Merge "Drop admin endpoints"

attributes/default.rb

@@ -8,6 +8,7 @@
 # Copyright 2013, IBM Corp.
 # Copyright 2017, x-ion GmbH
 # Copyright 2018, Workday, Inc.
+# Copyright 2019, x-ion GmbH
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,19 +56,7 @@ default['openstack']['identity']['token']['backend'] = 'sql'
 # will be used (keystone-paste.ini.erb)
 default['openstack']['identity']['pastefile_url'] = nil
 
-# This specify the pipeline of the keystone public API,
-# all Identity public API requests will be processed by the order of the pipeline.
-# this value will be used in the templated version of keystone-paste.ini
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
-# This specify the pipeline of the keystone admin API,
-# all Identity admin API requests will be processed by the order of the pipeline.
-# this value will be used in the templated version of keystone-paste.ini
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
-# This specify the pipeline of the keystone V3 API,
+# This specifies the pipeline of the keystone V3 API,
 # all Identity V3 API requests will be processed by the order of the pipeline.
 # this value will be used in the templated version of keystone-paste.ini
 # The last item in this pipeline must be service_v3 or an equivalent

recipes/registration.rb

@@ -38,15 +38,20 @@ auth_url = ::URI.decode identity_internal_endpoint.to_s
 admin_project = node['openstack']['identity']['admin_project']
 admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
-admin_role = node['openstack']['identity']['admin_role']
 admin_domain = node['openstack']['identity']['admin_domain_name']
 
+# endpoint type to use when creating resources
+# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for
+# Identity operations, so we need to override this after we dropped that one
+endpoint_type = node['openstack']['identity']['endpoint_type']
+
 connection_params = {
-  openstack_auth_url:     "#{auth_url}/auth/tokens",
-  openstack_username:     admin_user,
-  openstack_api_key:      admin_pass,
-  openstack_project_name: admin_project,
-  openstack_domain_id:    admin_domain,
+  openstack_auth_url:      "#{auth_url}/auth/tokens",
+  openstack_username:      admin_user,
+  openstack_api_key:       admin_pass,
+  openstack_project_name:  admin_project,
+  openstack_domain_id:     admin_domain,
+  openstack_endpoint_type: endpoint_type,
 }
 
 ruby_block 'wait for identity endpoint' do
@@ -65,31 +70,13 @@ ruby_block 'wait for identity endpoint' do
   end
 end
 
-openstack_domain 'identity' do
-  connection_params connection_params
-end
-
-openstack_user admin_user do
-  domain_name admin_domain
-  role_name admin_role
-  connection_params connection_params
-  action :grant_domain
-end
-
 # create default service role
 openstack_role 'service' do
   connection_params connection_params
 end
 
-# create default role for horizon dashboard login
-openstack_role '_member_' do
-  connection_params connection_params
-end
-
-node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
 node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
 node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
 
-Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"

recipes/server-apache.rb

@@ -170,7 +170,6 @@ end
 # set keystone config parameters for endpoints, memcache
 node.default['openstack']['identity']['conf'].tap do |conf|
   conf['DEFAULT']['public_endpoint'] = api_endpoint
-  conf['DEFAULT']['admin_endpoint'] = api_endpoint
   conf['memcache']['servers'] = memcache_servers if memcache_servers
 end
 
@@ -204,6 +203,7 @@ execute 'keystone-manage db_sync' do
 end
 
 # bootstrap keystone after keystone.conf is generated
+# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed
 execute 'bootstrap_keystone' do
   command "keystone-manage bootstrap \\
           --bootstrap-password #{admin_pass} \\

spec/registration_spec.rb

@@ -17,11 +17,8 @@ describe 'openstack-identity::registration' do
       openstack_api_key: 'admin',
       openstack_project_name: 'admin',
       openstack_domain_id: 'default',
+      openstack_endpoint_type: 'internalURL',
     }
-    service_user = 'admin'
-    role_name = 'admin'
-    admin_domain_name = 'default'
-    domain_name = 'identity'
 
     describe 'keystone bootstrap' do
       context 'default values' do
@@ -29,24 +26,6 @@ describe 'openstack-identity::registration' do
           expect(chef_run).to run_ruby_block('wait for identity endpoint')
         end
 
-        it "registers #{domain_name} domain" do
-          expect(chef_run).to create_openstack_domain(
-            domain_name
-          ).with(
-            connection_params: connection_params
-          )
-        end
-
-        it "grants #{service_user} user to #{domain_name} domain" do
-          expect(chef_run).to grant_domain_openstack_user(
-            service_user
-          ).with(
-            domain_name: admin_domain_name,
-            role_name: role_name,
-            connection_params: connection_params
-          )
-        end
-
         it 'create service role' do
           expect(chef_run).to create_openstack_role(
             'service'
@@ -54,14 +33,6 @@ describe 'openstack-identity::registration' do
             connection_params: connection_params
           )
         end
-
-        it 'create service role' do
-          expect(chef_run).to create_openstack_role(
-            '_member_'
-          ).with(
-            connection_params: connection_params
-          )
-        end
       end
     end
   end

spec/server-apache_spec.rb

@@ -20,9 +20,7 @@ describe 'openstack-identity::server-apache' do
     project_name = 'admin'
     role_name = 'admin'
     password = 'admin'
-    admin_url = 'http://127.0.0.1:5000/v3'
     public_url = 'http://127.0.0.1:5000/v3'
-    internal_url = 'http://127.0.0.1:5000/v3'
 
     it 'runs logging recipe if node attributes say to' do
       node.override['openstack']['identity']['syslog']['use'] = true
@@ -53,9 +51,9 @@ describe 'openstack-identity::server-apache' do
           --bootstrap-role-name #{role_name} \\
           --bootstrap-service-name #{service_name} \\
           --bootstrap-region-id #{region} \\
-          --bootstrap-admin-url #{admin_url} \\
+          --bootstrap-admin-url #{public_url} \\
           --bootstrap-public-url #{public_url} \\
-          --bootstrap-internal-url #{internal_url}")
+          --bootstrap-internal-url #{public_url}")
     end
 
     describe '/etc/keystone' do
@@ -241,26 +239,13 @@ describe 'openstack-identity::server-apache' do
       let(:path) { '/etc/keystone/keystone-paste.ini' }
 
       it 'has default api pipeline values' do
-        expect(chef_run).to render_config_file(path).with_section_content(
-          'pipeline:public_api',
-          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
-        )
-        expect(chef_run).to render_config_file(path).with_section_content(
-          'pipeline:admin_api',
-          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
-        )
         expect(chef_run).to render_config_file(path).with_section_content(
           'pipeline:api_v3',
           /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
         )
       end
       it 'template api pipeline set correct' do
-        node.override['openstack']['identity']['pipeline']['public_api'] = 'public_service'
         node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
-        expect(chef_run).to render_config_file(path).with_section_content(
-          'pipeline:public_api',
-          /^pipeline = public_service$/
-        )
         expect(chef_run).to render_config_file(path).with_section_content(
           'pipeline:api_v3',
           /^pipeline = service_v3$/

templates/default/keystone-paste.ini.erb

@@ -51,42 +51,20 @@ use = egg:keystone#public_service
 [app:service_v3]
 use = egg:keystone#service_v3
 
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %>
-
-[pipeline:admin_api]
-pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %>
-
 [pipeline:api_v3]
 pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
 
 [app:public_version_service]
 use = egg:keystone#public_version_service
 
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
 [pipeline:public_version_api]
 pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
 
-[pipeline:admin_version_api]
-pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
-
 [composite:main]
 use = egg:Paste#urlmap
-/v2.0 = public_api
 /v3 = api_v3
 / = public_version_api
 
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
-
 <% if node['openstack']['identity']['misc_paste'] %>
 <% node['openstack']['identity']['misc_paste'].each do |m| %>
 <%= m %>