key"; then enable_mod_ssl fi elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then pip_install uwsgi fi } # start_keystone() - Start running processes, including screen function start_keystone { # Get right service port for testing local service_port=$KEYSTONE_SERVICE_PORT local auth_protocol=$KEYSTONE_AUTH_PROTOCOL if is_service_enabled tls-proxy; then service_port=$KEYSTONE_SERVICE_PORT_INT auth_protocol="http" fi if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then enable_apache_site keystone restart_apache_server tail_log key /var/log/$APACHE_NAME/keystone.log tail_log key-access /var/log/$APACHE_NAME/keystone_access.log else # uwsgi # TODO(sdague): we should really get down to a single keystone here enable_service key-p enable_service key-a run_process key-p "$KEYSTONE_BIN_DIR/uwsgi $KEYSTONE_PUBLIC_UWSGI_FILE" "" run_process key-a "$KEYSTONE_BIN_DIR/uwsgi $KEYSTONE_ADMIN_UWSGI_FILE" "" fi echo "Waiting for keystone to start..." # Check that the keystone service is running. Even if the tls tunnel # should be enabled, make sure the internal port is checked using # unencryted traffic at this point. # If running in Apache, use the path rather than port. local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ fi if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then die $LINENO "keystone did not start" fi # Start proxies if enabled if is_service_enabled tls-proxy; then start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT fi # (re)start memcached to make sure we have a clean memcache. restart_service memcached } # stop_keystone() - Stop running processes function stop_keystone { if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then disable_apache_site keystone restart_apache_server fi # Kill the Keystone screen window stop_process key } # bootstrap_keystone() - Initialize user, role and project # This function uses the following GLOBAL variables: # - ``KEYSTONE_BIN_DIR`` # - ``ADMIN_PASSWORD`` # - ``IDENTITY_API_VERSION`` # - ``KEYSTONE_AUTH_URI`` # - ``REGION_NAME`` # - ``KEYSTONE_SERVICE_PROTOCOL`` # - ``KEYSTONE_SERVICE_HOST`` # - ``KEYSTONE_SERVICE_PORT`` function bootstrap_keystone { $KEYSTONE_BIN_DIR/keystone-manage bootstrap \ --bootstrap-username admin \ --bootstrap-password "$ADMIN_PASSWORD" \ --bootstrap-project-name admin \ --bootstrap-role-name admin \ --bootstrap-service-name keystone \ --bootstrap-region-id "$REGION_NAME" \ --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \ --bootstrap-public-url "$KEYSTONE_SERVICE_URI" } # Restore xtrace $_XTRACE_KEYSTONE # Tell emacs to use shell-script-mode ## Local variables: ## mode: shell-script ## End: