diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 3b7804ad6..fcd97952f 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -18,6 +18,8 @@ else MURANO_BIN_DIR=$(get_python_exec_prefix) fi +MURANO_AUTH_CACHE_DIR=${MURANO_AUTH_CACHE_DIR:-/var/cache/murano} + # create_murano_accounts() - Set up common required murano accounts # @@ -184,14 +186,15 @@ function configure_murano { #------------------------- # Setup keystone_authtoken section - iniset $MURANO_CONF_FILE keystone_authtoken auth_uri "http://${KEYSTONE_AUTH_HOST}:5000" - iniset $MURANO_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $MURANO_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $MURANO_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL - iniset $MURANO_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA - iniset $MURANO_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME - iniset $MURANO_CONF_FILE keystone_authtoken admin_user $MURANO_ADMIN_USER - iniset $MURANO_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD + configure_auth_token_middleware $MURANO_CONF_FILE $MURANO_ADMIN_USER $MURANO_AUTH_CACHE_DIR + + # Setup murano_auth section + iniset $MURANO_CONF_FILE murano_auth auth_uri $KEYSTONE_AUTH_URI + iniset $MURANO_CONF_FILE murano_auth admin_project_name $SERVICE_TENANT_NAME + iniset $MURANO_CONF_FILE murano_auth admin_user $MURANO_ADMIN_USER + iniset $MURANO_CONF_FILE murano_auth admin_password $SERVICE_PASSWORD + iniset $MURANO_CONF_FILE murano_auth user_domain_name "$SERVICE_DOMAIN_NAME" + iniset $MURANO_CONF_FILE murano_auth project_domain_name "$SERVICE_DOMAIN_NAME" configure_murano_rpc_backend 
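Review bot: The new `murano_auth` lines in configure_murano pass `$SERVICE_PASSWORD`, `$MURANO_ADMIN_USER` and `$KEYSTONE_AUTH_URI` to `iniset` unquoted, while the two domain-name lines directly below them are quoted; a password containing whitespace or glob characters would be word-split and a wrong value written to the config file. Quote them, e.g. `iniset "$MURANO_CONF_FILE" murano_auth admin_password "$SERVICE_PASSWORD"`. The same applies to the unquoted `$KEYSTONE_SERVICE_URI` arguments added in the later hunks (keystone `auth_url`, install_murano_apps, setup_core_library). The service password now lands in a second section of the same file, and configure_murano's body extends beyond this hunk, so whether the file's mode is restricted is not visible here and should be confirmed.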
@@ -202,10 +205,10 @@ function configure_murano { iniset $MURANO_CONF_FILE database connection `database_connection_url murano` # Configure keystone auth url - iniset $MURANO_CONF_FILE keystone auth_url "http://${KEYSTONE_AUTH_HOST}:5000" + iniset $MURANO_CONF_FILE keystone auth_url $KEYSTONE_SERVICE_URI # Configure Murano API URL - iniset $MURANO_CONF_FILE murano url "http://127.0.0.1:8082" + iniset $MURANO_CONF_FILE murano url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT" # Configure the number of api workers if [[ -n "$MURANO_API_WORKERS" ]]; then @@ -265,8 +268,8 @@ function install_murano_apps() { murano --os-username $OS_USERNAME \ --os-password $OS_PASSWORD \ --os-tenant-name $OS_PROJECT_NAME \ - --os-auth-url http://$KEYSTONE_AUTH_HOST:5000 \ - --murano-url http://127.0.0.1:8082 \ + --os-auth-url $KEYSTONE_SERVICE_URI \ + --murano-url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT" \ --glare-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_GLARE_HOSTPORT \ --murano-packages-service $MURANO_PACKAGES_SERVICE \ package-import \ 
@@ -290,20 +293,13 @@ function configure_service_broker { iniset $MURANO_CFAPI_CONF_FILE cfapi tenant "$MURANO_CFAPI_DEFAULT_TENANT" iniset $MURANO_CFAPI_CONF_FILE cfapi bind_host "$MURANO_SERVICE_HOST" iniset $MURANO_CFAPI_CONF_FILE cfapi bind_port "$MURANO_CFAPI_SERVICE_PORT" - iniset $MURANO_CFAPI_CONF_FILE cfapi auth_url "http://${KEYSTONE_AUTH_HOST}:5000" + iniset $MURANO_CFAPI_CONF_FILE cfapi auth_url "$KEYSTONE_SERVICE_URI" # configure the database. iniset $MURANO_CFAPI_CONF_FILE database connection `database_connection_url murano_cfapi` # Setup keystone_authtoken section - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_uri "http://${KEYSTONE_AUTH_HOST}:5000" - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_user $MURANO_ADMIN_USER - iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD + configure_auth_token_middleware $MURANO_CFAPI_CONF_FILE $MURANO_ADMIN_USER $MURANO_AUTH_CACHE_DIR } @@ -328,8 +324,18 @@ function init_murano() { recreate_database murano utf8 $MURANO_BIN_DIR/murano-db-manage --config-file $MURANO_CONF_FILE upgrade + + create_murano_cache_dir + } +# create_murano_cache_dir() - Part of the init_murano() process +function create_murano_cache_dir { + # Create cache dirs + sudo install -d -o $STACK_USER $MURANO_AUTH_CACHE_DIR +} + + # init_murano_cfapi() - Initialize databases, etc. function init_murano_cfapi() { 
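Review bot: `create_murano_cache_dir` calls `install -d` without `-m`, so the auth cache directory is created with install's default mode (0755) and is readable by every local user; both expansions are also unquoted. Because this path is what configure_murano and configure_service_broker pass to `configure_auth_token_middleware`, create it owner-only: `sudo install -d -m 0700 -o "$STACK_USER" "$MURANO_AUTH_CACHE_DIR"`. The function's header comment could also state that murano-api and the cfapi broker share this one directory.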
@@ -347,9 +353,9 @@ function setup_core_library() { murano --os-username admin \ --os-password $ADMIN_PASSWORD \ --os-tenant-name admin \ - --os-auth-url http://$KEYSTONE_AUTH_HOST:5000 \ + --os-auth-url $KEYSTONE_SERVICE_URI \ --os-region-name $REGION_NAME \ - --murano-url http://127.0.0.1:8082 \ + --murano-url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT" \ --glare-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_GLARE_HOSTPORT \ --murano-packages-service $MURANO_PACKAGES_SERVICE \ package-import $MURANO_DIR/meta/*.zip \ @@ -613,11 +619,12 @@ if is_service_enabled murano; then init_murano_cfapi start_service_broker fi - setup_core_library # Give Murano some time to Start sleep 3 + setup_core_library + # Install Murano apps, if needed install_murano_apps elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then diff --git a/murano/cmd/test_runner.py b/murano/cmd/test_runner.py index 640cc3a07..e570ec959 100644 --- a/murano/cmd/test_runner.py +++ b/murano/cmd/test_runner.py @@ -23,7 +23,6 @@ from muranoclient.common import utils from oslo_config import cfg from oslo_db import options from oslo_log import log as logging -from oslo_utils import importutils from oslo_utils import timeutils import six @@ -170,7 +169,7 @@ class MuranoTestRunner(object): 'auth_url': 'auth_uri', 'username': 'admin_user', 'password': 'admin_password', - 'project_name': 'admin_tenant_name'} + 'project_name': 'admin_project_name'} ks_opts = {'auth_url': getattr(args, 'os_auth_url', None), 'username': getattr(args, 'os_username', None), 
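Review bot: Moving `setup_core_library` below `sleep 3` still depends on a fixed three-second delay, so on a slow host the API may not be listening yet and the package import can fail. Poll for readiness instead of sleeping, for example with devstack's helper: `wait_for_service $SERVICE_TIMEOUT "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT"`. The enclosing `if is_service_enabled murano` block starts and ends outside this hunk.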
@@ -184,12 +183,10 @@ class MuranoTestRunner(object): '--os-project-name', '--os-tenant-id'])) LOG.error(msg) self.error(msg) - # Load keystone configuration parameters from config - importutils.import_module('keystonemiddleware.auth_token') for param, value in six.iteritems(ks_opts): if not value: - ks_opts[param] = getattr(CONF.keystone_authtoken, + ks_opts[param] = getattr(CONF.murano_auth, ks_opts_to_config[param]) if param == 'auth_url': ks_opts[param] = ks_opts[param].replace('v2.0', 'v3') diff --git a/murano/common/auth_utils.py b/murano/common/auth_utils.py index ab89ffccb..263e1017a 100644 --- a/murano/common/auth_utils.py +++ b/murano/common/auth_utils.py 
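Review bot: In the `for param, value` loop, missing values are now read only from `CONF.murano_auth`, whose options are registered without defaults, so a configuration that still keeps its credentials in `keystone_authtoken` yields `None` for `auth_url` and `.replace('v2.0', 'v3')` raises AttributeError. `_get_keystone_auth` in auth_utils.py keeps a deprecated fallback to `keystone_authtoken`, and the test runner does not. Either share that fallback or fail with a clear message before the replace, e.g. `if not ks_opts[param]: self.error("missing [murano_auth] %s" % ks_opts_to_config[param])`. The loop is part of a method whose start is outside the hunk.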
@@ -16,32 +16,49 @@ from keystoneauth1 import identity from keystoneauth1 import loading as ka_loading from keystoneclient.v3 import client as ks_client from oslo_config import cfg +from oslo_log import log as logging +from oslo_log import versionutils from murano.dsl import helpers CFG_KEYSTONE_GROUP = 'keystone_authtoken' +LOG = logging.getLogger(__name__) cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token') def _get_keystone_auth(trust_id=None): - if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type: + auth_uri = cfg.CONF['murano_auth'].auth_uri + username = cfg.CONF['murano_auth'].admin_user + password = cfg.CONF['murano_auth'].admin_password + user_domain_name = cfg.CONF['murano_auth'].user_domain_name or "Default" + auth_type = cfg.CONF['murano_auth'].auth_type + project_name = cfg.CONF['murano_auth'].admin_project_name + project_domain_name = cfg.CONF['murano_auth'].project_domain_name or \ + "Default" + if not (auth_uri and username and password): + versionutils.report_deprecated_feature( + LOG, "Please update configuration in 'murano_auth' group") + auth_uri = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri + username = cfg.CONF[CFG_KEYSTONE_GROUP].admin_user + password = cfg.CONF[CFG_KEYSTONE_GROUP].admin_password + auth_type = cfg.CONF[CFG_KEYSTONE_GROUP].auth_type + project_name = cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name + if not auth_type: # Fallback to legacy v2 options if no auth_type is set. # If auth_type is set, it is possible to use the auth loader # from keystoneauth1. This is the same fallback as keystonemiddleware # uses. 
kwargs = { - 'auth_url': - cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'), - 'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user, - 'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password, - 'user_domain_name': "Default" + 'auth_url': auth_uri.replace('v2.0', 'v3'), + 'username': username, + 'password': password, + 'user_domain_name': user_domain_name } if not trust_id: - kwargs['project_name'] = \ - cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name - kwargs['project_domain_name'] = "Default" + kwargs['project_name'] = project_name + kwargs['project_domain_name'] = project_domain_name else: kwargs['trust_id'] = trust_id auth = identity.Password(**kwargs) diff --git a/murano/common/config.py b/murano/common/config.py index 53e03ae21..9f63a9c0c 100644 --- a/murano/common/config.py +++ b/murano/common/config.py @@ -328,6 +328,27 @@ home_region = cfg.StrOpt( 'home_region', help="Default region name used to get services endpoints.") +murano_auth_opts = [ + cfg.StrOpt('auth_type', help='Authentication type to load.'), + + cfg.StrOpt('auth_uri', help='Identity API endpoint.'), + + cfg.StrOpt('admin_user', + help='User name for murano authentication.'), + + cfg.StrOpt('admin_password', + help='Password for murano authentication.'), + + cfg.StrOpt('user_domain_name', + help="User's domain name for authentication."), + + cfg.StrOpt('admin_project_name', + help="Project name for project scoping."), + + cfg.StrOpt('project_domain_name', + help="Project's domain name."), +] + CONF = cfg.CONF CONF.register_opts(paste_deploy_opts, group='paste_deploy') @@ -345,6 +366,7 @@ CONF.register_opts(stats_opts, group='stats') CONF.register_opts(networking_opts, group='networking') CONF.register_opts(glare_opts, group='glare') CONF.register_opts(glance_opts, group='glance') +CONF.register_opts(murano_auth_opts, group='murano_auth') def parse_args(args=None, usage=None, default_config_files=None): diff --git a/murano/opts.py b/murano/opts.py index ee1039b41..edb849389 100644 
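Review bot: When `_get_keystone_auth` falls back to `keystone_authtoken`, `user_domain_name` and `project_domain_name` keep the values read from `murano_auth`, so legacy credentials can be combined with domain names from the new group, where both were previously always "Default". The fallback is also all-or-nothing: a `murano_auth` section missing any one of `auth_uri`, `admin_user` or `admin_password` is discarded with only a generic deprecation warning, and the service authenticates with the other group's identity. Reset the domains inside the fallback (`user_domain_name = project_domain_name = "Default"`) and name the missing options in the deprecation message. The `else` branch for a set `auth_type` is outside the hunk; if it still loads from `keystone_authtoken`, a configured `murano_auth.auth_type` would select a path that ignores the `murano_auth` credentials, which is worth confirming.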
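Review bot: `admin_password` in `murano_auth_opts` is declared as a plain `cfg.StrOpt`, so oslo.config prints its value in clear text wherever option values are dumped (for example by `CONF.log_opt_values` at debug level, if the service calls it). Mark it secret: `cfg.StrOpt('admin_password', secret=True, help='Password for murano authentication.')`. The group also defines no option for a CA bundle or TLS verification, unlike the `cafile` value the removed devstack lines wrote for `keystone_authtoken`. How the session verifies the Identity endpoint is not visible in this diff and should be checked.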
--- a/murano/opts.py +++ b/murano/opts.py @@ -44,6 +44,7 @@ _opt_lists = [ ('mistral', murano.common.config.mistral_opts), ('networking', murano.common.config.networking_opts), ('stats', murano.common.config.stats_opts), + ('murano_auth', murano.common.config.murano_auth_opts), (None, build_list([ murano.common.config.metadata_dir, murano.common.config.bind_opts, diff --git a/murano/tests/unit/common/test_auth_utils.py b/murano/tests/unit/common/test_auth_utils.py index 0f8b14163..dd1db165c 100644 --- a/murano/tests/unit/common/test_auth_utils.py +++ b/murano/tests/unit/common/test_auth_utils.py @@ -45,7 +45,9 @@ class TestAuthUtils(base.MuranoTestCase): mock_conf.auth_uri = 'foo_auth_uri/v2.0' mock_conf.admin_user = mock.sentinel.admin_user mock_conf.admin_password = mock.sentinel.admin_password - mock_conf.admin_tenant_name = mock.sentinel.admin_tenant_name + mock_conf.admin_project_name = mock.sentinel.admin_project_name + mock_conf.user_domain_name = mock.sentinel.user_domain_name + mock_conf.project_domain_name = mock.sentinel.project_domain_name return mock_cfg, mock_auth_obj def test_get_keystone_auth(self): @@ -55,9 +57,9 @@ class TestAuthUtils(base.MuranoTestCase): 'auth_url': 'foo_auth_uri/v3', 'username': mock.sentinel.admin_user, 'password': mock.sentinel.admin_password, - 'user_domain_name': 'Default', - 'project_name': mock.sentinel.admin_tenant_name, - 'project_domain_name': 'Default' + 'user_domain_name': mock.sentinel.user_domain_name, + 'project_name': mock.sentinel.admin_project_name, + 'project_domain_name': mock.sentinel.project_domain_name } expected_auth = mock.sentinel.auth actual_auth = auth_utils._get_keystone_auth() @@ -72,7 +74,7 @@ class TestAuthUtils(base.MuranoTestCase): 'auth_url': 'foo_auth_uri/v3', 'username': mock.sentinel.admin_user, 'password': mock.sentinel.admin_password, - 'user_domain_name': 'Default', + 'user_domain_name': mock.sentinel.user_domain_name, 'trust_id': mock.sentinel.trust_id } expected_auth = mock.sentinel.auth
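Review bot: The updated fixture in test_auth_utils.py sets `auth_uri`, `admin_user` and `admin_password` to truthy values, so neither visible test reaches the new deprecated branch of `_get_keystone_auth` that falls back to `keystone_authtoken`. Add a case where the `murano_auth` values are `None` and assert that the legacy group's `admin_tenant_name` ends up as `project_name` and that the deprecation is reported. The fixture's mock setup starts outside the hunk; if one mock stands in for every config group, the new case will need a per-group `side_effect` to tell the two groups apart.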