From 284d54be798a3cdea0f1745f22e39a0cc0db2a0f Mon Sep 17 00:00:00 2001
From: Jens Harbott
Date: Thu, 4 Apr 2019 12:39:38 +0000
Subject: [PATCH] Drop admin endpoints
The admin endpoints offer no special functionality, users may talk to the public endpoints instead. The only historic use case has been the keystone v2 admin endpoint, but with keystone v3 API, even that is no longer needed, except that it's use is hardcoded in keystonemiddleware. So we prepare everything for completely getting rid of the admin Identity endpoint, but still create it during bootstrap. Also drop explicitly creating resources that are created during keystone bootstrap anyway.
[0] https://opendev.org/openstack/openstack-chef-specs/src/branch/master/specs/ocata/all/drop-admin-endpoints.rst
Depends-On: https://review.openstack.org/652052
Depends-On: https://review.openstack.org/652064
Depends-On: https://review.openstack.org/652098
Depends-On: https://review.openstack.org/652589
Change-Id: Iddfae1c2cb29217cd9aae89d56bc65fa935fcd28
---
attributes/default.rb | 15 ++--------
recipes/registration.rb | 35 ++++++++----------------
recipes/server-apache.rb | 2 +-
spec/registration_spec.rb | 31 +--------------------
spec/server-apache_spec.rb | 19 ++-----------
templates/default/keystone-paste.ini.erb | 22 ---------------
6 files changed, 17 insertions(+), 107 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 4ce2217..4306b0b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -8,6 +8,7 @@
 # Copyright 2013, IBM Corp.
 # Copyright 2017, x-ion GmbH
 # Copyright 2018, Workday, Inc.
+# Copyright 2019, x-ion GmbH
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,19 +56,7 @@ default['openstack']['identity']['token']['backend'] = 'sql'
 # will be used (keystone-paste.ini.erb)
 default['openstack']['identity']['pastefile_url'] = nil
 
-# This specify the pipeline of the keystone public API,
-# all Identity public API requests will be processed by the order of the pipeline.
-# this value will be used in the templated version of keystone-paste.ini
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
-# This specify the pipeline of the keystone admin API,
-# all Identity admin API requests will be processed by the order of the pipeline.
-# this value will be used in the templated version of keystone-paste.ini
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
-# This specify the pipeline of the keystone V3 API,
+# This specifies the pipeline of the keystone V3 API,
 # all Identity V3 API requests will be processed by the order of the pipeline.
 # this value will be used in the templated version of keystone-paste.ini
 # The last item in this pipeline must be service_v3 or an equivalent
diff --git a/recipes/registration.rb b/recipes/registration.rb
index 0cb885b..81de878 100644
--- a/recipes/registration.rb
+++ b/recipes/registration.rb
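Review bot: Wrapper cookbooks that still override `node['openstack']['identity']['pipeline']['public_api']` or `['admin_api']` will now have those values silently ignored, because the attributes are deleted here and the template no longer reads them, with no deprecation notice. A one-time warning in the recipe that renders keystone-paste.ini (outside this diff), e.g. `Chef::Log.warn 'identity.pipeline.public_api/admin_api are no longer used (v2.0 and admin APIs removed)' if node['openstack']['identity']['pipeline'].key?('public_api') || node['openstack']['identity']['pipeline'].key?('admin_api')`, would surface stale overrides during the transition. The remaining `api_v3` comment lines continue past the end of this hunk.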
@@ -38,15 +38,20 @@ auth_url = ::URI.decode identity_internal_endpoint.to_s
 admin_project = node['openstack']['identity']['admin_project']
 admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
-admin_role = node['openstack']['identity']['admin_role']
 admin_domain = node['openstack']['identity']['admin_domain_name']
 
+# endpoint type to use when creating resources
+# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for
+# Identity operations, so we need to override this after we dropped that one
+endpoint_type = node['openstack']['identity']['endpoint_type']
+
 connection_params = {
- openstack_auth_url: "#{auth_url}/auth/tokens",
- openstack_username: admin_user,
- openstack_api_key: admin_pass,
- openstack_project_name: admin_project,
- openstack_domain_id: admin_domain,
+ openstack_auth_url: "#{auth_url}/auth/tokens",
+ openstack_username: admin_user,
+ openstack_api_key: admin_pass,
+ openstack_project_name: admin_project,
+ openstack_domain_id: admin_domain,
+ openstack_endpoint_type: endpoint_type,
 }
 
 ruby_block 'wait for identity endpoint' do
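Review bot: The new NOTE says the admin endpoint has been dropped, but the bootstrap in server-apache.rb still registers one (the spec in this commit still expects `--bootstrap-admin-url`), so the comment overstates the state of things; something like `# Identity operations; override it so registration does not depend on the admin endpoint, which is kept only for keystonemiddleware` would match what the commit actually does. Also `endpoint_type` is read from `node['openstack']['identity']['endpoint_type']`, which is not declared in the attributes hunk of this commit and presumably comes from a dependency cookbook; if it resolves to nil, `openstack_endpoint_type: nil` is passed and the fog default this comment warns about likely applies again, failing later with a confusing error. A fail-fast such as `raise 'openstack.identity.endpoint_type must be set' if endpoint_type.nil?` before `connection_params` is built would turn that into a clear message.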
@@ -65,31 +70,13 @@ ruby_block 'wait for identity endpoint' do
 end
 end
 
-openstack_domain 'identity' do
- connection_params connection_params
-end
-
-openstack_user admin_user do
- domain_name admin_domain
- role_name admin_role
- connection_params connection_params
- action :grant_domain
-end
-
 # create default service role
 openstack_role 'service' do
 connection_params connection_params
 end
 
-# create default role for horizon dashboard login
-openstack_role '_member_' do
- connection_params connection_params
-end
-
-node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
 node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
 node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
 
-Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb
index 0df8cc3..86603dd 100644
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@@ -170,7 +170,6 @@ end
 # set keystone config parameters for endpoints, memcache
 node.default['openstack']['identity']['conf'].tap do |conf|
 conf['DEFAULT']['public_endpoint'] = api_endpoint
- conf['DEFAULT']['admin_endpoint'] = api_endpoint
 conf['memcache']['servers'] = memcache_servers if memcache_servers
 end
 
@@ -204,6 +203,7 @@ execute 'keystone-manage db_sync' do
 end
 
 # bootstrap keystone after keystone.conf is generated
+# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed
 execute 'bootstrap_keystone' do
 command "keystone-manage bootstrap \\
 --bootstrap-password #{admin_pass} \\
diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb
index bbb6568..02ddef6 100644
--- a/spec/registration_spec.rb
+++ b/spec/registration_spec.rb
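Review bot: Removing the `node.normal['openstack']['identity']['adminURL']` assignment does not remove the value from nodes that have already converged, because normal attributes are persisted on the node object until explicitly deleted, so searches or wrapper cookbooks reading `adminURL` keep seeing the stale endpoint after upgrade. Consider clearing it next to the remaining assignments, e.g. `node.rm_normal('openstack', 'identity', 'adminURL')`, and keeping that line for at least one release so upgraded nodes are cleaned up. The `ruby_block` whose closing `end`s open this hunk starts outside the diff.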
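Review bot: The added TODO in server-apache.rb would be more actionable if it named what is still required, since the `bootstrap_keystone` command it precedes keeps passing an admin URL (the updated server-apache_spec.rb still expects `--bootstrap-admin-url`); `# TODO(frickler): drop --bootstrap-admin-url and the admin Identity endpoint once keystonemiddleware no longer hardcodes its use` ties the comment to the concrete argument to remove. The `execute 'bootstrap_keystone'` body continues past the end of this hunk.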
@@ -17,11 +17,8 @@ describe 'openstack-identity::registration' do
 openstack_api_key: 'admin',
 openstack_project_name: 'admin',
 openstack_domain_id: 'default',
+ openstack_endpoint_type: 'internalURL',
 }
- service_user = 'admin'
- role_name = 'admin'
- admin_domain_name = 'default'
- domain_name = 'identity'
 
 describe 'keystone bootstrap' do
 context 'default values' do
@@ -29,24 +26,6 @@ describe 'openstack-identity::registration' do
 expect(chef_run).to run_ruby_block('wait for identity endpoint')
 end
 
- it "registers #{domain_name} domain" do
- expect(chef_run).to create_openstack_domain(
- domain_name
- ).with(
- connection_params: connection_params
- )
- end
-
- it "grants #{service_user} user to #{domain_name} domain" do
- expect(chef_run).to grant_domain_openstack_user(
- service_user
- ).with(
- domain_name: admin_domain_name,
- role_name: role_name,
- connection_params: connection_params
- )
- end
-
 it 'create service role' do
 expect(chef_run).to create_openstack_role(
 'service'
@@ -54,14 +33,6 @@ describe 'openstack-identity::registration' do
 connection_params: connection_params
 )
 end
-
- it 'create service role' do
- expect(chef_run).to create_openstack_role(
- '_member_'
- ).with(
- connection_params: connection_params
- )
- end
 end
 end
 end
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index 4fe36a4..ce5a5d1 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@@ -20,9 +20,7 @@ describe 'openstack-identity::server-apache' do
 project_name = 'admin'
 role_name = 'admin'
 password = 'admin'
- admin_url = 'http://127.0.0.1:5000/v3'
 public_url = 'http://127.0.0.1:5000/v3'
- internal_url = 'http://127.0.0.1:5000/v3'
 
 it 'runs logging recipe if node attributes say to' do
 node.override['openstack']['identity']['syslog']['use'] = true
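Review bot: The removed examples in the second and third registration_spec.rb hunks are not replaced by negative assertions, so nothing now verifies that the recipe really stopped creating the `identity` domain, the `_member_` role and the admin domain grant — the spec would still pass if one of them came back. Adding checks such as `expect(chef_run).not_to create_openstack_role('_member_')` and `expect(chef_run).not_to create_openstack_domain('identity')` in the 'default values' context pins the intended behaviour. The enclosing `describe` block starts before the first hunk.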
@@ -53,9 +51,9 @@ describe 'openstack-identity::server-apache' do
 --bootstrap-role-name #{role_name} \\
 --bootstrap-service-name #{service_name} \\
 --bootstrap-region-id #{region} \\
- --bootstrap-admin-url #{admin_url} \\
+ --bootstrap-admin-url #{public_url} \\
 --bootstrap-public-url #{public_url} \\
- --bootstrap-internal-url #{internal_url}")
+ --bootstrap-internal-url #{public_url}")
 end
 
 describe '/etc/keystone' do
@@ -241,26 +239,13 @@ describe 'openstack-identity::server-apache' do
 let(:path) { '/etc/keystone/keystone-paste.ini' }
 
 it 'has default api pipeline values' do
- expect(chef_run).to render_config_file(path).with_section_content(
- 'pipeline:public_api',
- /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
- )
- expect(chef_run).to render_config_file(path).with_section_content(
- 'pipeline:admin_api',
- /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
- )
 expect(chef_run).to render_config_file(path).with_section_content(
 'pipeline:api_v3',
 /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
 )
 end
 
 it 'template api pipeline set correct' do
- node.override['openstack']['identity']['pipeline']['public_api'] = 'public_service'
 node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
- expect(chef_run).to render_config_file(path).with_section_content(
- 'pipeline:public_api',
- /^pipeline = public_service$/
- )
 expect(chef_run).to render_config_file(path).with_section_content(
 'pipeline:api_v3',
 /^pipeline = service_v3$/
diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb
index 5e78296..9a36edb 100644
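Review bot: In the second hunk here, 'has default api pipeline values' now only checks that `pipeline:api_v3` survived; nothing asserts that the admin pipeline and `composite:admin` are actually absent from the rendered paste file, which is the security-relevant outcome of this commit (no admin application left reachable through the WSGI config). Next to the remaining expectation, add e.g. `expect(chef_run).not_to render_file(path).with_content(/^\[composite:admin\]/)` and `expect(chef_run).not_to render_file(path).with_content(/^\[pipeline:admin_api\]/)`. The 'template api pipeline set correct' example continues past the end of the hunk.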
--- a/templates/default/keystone-paste.ini.erb
+++ b/templates/default/keystone-paste.ini.erb
@@ -51,42 +51,20 @@ use = egg:keystone#public_service
 [app:service_v3]
 use = egg:keystone#service_v3
 
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %>
-
-[pipeline:admin_api]
-pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %>
-
 [pipeline:api_v3]
 pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
 
 [app:public_version_service]
 use = egg:keystone#public_version_service
 
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
 [pipeline:public_version_api]
 pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
 
-[pipeline:admin_version_api]
-pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
-
 [composite:main]
 use = egg:Paste#urlmap
-/v2.0 = public_api
 /v3 = api_v3
 / = public_version_api
 
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
-
 <% if node['openstack']['identity']['misc_paste'] %>
 <% node['openstack']['identity']['misc_paste'].each do |m| %>
 <%= m %>
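Review bot: With `/v2.0 = public_api` removed from `[composite:main]`, requests under `/v2.0` are now matched by the `/` entry and handled by `public_version_api` instead of a v2 application; that is the intended retirement of v2, but it deserves a comment above `[composite:main]` such as `# v2.0 API removed: /v2.0 now resolves to the version discovery app` so the next reader does not re-add the mapping. Also, anything that still loads the `admin` composite — a separate admin WSGI script or vhost, neither visible in this diff — would fail to start now that `[composite:admin]` is gone, so it is worth confirming server-apache.rb no longer references it. Since `misc_paste` fragments are still appended verbatim at the end of this hunk, a wrapper can re-create the removed sections; that is pre-existing behaviour but is the remaining way an admin pipeline could reappear.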