use_cookbook-openstackclient/identity_v3

- Now use cookbook-openstackclient to create endpoints, role, service and
  user
- added domain creation and access granting
- added values to work with identity_v3
- rewrote specs to work again
- updated readme

Change-Id: If5c3758c786b2d11cec6d64dc57530367acd2976
Depends-On: I0f8955f05de9b33711c54b9a198f45018cceb8e1
Christoph Albers 2016-08-31 16:02:06 +02:00
parent 1e41bc7811
commit f2c3db560e
7 changed files with 219 additions and 222 deletions


@ -6,3 +6,6 @@ cookbook "openstack-identity",
github: "openstack/cookbook-openstack-identity"
cookbook "openstack-common",
github: "openstack/cookbook-openstack-common"
cookbook "openstackclient",
github: "cloudbau/cookbook-openstackclient"
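Review bot: The new `cookbook "openstackclient"` entry is an unpinned GitHub checkout from a third-party organisation (cloudbau) with no `tag:`, `ref:` or `branch:`, so what gets resolved into the identity-registration recipe can change under the cookbook without any change here. The same dependency is declared in metadata.rb as `depends 'openstackclient'` with no version constraint, although the two openstack-* dependencies next to it require `>= 14.0.0` and the README in this commit states `'openstackclient', '>= 0.1.0'`. At minimum the metadata line should match the README: `depends 'openstackclient', '>= 0.1.0'`, and pinning the Berksfile source to a tag or commit would make the resolved code reproducible and reviewable.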


@ -27,6 +27,7 @@ The following cookbooks are dependencies:
- 'openstack-common', '>= 14.0.0'
- 'openstack-identity', '>= 14.0.0'
- 'openstackclient', '>= 0.1.0'
Attributes
==========
@ -74,6 +75,7 @@ License and Author
| **Author** | Mark Vanderwiel (<vanderwl@us.ibm.com>) |
| **Author** | Jan Klare (<j.klare@x-ion.de>) |
| **Author** | Dr. Jens Rosenboom (<j.rosenboom@x-ion.de>) |
| **Author** | Christoph Albers (<c.albers@x-ion.de>) |
| | |
| **Copyright** | Copyright (c) 2013-2014, IBM Corp. |
| **Copyright** | Copyright (c) 2014, SUSE Linux, GmbH. |


@ -19,8 +19,10 @@
default['openstack']['orchestration']['conf']['DEFAULT']['log_dir'] = '/var/log/heat'
default['openstack']['orchestration']['conf']['oslo_messaging_notifications']['driver'] = 'heat.openstack.common.notifier.rpc_notifier'
default['openstack']['orchestration']['conf']['keystone_authtoken']['auth_type'] = 'v2password'
default['openstack']['orchestration']['conf']['keystone_authtoken']['auth_type'] = 'v3password'
default['openstack']['orchestration']['conf']['keystone_authtoken']['username'] = 'heat'
default['openstack']['orchestration']['conf']['keystone_authtoken']['tenant_name'] = 'service'
default['openstack']['orchestration']['conf']['trustee']['auth_plugin'] = 'v2password'
default['openstack']['orchestration']['conf']['keystone_authtoken']['project_name'] = 'service'
default['openstack']['orchestration']['conf']['keystone_authtoken']['project_domain_name'] = 'Default'
default['openstack']['orchestration']['conf']['keystone_authtoken']['user_domain_name'] = 'Default'
default['openstack']['orchestration']['conf']['trustee']['auth_plugin'] = 'v3password'
default['openstack']['orchestration']['conf']['trustee']['username'] = 'heat'
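Review bot: The `[trustee]` section is switched to `auth_plugin = 'v3password'` but, unlike `keystone_authtoken`, receives no `user_domain_name`/`project_domain_name` attributes; a v3 password plugin that is given a username rather than a user id normally also needs the user's domain, so heat's trust creation is likely to fail at runtime unless the domain is supplied somewhere not visible here. The trustee expectations in the spec hunk further down (auth_url, auth_plugin, username, password only) encode the same gap rather than catching it. Consider adding `default['openstack']['orchestration']['conf']['trustee']['user_domain_name'] = 'Default'` next to the existing trustee keys and asserting it in the spec.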


@ -15,3 +15,4 @@ end
depends 'openstack-common', '>= 14.0.0'
depends 'openstack-identity', '>= 14.0.0'
depends 'openstackclient'


@ -26,7 +26,6 @@ end
identity_admin_endpoint = admin_endpoint 'identity'
token = get_password 'token', 'openstack_identity_bootstrap_token'
auth_url = ::URI.decode identity_admin_endpoint.to_s
admin_heat_endpoint = admin_endpoint 'orchestration-api'
@ -37,36 +36,88 @@ internal_heat_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
public_heat_cfn_endpoint = public_endpoint 'orchestration-api-cfn'
service_pass = get_password 'service', 'openstack-orchestration'
service_tenant_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['tenant_name']
service_project_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['project_name']
service_user = node['openstack']['orchestration']['conf']['keystone_authtoken']['username']
service_role = node['openstack']['orchestration']['service_role']
region = node['openstack']['orchestration']['conf']['DEFAULT']['region_name_for_services']
service_type = 'orchestration'
service_name = 'heat'
service_domain_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['user_domain_name']
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
admin_project = node['openstack']['identity']['admin_project']
admin_domain = node['openstack']['identity']['admin_domain_name']
region = node['openstack']['region']
# Do not configure a service/endpoint in keystone for heat-api-cloudwatch(Bug #1167927),
# See discussions on https://bugs.launchpad.net/heat/+bug/1167927
# Register Heat API Service
openstack_identity_register 'Register Heat Orchestration Service' do
auth_uri auth_url
bootstrap_token token
service_name 'heat'
service_type 'orchestration'
service_description 'Heat Orchestration Service'
connection_params = {
openstack_auth_url: "#{auth_url}/auth/tokens",
openstack_username: admin_user,
openstack_api_key: admin_pass,
openstack_project_name: admin_project,
openstack_domain_name: admin_domain
}
action :create_service
# Register Orchestration Service
openstack_service service_name do
type service_type
connection_params connection_params
end
# Register Heat API Endpoint
openstack_identity_register 'Register Heat Orchestration Endpoint' do
auth_uri auth_url
bootstrap_token token
service_type 'orchestration'
endpoint_region region
endpoint_adminurl admin_heat_endpoint.to_s
endpoint_internalurl internal_heat_endpoint.to_s
endpoint_publicurl public_heat_endpoint.to_s
# Register Orchestration Public-Endpoint
openstack_endpoint service_type do
service_name service_name
interface 'public'
url public_heat_endpoint.to_s
region region
connection_params connection_params
end
action :create_endpoint
# Register Orchestration Internal-Endpoint
openstack_endpoint service_type do
service_name service_name
url internal_heat_endpoint.to_s
region region
connection_params connection_params
end
# Register Orchestration Admin-Endpoint
openstack_endpoint service_type do
service_name service_name
interface 'admin'
url admin_heat_endpoint.to_s
region region
connection_params connection_params
end
# Register Service Tenant
openstack_project service_project_name do
connection_params connection_params
end
# Register Service User
openstack_user service_user do
project_name service_project_name
role_name service_role
password service_pass
connection_params connection_params
end
## Grant Service role to Service User for Service Tenant ##
openstack_user service_user do
role_name service_role
project_name service_project_name
connection_params connection_params
action :grant_role
end
openstack_user service_user do
domain_name service_domain_name
role_name service_role
user_name service_user
connection_params connection_params
action :grant_domain
end
# TODO: (MRV) Revert this change until a better solution can be found
@ -74,61 +125,62 @@ end
# if node.run_list.include?('openstack-orchestration::api-cfn')
# Register Heat API Cloudformation Service
openstack_identity_register 'Register Heat Cloudformation Service' do
auth_uri auth_url
bootstrap_token token
openstack_service 'heat-cfn' do
type 'cloudformation'
connection_params connection_params
end
# Register Heat API CloudFormation Public-Endpoint
openstack_endpoint 'cloudformation' do
service_name 'heat-cfn'
service_type 'cloudformation'
service_description 'Heat Cloudformation Service'
action :create_service
interface 'public'
url public_heat_cfn_endpoint.to_s
region region
connection_params connection_params
end
# Register Heat API CloudFormation Endpoint
openstack_identity_register 'Register Heat Cloudformation Endpoint' do
auth_uri auth_url
bootstrap_token token
service_type 'cloudformation'
endpoint_region region
endpoint_adminurl admin_heat_cfn_endpoint.to_s
endpoint_internalurl internal_heat_cfn_endpoint.to_s
endpoint_publicurl public_heat_cfn_endpoint.to_s
action :create_endpoint
# Register Heat API CloudFormation Internal-Endpoint
openstack_endpoint 'cloudformation' do
service_name 'heat-cfn'
url internal_heat_cfn_endpoint.to_s
region region
connection_params connection_params
end
# Register Heat API CloudFormation Admin-Endpoint
openstack_endpoint 'cloudformation' do
service_name 'heat-cfn'
interface 'admin'
url admin_heat_cfn_endpoint.to_s
region region
connection_params connection_params
end
# end
# Register Service Tenant
openstack_identity_register 'Register Service Tenant' do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
tenant_description 'Service Tenant'
tenant_enabled true # Not required as this is the default
action :create_tenant
openstack_project service_project_name do
connection_params connection_params
end
# Register Service User
openstack_identity_register 'Register Heat Service User' do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
user_name service_user
user_pass service_pass
# String until https://review.openstack.org/#/c/29498/ merged
user_enabled true
action :create_user
openstack_user service_user do
project_name service_project_name
role_name service_role
password service_pass
connection_params connection_params
end
## Grant Service role to Service User for Service Tenant ##
openstack_identity_register "Grant '#{service_role}' Role to #{service_user} User for #{service_tenant_name} Tenant" do
auth_uri auth_url
bootstrap_token token
tenant_name service_tenant_name
user_name service_user
openstack_user service_user do
role_name service_role
project_name service_project_name
connection_params connection_params
action :grant_role
end
openstack_user service_user do
domain_name service_domain_name
role_name service_role
user_name service_user
connection_params connection_params
action :grant_domain
end
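Review bot: The internal endpoint resources (`openstack_endpoint service_type` with `url internal_heat_endpoint.to_s`, and the cloudformation one with `url internal_heat_cfn_endpoint.to_s`) set no `interface`, while the public and admin ones set it explicitly; unless the openstackclient resource defaults `interface` to 'internal' — and the spec's commented-out interface assertion suggests the author was not sure — the internal URL is registered under the default interface and may overwrite or duplicate the public or admin entry, so add `interface 'internal'` to both. Separately, the `openstack_user service_user` block with `action :grant_domain` grants `service_role` on the whole `service_domain_name` domain, which is much broader than the per-project grant above it; if `service_role` resolves to an admin role this makes the heat service user an admin of the Default domain, so either the recipe should comment on why domain scope is required or the grant should be narrowed. Also, `openstack_user service_user` is declared three times with the same resource name; on Chef 12 later declarations clone the earlier resource's attributes (including `password`), a behaviour that is deprecated and removed in Chef 13, so giving each declaration a distinct name string would avoid relying on it.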


@ -9,171 +9,106 @@ describe 'openstack-orchestration::identity_registration' do
include_context 'orchestration_stubs'
it 'register heat orchestration service' do
expect(chef_run).to create_service_openstack_identity_register(
'Register Heat Orchestration Service'
connection_params = {
openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens',
openstack_username: 'admin',
openstack_api_key: 'admin-pass',
openstack_project_name: 'admin',
openstack_domain_name: 'default'
}
service_name = 'heat'
service_type = 'orchestration'
service_user = 'heat'
url = 'http://127.0.0.1:8004/v1/%(tenant_id)s'
region = 'RegionOne'
project_name = 'service'
role_name = 'service'
password = 'heat-pass'
domain_name = 'Default'
it "registers #{project_name} Project" do
expect(chef_run).to create_openstack_project(
project_name
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_name: 'heat',
service_type: 'orchestration',
service_description: 'Heat Orchestration Service',
action: [:create_service]
connection_params: connection_params
)
end
it 'register heat orchestration endpoint' do
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
it "registers #{service_name} service" do
expect(chef_run).to create_openstack_service(
service_name
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_region: 'RegionOne',
endpoint_adminurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
endpoint_internalurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
endpoint_publicurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
action: [:create_endpoint]
connection_params: connection_params,
type: service_type
)
end
it 'register heat orchestration endpoint with custom region override' do
node.set['openstack']['orchestration']['conf']['DEFAULT']['region_name_for_services'] = 'region123'
context "registers #{service_name} endpoint" do
%w(admin internal public).each do |interface|
it "#{interface} endpoint with default values" do
expect(chef_run).to create_openstack_endpoint(
service_type
).with(
service_name: service_name,
# interface: interface,
url: url,
region: region,
connection_params: connection_params
)
end
end
end
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
it 'registers service user' do
expect(chef_run).to create_openstack_user(
service_user
).with(
endpoint_region: 'region123',
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_adminurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
endpoint_internalurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
endpoint_publicurl: 'http://127.0.0.1:8004/v1/%(tenant_id)s',
action: [:create_endpoint]
project_name: project_name,
role_name: role_name,
password: password,
connection_params: connection_params
)
end
it do
expect(chef_run).to grant_domain_openstack_user(
service_user
).with(
domain_name: domain_name,
role_name: role_name,
connection_params: connection_params
)
end
it do
expect(chef_run).to grant_role_openstack_user(
service_user
).with(
project_name: project_name,
role_name: role_name,
password: password,
connection_params: connection_params
)
end
it 'register heat cloudformation service' do
expect(chef_run).to create_service_openstack_identity_register(
'Register Heat Cloudformation Service'
expect(chef_run).to create_openstack_service(
'heat-cfn'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_name: 'heat-cfn',
service_type: 'cloudformation',
service_description: 'Heat Cloudformation Service',
action: [:create_service]
connection_params: connection_params
)
end
it 'registers heat-api endpoint with different urls' do
admin_url = 'https://admin.host:123/admin_path'
public_url = 'http://public.host:456/public_path'
internal_url = 'http://internal.host:456/internal_path'
node.set['openstack']['endpoints']['admin']['orchestration-api']['uri'] = admin_url
node.set['openstack']['endpoints']['public']['orchestration-api']['uri'] = public_url
node.set['openstack']['endpoints']['internal']['orchestration-api']['uri'] = internal_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Orchestration Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'orchestration',
endpoint_region: 'RegionOne',
endpoint_adminurl: admin_url,
endpoint_internalurl: internal_url,
endpoint_publicurl: public_url,
action: [:create_endpoint]
)
end
it 'register heat cloudformation endpoint' do
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Cloudformation Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'cloudformation',
endpoint_region: 'RegionOne',
endpoint_adminurl: 'http://127.0.0.1:8000/v1',
endpoint_internalurl: 'http://127.0.0.1:8000/v1',
endpoint_publicurl: 'http://127.0.0.1:8000/v1',
action: [:create_endpoint]
)
end
it 'register heat-cfn endpoint with all different urls' do
admin_url = 'https://admin.host:123/admin_path'
internal_url = 'http://internal.host:456/internal_path'
public_url = 'https://public.host:789/public_path'
node.set['openstack']['endpoints']['admin']['orchestration-api-cfn']['uri'] = admin_url
node.set['openstack']['endpoints']['internal']['orchestration-api-cfn']['uri'] = internal_url
node.set['openstack']['endpoints']['public']['orchestration-api-cfn']['uri'] = public_url
expect(chef_run).to create_endpoint_openstack_identity_register(
'Register Heat Cloudformation Endpoint'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
service_type: 'cloudformation',
endpoint_region: 'RegionOne',
endpoint_adminurl: admin_url,
endpoint_internalurl: internal_url,
endpoint_publicurl: public_url,
action: [:create_endpoint]
)
end
it 'registers service tenant' do
expect(chef_run).to create_tenant_openstack_identity_register(
'Register Service Tenant'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
tenant_name: 'service',
tenant_description: 'Service Tenant'
)
end
it 'registers heat service user' do
expect(chef_run).to create_user_openstack_identity_register(
'Register Heat Service User'
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
tenant_name: 'service',
user_name: 'heat',
user_pass: 'heat-pass',
user_enabled: true,
action: [:create_user]
)
end
it 'grants service role to service user for service tenant' do
expect(chef_run).to grant_role_openstack_identity_register(
"Grant 'service' Role to heat User for service Tenant"
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
tenant_name: 'service',
user_name: 'heat',
role_name: 'service',
action: [:grant_role]
)
end
it 'does not create role for template defined users by default' do
expect(chef_run).not_to create_role_openstack_identity_register(
"Create '' Role for template defined users"
).with(
auth_uri: 'http://127.0.0.1:35357/v2.0',
bootstrap_token: 'bootstrap-token',
role_name: '',
action: [:create_role]
)
%w(admin internal public).each do |interface|
it "#{interface} cloudformation endpoint with default values" do
expect(chef_run).to create_openstack_endpoint(
'cloudformation'
).with(
service_name: 'heat-cfn',
url: 'http://127.0.0.1:8000/v1',
region: region,
connection_params: connection_params
)
end
end
end
end
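Review bot: The `%w(admin internal public).each` loop asserts the same `.with(...)` three times because `# interface: interface` is commented out, so the spec never verifies that each interface is registered; the cloudformation loop (`"#{interface} cloudformation endpoint with default values"`) does not reference `interface` at all. Re-enable `interface: interface` in both loops (which in turn needs the recipe to set `interface 'internal'` on the internal endpoints) so the examples test what their descriptions promise. The `grant_role_openstack_user` example also expects `password: password`, but the recipe's `action :grant_role` resource sets no password; this probably passes only through Chef 12 resource cloning of the earlier `openstack_user service_user` declaration and would break once that behaviour is gone, so drop `password:` from that expectation. The two bare `it do` examples would also read better with descriptions such as `it 'grants domain role to service user'`.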


@ -48,7 +48,7 @@ shared_context 'orchestration_stubs' do
.and_return 'heat-pass'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'admin')
.and_return 'admin_pass'
.and_return 'admin-pass'
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('token', 'orchestration_auth_encryption_key')
.and_return 'auth_encryption_key_secret'
@ -182,7 +182,7 @@ shared_examples 'expects to create heat conf' do
describe 'has ec2authtoken values' do
it 'has default ec2authtoken values' do
expect(chef_run).to render_config_file(file.name).with_section_content('ec2authtoken', %r{^auth_uri = http://127.0.0.1:5000/v2.0$})
expect(chef_run).to render_config_file(file.name).with_section_content('ec2authtoken', %r{^auth_uri = http://127.0.0.1:5000/v3$})
end
end
@ -206,10 +206,12 @@ shared_examples 'expects to create heat conf' do
describe 'has keystone_authtoken values' do
it 'has default keystone_authtoken values' do
[
%r{^auth_url = http://127.0.0.1:5000/v2.0$},
/^auth_type = v2password$/,
%r{^auth_url = http://127.0.0.1:5000/v3$},
/^auth_type = v3password$/,
/^username = heat$/,
/^tenant_name = service$/,
/^project_name = service$/,
/^user_domain_name = Default/,
/^project_domain_name = Default/,
/^password = heat-pass$/
].each do |line|
expect(chef_run).to render_config_file(file.name).with_section_content('keystone_authtoken', line)
@ -220,8 +222,8 @@ shared_examples 'expects to create heat conf' do
describe 'has trustee values' do
it 'has default trustee values' do
[
%r{^auth_url = http://127.0.0.1:35357/v2.0$},
/^auth_plugin = v2password$/,
%r{^auth_url = http://127.0.0.1:35357/v3$},
/^auth_plugin = v3password$/,
/^username = heat$/,
/^password = heat-pass$/
].each do |line|