Merge "Drop admin endpoints"
commit
c8a2a909b0
|
@ -8,6 +8,7 @@
|
||||||
# Copyright 2013, IBM Corp.
|
# Copyright 2013, IBM Corp.
|
||||||
# Copyright 2017, x-ion GmbH
|
# Copyright 2017, x-ion GmbH
|
||||||
# Copyright 2018, Workday, Inc.
|
# Copyright 2018, Workday, Inc.
|
||||||
|
# Copyright 2019, x-ion GmbH
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -55,19 +56,7 @@ default['openstack']['identity']['token']['backend'] = 'sql'
|
||||||
# will be used (keystone-paste.ini.erb)
|
# will be used (keystone-paste.ini.erb)
|
||||||
default['openstack']['identity']['pastefile_url'] = nil
|
default['openstack']['identity']['pastefile_url'] = nil
|
||||||
|
|
||||||
# This specify the pipeline of the keystone public API,
|
# This specifies the pipeline of the keystone V3 API,
|
||||||
# all Identity public API requests will be processed by the order of the pipeline.
|
|
||||||
# this value will be used in the templated version of keystone-paste.ini
|
|
||||||
# The last item in this pipeline must be public_service or an equivalent
|
|
||||||
# application. It cannot be a filter.
|
|
||||||
default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
|
|
||||||
# This specify the pipeline of the keystone admin API,
|
|
||||||
# all Identity admin API requests will be processed by the order of the pipeline.
|
|
||||||
# this value will be used in the templated version of keystone-paste.ini
|
|
||||||
# The last item in this pipeline must be admin_service or an equivalent
|
|
||||||
# application. It cannot be a filter.
|
|
||||||
default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
|
|
||||||
# This specify the pipeline of the keystone V3 API,
|
|
||||||
# all Identity V3 API requests will be processed by the order of the pipeline.
|
# all Identity V3 API requests will be processed by the order of the pipeline.
|
||||||
# this value will be used in the templated version of keystone-paste.ini
|
# this value will be used in the templated version of keystone-paste.ini
|
||||||
# The last item in this pipeline must be service_v3 or an equivalent
|
# The last item in this pipeline must be service_v3 or an equivalent
|
||||||
|
|
|
@ -38,15 +38,20 @@ auth_url = ::URI.decode identity_internal_endpoint.to_s
|
||||||
admin_project = node['openstack']['identity']['admin_project']
|
admin_project = node['openstack']['identity']['admin_project']
|
||||||
admin_user = node['openstack']['identity']['admin_user']
|
admin_user = node['openstack']['identity']['admin_user']
|
||||||
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
|
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
|
||||||
admin_role = node['openstack']['identity']['admin_role']
|
|
||||||
admin_domain = node['openstack']['identity']['admin_domain_name']
|
admin_domain = node['openstack']['identity']['admin_domain_name']
|
||||||
|
|
||||||
|
# endpoint type to use when creating resources
|
||||||
|
# NOTE(frickler): fog-openstack defaults to the 'admin' endpoint for
|
||||||
|
# Identity operations, so we need to override this after we dropped that one
|
||||||
|
endpoint_type = node['openstack']['identity']['endpoint_type']
|
||||||
|
|
||||||
connection_params = {
|
connection_params = {
|
||||||
openstack_auth_url: "#{auth_url}/auth/tokens",
|
openstack_auth_url: "#{auth_url}/auth/tokens",
|
||||||
openstack_username: admin_user,
|
openstack_username: admin_user,
|
||||||
openstack_api_key: admin_pass,
|
openstack_api_key: admin_pass,
|
||||||
openstack_project_name: admin_project,
|
openstack_project_name: admin_project,
|
||||||
openstack_domain_id: admin_domain,
|
openstack_domain_id: admin_domain,
|
||||||
|
openstack_endpoint_type: endpoint_type,
|
||||||
}
|
}
|
||||||
|
|
||||||
ruby_block 'wait for identity endpoint' do
|
ruby_block 'wait for identity endpoint' do
|
||||||
|
@ -65,31 +70,13 @@ ruby_block 'wait for identity endpoint' do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
openstack_domain 'identity' do
|
|
||||||
connection_params connection_params
|
|
||||||
end
|
|
||||||
|
|
||||||
openstack_user admin_user do
|
|
||||||
domain_name admin_domain
|
|
||||||
role_name admin_role
|
|
||||||
connection_params connection_params
|
|
||||||
action :grant_domain
|
|
||||||
end
|
|
||||||
|
|
||||||
# create default service role
|
# create default service role
|
||||||
openstack_role 'service' do
|
openstack_role 'service' do
|
||||||
connection_params connection_params
|
connection_params connection_params
|
||||||
end
|
end
|
||||||
|
|
||||||
# create default role for horizon dashboard login
|
|
||||||
openstack_role '_member_' do
|
|
||||||
connection_params connection_params
|
|
||||||
end
|
|
||||||
|
|
||||||
node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
|
|
||||||
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
|
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
|
||||||
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
|
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
|
||||||
|
|
||||||
Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
|
|
||||||
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
|
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
|
||||||
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
|
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
|
||||||
|
|
|
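Review bot: `endpoint_type` is read straight from `node['openstack']['identity']['endpoint_type']` and handed to fog as `openstack_endpoint_type` with no default or validation visible in this section. If the attribute is unset, fog-openstack would presumably fall back to the 'admin' endpoint that the NOTE describes, which is the case this change is meant to avoid. Consider failing fast right after the assignment, for example `raise 'openstack/identity/endpoint_type must be set' if endpoint_type.nil?`, or confirm that the attributes file ships a default (the registration spec expects `'internalURL'`). The attribute's definition is not part of the hunks shown here.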
@ -170,7 +170,6 @@ end
|
||||||
# set keystone config parameters for endpoints, memcache
|
# set keystone config parameters for endpoints, memcache
|
||||||
node.default['openstack']['identity']['conf'].tap do |conf|
|
node.default['openstack']['identity']['conf'].tap do |conf|
|
||||||
conf['DEFAULT']['public_endpoint'] = api_endpoint
|
conf['DEFAULT']['public_endpoint'] = api_endpoint
|
||||||
conf['DEFAULT']['admin_endpoint'] = api_endpoint
|
|
||||||
conf['memcache']['servers'] = memcache_servers if memcache_servers
|
conf['memcache']['servers'] = memcache_servers if memcache_servers
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -204,6 +203,7 @@ execute 'keystone-manage db_sync' do
|
||||||
end
|
end
|
||||||
|
|
||||||
# bootstrap keystone after keystone.conf is generated
|
# bootstrap keystone after keystone.conf is generated
|
||||||
|
# TODO(frickler): drop admin endpoint once keystonemiddleware is fixed
|
||||||
execute 'bootstrap_keystone' do
|
execute 'bootstrap_keystone' do
|
||||||
command "keystone-manage bootstrap \\
|
command "keystone-manage bootstrap \\
|
||||||
--bootstrap-password #{admin_pass} \\
|
--bootstrap-password #{admin_pass} \\
|
||||||
|
|
|
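Review bot: The `bootstrap_keystone` command below the new TODO still interpolates `#{admin_pass}` unquoted into the shell command line. That puts the admin password in the process argument list and, unless the resource is marked sensitive, in Chef's output when the command is logged or fails; a password with whitespace or shell metacharacters would also change the command. keystone-manage reads the bootstrap password from the environment, so the `--bootstrap-password #{admin_pass} \\` line could be replaced by `environment 'OS_BOOTSTRAP_PASSWORD' => admin_pass` together with `sensitive true` on the resource. The `execute` block continues past the end of this hunk, so these properties may already be set there.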
@ -17,11 +17,8 @@ describe 'openstack-identity::registration' do
|
||||||
openstack_api_key: 'admin',
|
openstack_api_key: 'admin',
|
||||||
openstack_project_name: 'admin',
|
openstack_project_name: 'admin',
|
||||||
openstack_domain_id: 'default',
|
openstack_domain_id: 'default',
|
||||||
|
openstack_endpoint_type: 'internalURL',
|
||||||
}
|
}
|
||||||
service_user = 'admin'
|
|
||||||
role_name = 'admin'
|
|
||||||
admin_domain_name = 'default'
|
|
||||||
domain_name = 'identity'
|
|
||||||
|
|
||||||
describe 'keystone bootstrap' do
|
describe 'keystone bootstrap' do
|
||||||
context 'default values' do
|
context 'default values' do
|
||||||
|
@ -29,24 +26,6 @@ describe 'openstack-identity::registration' do
|
||||||
expect(chef_run).to run_ruby_block('wait for identity endpoint')
|
expect(chef_run).to run_ruby_block('wait for identity endpoint')
|
||||||
end
|
end
|
||||||
|
|
||||||
it "registers #{domain_name} domain" do
|
|
||||||
expect(chef_run).to create_openstack_domain(
|
|
||||||
domain_name
|
|
||||||
).with(
|
|
||||||
connection_params: connection_params
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
it "grants #{service_user} user to #{domain_name} domain" do
|
|
||||||
expect(chef_run).to grant_domain_openstack_user(
|
|
||||||
service_user
|
|
||||||
).with(
|
|
||||||
domain_name: admin_domain_name,
|
|
||||||
role_name: role_name,
|
|
||||||
connection_params: connection_params
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'create service role' do
|
it 'create service role' do
|
||||||
expect(chef_run).to create_openstack_role(
|
expect(chef_run).to create_openstack_role(
|
||||||
'service'
|
'service'
|
||||||
|
@ -54,14 +33,6 @@ describe 'openstack-identity::registration' do
|
||||||
connection_params: connection_params
|
connection_params: connection_params
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'create service role' do
|
|
||||||
expect(chef_run).to create_openstack_role(
|
|
||||||
'_member_'
|
|
||||||
).with(
|
|
||||||
connection_params: connection_params
|
|
||||||
)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -20,9 +20,7 @@ describe 'openstack-identity::server-apache' do
|
||||||
project_name = 'admin'
|
project_name = 'admin'
|
||||||
role_name = 'admin'
|
role_name = 'admin'
|
||||||
password = 'admin'
|
password = 'admin'
|
||||||
admin_url = 'http://127.0.0.1:5000/v3'
|
|
||||||
public_url = 'http://127.0.0.1:5000/v3'
|
public_url = 'http://127.0.0.1:5000/v3'
|
||||||
internal_url = 'http://127.0.0.1:5000/v3'
|
|
||||||
|
|
||||||
it 'runs logging recipe if node attributes say to' do
|
it 'runs logging recipe if node attributes say to' do
|
||||||
node.override['openstack']['identity']['syslog']['use'] = true
|
node.override['openstack']['identity']['syslog']['use'] = true
|
||||||
|
@ -53,9 +51,9 @@ describe 'openstack-identity::server-apache' do
|
||||||
--bootstrap-role-name #{role_name} \\
|
--bootstrap-role-name #{role_name} \\
|
||||||
--bootstrap-service-name #{service_name} \\
|
--bootstrap-service-name #{service_name} \\
|
||||||
--bootstrap-region-id #{region} \\
|
--bootstrap-region-id #{region} \\
|
||||||
--bootstrap-admin-url #{admin_url} \\
|
--bootstrap-admin-url #{public_url} \\
|
||||||
--bootstrap-public-url #{public_url} \\
|
--bootstrap-public-url #{public_url} \\
|
||||||
--bootstrap-internal-url #{internal_url}")
|
--bootstrap-internal-url #{public_url}")
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '/etc/keystone' do
|
describe '/etc/keystone' do
|
||||||
|
@ -241,26 +239,13 @@ describe 'openstack-identity::server-apache' do
|
||||||
let(:path) { '/etc/keystone/keystone-paste.ini' }
|
let(:path) { '/etc/keystone/keystone-paste.ini' }
|
||||||
|
|
||||||
it 'has default api pipeline values' do
|
it 'has default api pipeline values' do
|
||||||
expect(chef_run).to render_config_file(path).with_section_content(
|
|
||||||
'pipeline:public_api',
|
|
||||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
|
|
||||||
)
|
|
||||||
expect(chef_run).to render_config_file(path).with_section_content(
|
|
||||||
'pipeline:admin_api',
|
|
||||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
|
|
||||||
)
|
|
||||||
expect(chef_run).to render_config_file(path).with_section_content(
|
expect(chef_run).to render_config_file(path).with_section_content(
|
||||||
'pipeline:api_v3',
|
'pipeline:api_v3',
|
||||||
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
|
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
it 'template api pipeline set correct' do
|
it 'template api pipeline set correct' do
|
||||||
node.override['openstack']['identity']['pipeline']['public_api'] = 'public_service'
|
|
||||||
node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
|
node.override['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
|
||||||
expect(chef_run).to render_config_file(path).with_section_content(
|
|
||||||
'pipeline:public_api',
|
|
||||||
/^pipeline = public_service$/
|
|
||||||
)
|
|
||||||
expect(chef_run).to render_config_file(path).with_section_content(
|
expect(chef_run).to render_config_file(path).with_section_content(
|
||||||
'pipeline:api_v3',
|
'pipeline:api_v3',
|
||||||
/^pipeline = service_v3$/
|
/^pipeline = service_v3$/
|
||||||
|
|
|
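Review bot: In the bootstrap command expectation, `--bootstrap-admin-url` and `--bootstrap-internal-url` are now both asserted against `public_url`, and the removed `admin_url` and `internal_url` fixtures held the same `http://127.0.0.1:5000/v3` value, so the test cannot tell whether the recipe passes the intended endpoint to each flag. Keeping `internal_url` as its own fixture and giving it a value that differs from `public_url` (set through the node's endpoint attributes in the spec) would let the expectation catch an internal/public swap. If the admin URL is meant to alias the public endpoint until the recipe's TODO is resolved, a short comment on that line, such as `# admin URL intentionally aliases the public endpoint`, would make that explicit. The `it` block containing this expectation starts outside the hunk.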
@ -51,42 +51,20 @@ use = egg:keystone#public_service
|
||||||
[app:service_v3]
|
[app:service_v3]
|
||||||
use = egg:keystone#service_v3
|
use = egg:keystone#service_v3
|
||||||
|
|
||||||
[app:admin_service]
|
|
||||||
use = egg:keystone#admin_service
|
|
||||||
|
|
||||||
[pipeline:public_api]
|
|
||||||
pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %>
|
|
||||||
|
|
||||||
[pipeline:admin_api]
|
|
||||||
pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %>
|
|
||||||
|
|
||||||
[pipeline:api_v3]
|
[pipeline:api_v3]
|
||||||
pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
|
pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %>
|
||||||
|
|
||||||
[app:public_version_service]
|
[app:public_version_service]
|
||||||
use = egg:keystone#public_version_service
|
use = egg:keystone#public_version_service
|
||||||
|
|
||||||
[app:admin_version_service]
|
|
||||||
use = egg:keystone#admin_version_service
|
|
||||||
|
|
||||||
[pipeline:public_version_api]
|
[pipeline:public_version_api]
|
||||||
pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
|
pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
|
||||||
|
|
||||||
[pipeline:admin_version_api]
|
|
||||||
pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
|
|
||||||
|
|
||||||
[composite:main]
|
[composite:main]
|
||||||
use = egg:Paste#urlmap
|
use = egg:Paste#urlmap
|
||||||
/v2.0 = public_api
|
|
||||||
/v3 = api_v3
|
/v3 = api_v3
|
||||||
/ = public_version_api
|
/ = public_version_api
|
||||||
|
|
||||||
[composite:admin]
|
|
||||||
use = egg:Paste#urlmap
|
|
||||||
/v2.0 = admin_api
|
|
||||||
/v3 = api_v3
|
|
||||||
/ = admin_version_api
|
|
||||||
|
|
||||||
<% if node['openstack']['identity']['misc_paste'] %>
|
<% if node['openstack']['identity']['misc_paste'] %>
|
||||||
<% node['openstack']['identity']['misc_paste'].each do |m| %>
|
<% node['openstack']['identity']['misc_paste'].each do |m| %>
|
||||||
<%= m %>
|
<%= m %>
|
||||||
|
|