diff --git a/Berksfile b/Berksfile
index 50da25e..f2b40ac 100644
--- a/Berksfile
+++ b/Berksfile
@@ -4,3 +4,6 @@ metadata
cookbook "openstack-common",
github: "openstack/cookbook-openstack-common"
+
+cookbook "openstackclient",
+ github: "cloudbau/cookbook-openstackclient"
\ No newline at end of file
diff --git a/README.md b/README.md
index a4fad15..3ed3853 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,8 @@ Cookbooks
The following cookbooks are dependencies:
- 'apache2', '~> 3.1'
-- 'openstack-common', '>= 13.0.0'
+- 'openstack-common', '>= 14.0.0'
+- 'openstackclient', '>= 0.1.0'
Attributes
==========
@@ -64,142 +65,6 @@ Recipes
apache webserver. The recipe is documented in detail with inline comments
inside the recipe.
-Resources
-=========
-
-## openstack_identity_register
-
-### Actions
-
-- create_ec2_credentials:
-- create_endpoint:
-- create_role:
-- create_service:
-- create_tenant:
-- create_user:
-- grant_role:
-
-### Attribute Parameters
-
-- auth_uri: The uri used to as authentication endpoint for requests
-- bootstrap_token: The admin bootstrap_token used for authentication
-- service_type: Type of service to create (e.g. 'identity' or 'volume')
-- service_name: The name of the service to create (only for action
- :create_service)
-- service_description: The description for the service to create (only for
- action :create_service)
-- endpoint_region: The region to create the endpoint in (only for action
- :create_endpoint) Defaults to "RegionOne"
.
-- endpoint_adminurl: The public url to register for the endpoint (only for
- action :create_endpoint)
-- endpoint_internalurl: The internal url to register for the endpoint (only for
- action :create_endpoint)
-- endpoint_publicurl: The public url to register for the endpoint (only for
- action :create_endpoint)
-- tenant_name: The name of the tenant to create or create the user in (only for
- action :create_tenant and :create_user)
-- tenant_description: The description of the tenant to create (only for action
- :create_tenant)
-- tenant_enabled: Enable or disable tenant to create (only for action
- :create_tenant) Defaults to true
.
-- user_name: The name of the user to create (only for action :create_user)
-- user_pass: The passwort of the user to create (only for action :create_user)
-- user_enabled: Enable or disable user to create (only for action :create_user)
- Defaults to true
.
-- role_name: The name of the role to create or grant to the user (only for
- :create_role and :grant_role)
-- admin_tenant_name: The name of the admin tenant (only for
- :create_ec2_credentials)
-- admin_user: The name of the admin user (only for :create_ec2_credentials)
-- admin_pass: The password of the admin user (only for :create_ec2_credentials)
-- identity_endpoint: The identity endpoint to use for user and ec2 creation. If
- not specified, default endpoint will be used. (only for create_ec2_credentials
-and create_user)
-
-### Examples
-
-```
-# Create 'openstack' tenant
-openstack_identity_register "Register 'openstack' Tenant" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- tenant_name "openstack"
- tenant_description "Default Tenant"
- tenant_enabled "true" # Not required as this is the default
- action :create_tenant
-end
-
-# Create 'admin' user
-openstack_identity_register "Register 'admin' User" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- tenant_name "openstack"
- user_name "admin"
- user_pass "secrete"
- user_enabled "true" # Not required as this is the default
- action :create_user
-end
-
-# Create 'admin' role
-openstack_identity_register "Register 'admin' Role" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- role_name role_key
- action :create_role
-end
-
-# Grant 'admin' role to 'admin' user in the 'openstack' tenant
-openstack_identity_register "Grant 'admin' Role to 'admin' User" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- tenant_name "openstack"
- user_name "admin"
- role_name "admin"
- action :grant_role
-end
-
-# Create 'identity' service
-openstack_identity_register "Register Identity Service" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- service_name "keystone"
- service_type "identity"
- service_description "Keystone Identity Service"
- action :create_service
-end
-
-# Create 'identity' endpoint
-openstack_identity_register "Register Identity Endpoint" do
- auth_host "192.168.1.10"
- auth_port "35357"
- auth_protocol "http"
- api_ver "/v2.0"
- auth_token "123456789876"
- service_type "identity"
- endpoint_region "RegionOne"
- endpoint_adminurl "http://192.168.1.10:35357/v2.0"
- endpoint_internalurl "http://192.168.1.10:5001/v2.0"
- endpoint_publicurl "http://1.2.3.4:5001/v2.0"
- action :create_endpoint
-end
-```
-
-
License and Author
==================
@@ -218,6 +83,7 @@ Author:: Ionut Artarisi ()
Author:: Chen Zhiwei (zhiwchen@cn.ibm.com)
Author:: Eric Zhou (zyouzhou@cn.ibm.com)
Author:: Jan Klare (j.klare@cloudbau.de)
+Author:: Christoph Albers ()
Copyright 2012, Rackspace US, Inc.
Copyright 2012-2013, Opscode, Inc.
diff --git a/attributes/default.rb b/attributes/default.rb
index 7932dde..d5bcddc 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -30,7 +30,7 @@ default['openstack']['identity']['custom_template_banner'] =
# scheme for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# path for openstack admin/internal/public identity endpoint
- default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v2.0'
+ default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
end
# port for openstack public identity endpoint
@@ -96,18 +96,14 @@ default['openstack']['identity']['syslog']['config_facility'] = 'local2'
# user to be created and used for identity service
default['openstack']['identity']['admin_user'] = 'admin'
-# tenant to be created and used for identity service
-default['openstack']['identity']['admin_tenant_name'] = 'admin'
-
-default['openstack']['identity']['users'] = {
- default['openstack']['identity']['admin_user'] => {
- 'default_tenant' => default['openstack']['identity']['admin_tenant_name'],
- 'roles' => {
- 'admin' => ['admin'],
- 'service' => ['admin']
- }
- }
-}
+# project to be created and used for identity service
+default['openstack']['identity']['admin_project'] = 'admin'
+# domain to be created and used for identity service project
+default['openstack']['identity']['admin_project_domain'] = 'default'
+# role to be created and used for identity service
+default['openstack']['identity']['admin_role'] = 'admin'
+# domain to be created and used for identity service user
+default['openstack']['identity']['admin_domain_name'] = 'default'
# specify whether to enable SSL for Keystone API endpoint
default['openstack']['identity']['ssl']['enabled'] = false
@@ -144,6 +140,8 @@ default['openstack']['identity']['fernet']['keys'] = [0, 1]
default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
# Default auth methods. (List value)
default['openstack']['identity']['auth']['methods'] = 'external, password, token, oauth1'
+# Default auth_version for now
+default['openstack']['identity']['auth']['version'] = 'v3'
# enable or disable the usage of the token flushing cronjob
default['openstack']['identity']['token_flush_cron']['enabled'] = true
diff --git a/libraries/matchers.rb b/libraries/matchers.rb
deleted file mode 100644
index 1f88cc1..0000000
--- a/libraries/matchers.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-# encoding: UTF-8
-if defined?(ChefSpec)
- def create_service_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_service,
- resource_name)
- end
-
- def create_endpoint_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_endpoint,
- resource_name)
- end
-
- def create_tenant_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_tenant,
- resource_name)
- end
-
- def create_user_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_user,
- resource_name)
- end
-
- def create_role_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_role,
- resource_name)
- end
-
- def grant_role_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :grant_role,
- resource_name)
- end
-
- def create_ec2_credentials_openstack_identity_register(resource_name)
- ChefSpec::Matchers::ResourceMatcher.new(
- :openstack_identity_register,
- :create_ec2_credentials,
- resource_name)
- end
-end
diff --git a/metadata.rb b/metadata.rb
index 99c4f7c..35c3985 100755
--- a/metadata.rb
+++ b/metadata.rb
@@ -14,3 +14,4 @@ end
depends 'apache2', '~> 3.1'
depends 'openstack-common', '>= 14.0.0'
+depends 'openstackclient'
diff --git a/providers/register.rb b/providers/register.rb
deleted file mode 100644
index eae9ccd..0000000
--- a/providers/register.rb
+++ /dev/null
@@ -1,347 +0,0 @@
-# encoding: UTF-8
-#
-# Cookbook Name:: openstack-identity
-# Provider:: register
-#
-# Copyright 2012, Rackspace US, Inc.
-# Copyright 2012-2013, AT&T Services, Inc.
-# Copyright 2013, Opscode, Inc.
-# Copyright 2013, Craig Tracey
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'chef/mixin/shell_out'
-include Chef::Mixin::ShellOut
-include ::Openstack
-
-use_inline_resources
-
-# creates the defined service as new service for keystone
-action :create_service do
- new_resource.updated_by_last_action(false)
- if node['openstack']['identity']['catalog']['backend'] == 'templated'
- Chef::Log.info('Skipping service creation - templated catalog backend in use.')
- else
- begin
- service_uuid = identity_uuid new_resource, 'service', 'type', new_resource.service_type
- need_updated = false
- if service_uuid
- Chef::Log.info("Service Type '#{new_resource.service_type}' already exists..")
- Chef::Log.info("Service UUID: #{service_uuid}")
- need_updated = service_need_updated? new_resource
- if need_updated
- Chef::Log.info("Service Type '#{new_resource.service_type}' needs to be updated, delete it first.")
- identity_command(new_resource, 'service-delete',
- '' => service_uuid)
- end
- end
- unless service_uuid && !need_updated
- identity_command(new_resource, 'service-create',
- 'type' => new_resource.service_type,
- 'name' => new_resource.service_name,
- 'description' => new_resource.service_description)
- Chef::Log.info("Created service '#{new_resource.service_name}'")
- new_resource.updated_by_last_action(true)
- end
- rescue StandardError => e
- raise "Unable to create service '#{new_resource.service_name}' Error:" + e.message
- end
- end
-end
-
-# registers all endpoints for the defined service in keystone
-action :create_endpoint do
- new_resource.updated_by_last_action(false)
- if node['openstack']['identity']['catalog']['backend'] == 'templated'
- Chef::Log.info('Skipping endpoint creation - templated catalog backend in use.')
- else
- begin
- service_uuid = identity_uuid new_resource, 'service', 'type', new_resource.service_type
- raise "Unable to find service type '#{new_resource.service_type}'" unless service_uuid
-
- endpoint_uuid = identity_uuid new_resource, 'endpoint', 'service_id', service_uuid
- need_updated = false
- if endpoint_uuid
- Chef::Log.info("Endpoint already exists for Service Type '#{new_resource.service_type}'.")
- need_updated = endpoint_need_updated? new_resource, 'service_id', service_uuid
- if need_updated
- Chef::Log.info("Endpoint for Service Type '#{new_resource.service_type}' needs to be updated, delete it first.")
- identity_command(new_resource, 'endpoint-delete',
- '' => endpoint_uuid)
- end
- end
- unless endpoint_uuid && !need_updated
- identity_command(new_resource, 'endpoint-create',
- 'region' => new_resource.endpoint_region,
- 'service_id' => service_uuid,
- 'publicurl' => new_resource.endpoint_publicurl,
- 'internalurl' => new_resource.endpoint_internalurl,
- 'adminurl' => new_resource.endpoint_adminurl)
- Chef::Log.info("Created endpoint for service type '#{new_resource.service_type}'")
- new_resource.updated_by_last_action(true)
- end
- rescue StandardError => e
- raise "Unable to create endpoint for service type '#{new_resource.service_type}' Error: " + e.message
- end
- end
-end
-
-# creates the defined tenant in keystone
-action :create_tenant do
- begin
- new_resource.updated_by_last_action(false)
- tenant_uuid = identity_uuid new_resource, 'tenant', 'name', new_resource.tenant_name
-
- if tenant_uuid
- Chef::Log.info("Tenant '#{new_resource.tenant_name}' already exists.. Not creating.")
- Chef::Log.info("Tenant UUID: #{tenant_uuid}") if tenant_uuid
- else
- identity_command(new_resource, 'tenant-create',
- 'name' => new_resource.tenant_name,
- 'description' => new_resource.tenant_description,
- 'enabled' => new_resource.tenant_enabled)
- Chef::Log.info("Created tenant '#{new_resource.tenant_name}'")
- new_resource.updated_by_last_action(true)
- end
- rescue StandardError => e
- raise "Unable to create tenant '#{new_resource.tenant_name}' Error: " + e.message
- end
-end
-
-# creates the defined role in keystone
-action :create_role do
- begin
- new_resource.updated_by_last_action(false)
- role_uuid = identity_uuid new_resource, 'role', 'name', new_resource.role_name
-
- if role_uuid
- Chef::Log.info("Role '#{new_resource.role_name}' already exists.. Not creating.")
- Chef::Log.info("Role UUID: #{role_uuid}")
- else
- identity_command(new_resource, 'role-create',
- 'name' => new_resource.role_name)
- Chef::Log.info("Created Role '#{new_resource.role_name}'")
- new_resource.updated_by_last_action(true)
- end
- rescue StandardError => e
- raise "Unable to create role '#{new_resource.role_name}' Error: " + e.message
- end
-end
-
-# creates the defined user in keystone
-action :create_user do
- begin
- new_resource.updated_by_last_action(false)
-
- output = identity_command(new_resource, 'user-list')
- users = prettytable_to_array output
- user_found = false
- users.each do |user|
- user_found = true if user['name'] == new_resource.user_name
- end
-
- if user_found
- Chef::Log.info("User '#{new_resource.user_name}' already exists")
- begin
- # Check if password is already updated by getting a token
- identity_command(new_resource, 'token-get', {}, 'user')
- rescue StandardError => e
- Chef::Log.debug('Get token error:' + e.message)
- Chef::Log.info("Sync password for user '#{new_resource.user_name}'")
- identity_command(new_resource, 'user-password-update',
- 'pass' => new_resource.user_pass,
- '' => new_resource.user_name)
- new_resource.updated_by_last_action(true)
- end
- next
- end
-
- identity_command(new_resource, 'user-create',
- 'name' => new_resource.user_name,
- 'tenant' => new_resource.tenant_name,
- 'pass' => new_resource.user_pass,
- 'enabled' => new_resource.user_enabled)
- Chef::Log.info("Created user '#{new_resource.user_name}' for tenant '#{new_resource.tenant_name}'")
- new_resource.updated_by_last_action(true)
- rescue StandardError => e
- raise "Unable to create user '#{new_resource.user_name}' for tenant '#{new_resource.tenant_name}' Error: " + e.message
- end
-end
-
-# grants the defined role to a given user in a given tenant
-action :grant_role do
- begin
- new_resource.updated_by_last_action(false)
-
- role_uuid = identity_uuid new_resource, 'role', 'name', new_resource.role_name
- raise "Unable to find role '#{new_resource.role_name}'" unless role_uuid
-
- assigned_role_uuid = identity_uuid(new_resource, 'user-role', 'name',
- new_resource.role_name,
- 'tenant' => new_resource.tenant_name,
- 'user' => new_resource.user_name)
- if role_uuid == assigned_role_uuid
- Chef::Log.info("Role '#{new_resource.role_name}' already granted to User '#{new_resource.user_name}' in Tenant '#{new_resource.tenant_name}'")
- else
- identity_command(new_resource, 'user-role-add',
- 'tenant' => new_resource.tenant_name,
- 'role-id' => role_uuid,
- 'user' => new_resource.user_name)
- Chef::Log.info("Granted Role '#{new_resource.role_name}' to User '#{new_resource.user_name}' in Tenant '#{new_resource.tenant_name}'")
- new_resource.updated_by_last_action(true)
- end
- rescue StandardError => e
- raise "Unable to grant role '#{new_resource.role_name}' to user '#{new_resource.user_name}' Error: " + e.message
- end
-end
-
-# creates ec2_credentials for a given user in a given tenant
-action :create_ec2_credentials do
- begin
- new_resource.updated_by_last_action(false)
- tenant_uuid = identity_uuid new_resource, 'tenant', 'name', new_resource.tenant_name
- raise "Unable to find tenant '#{new_resource.tenant_name}'" unless tenant_uuid
-
- user_uuid = identity_uuid(new_resource, 'user', 'name',
- new_resource.user_name,
- 'tenant-id' => tenant_uuid)
- raise "Unable to find user '#{new_resource.user_name}' with tenant '#{new_resource.tenant_name}'" unless user_uuid
-
- # this is not really a uuid, but this will work nonetheless
- access = identity_uuid new_resource, 'ec2-credentials', 'tenant', new_resource.tenant_name, { 'user-id' => user_uuid }, 'access'
- if access
- Chef::Log.info("EC2 credentials already exist for '#{new_resource.user_name}' in tenant '#{new_resource.tenant_name}'")
- else
- output = identity_command(new_resource, 'ec2-credentials-create',
- { 'user-id' => user_uuid,
- 'tenant-id' => tenant_uuid },
- 'admin')
- Chef::Log.info("Created EC2 Credentials for User '#{new_resource.user_name}' in Tenant '#{new_resource.tenant_name}'")
- data = prettytable_to_array(output)
-
- if data.length != 1
- raise "Got bad data when creating ec2 credentials for #{new_resource.user_name} Data: #{data}"
- else
- # Update node attributes
- node.set['credentials']['EC2'][new_resource.user_name]['access'] = data[0]['access']
- node.set['credentials']['EC2'][new_resource.user_name]['secret'] = data[0]['secret']
- node.save unless Chef::Config[:solo]
- new_resource.updated_by_last_action(true)
- end
- end
- rescue StandardError => e
- raise "Unable to create EC2 Credentials for User '#{new_resource.user_name}' in Tenant '#{new_resource.tenant_name}' Error: " + e.message
- end
-end
-
-private
-
-def generate_boot_creds(resource)
- {
- 'OS_SERVICE_ENDPOINT' => resource.auth_uri,
- 'OS_SERVICE_TOKEN' => resource.bootstrap_token
- }
-end
-
-def generate_admin_creds(resource)
- identity_endpoint = resource.identity_endpoint
- identity_endpoint = admin_endpoint('identity').to_s unless identity_endpoint
- {
- 'OS_USERNAME' => resource.admin_user,
- 'OS_PASSWORD' => resource.admin_pass,
- 'OS_TENANT_NAME' => resource.admin_tenant_name,
- 'OS_AUTH_URL' => identity_endpoint
- }
-end
-
-def generate_user_creds(resource)
- identity_endpoint = resource.identity_endpoint
- identity_endpoint = public_endpoint('identity').to_s unless identity_endpoint
- {
- 'OS_USERNAME' => resource.user_name,
- 'OS_PASSWORD' => resource.user_pass,
- 'OS_TENANT_NAME' => resource.tenant_name,
- 'OS_AUTH_URL' => identity_endpoint
- }
-end
-
-def get_env(resource, env = 'boot')
- case env
- when 'boot'
- generate_boot_creds(resource)
- when 'user'
- generate_user_creds(resource)
- when 'admin'
- generate_admin_creds(resource)
- end
-end
-
-def identity_command(resource, cmd, args = {}, env = 'boot')
- keystonecmd = build_keystone_cmd(cmd, args)
- cmd_env = get_env(resource, env)
- Chef::Log.debug("Running identity command: #{keystonecmd} env: " + cmd_env.to_s)
- rc = shell_out(keystonecmd, env: cmd_env)
- raise "#{rc.stderr} (#{rc.exitstatus})" if rc.exitstatus != 0
- rc.stdout
-end
-
-def build_keystone_cmd(cmd, args)
- keystonecmd = ['keystone'] << '--insecure' << cmd
- args.each do |key, val|
- keystonecmd << "--#{key}" unless key.empty?
- keystonecmd << val.to_s
- end
- keystonecmd
-end
-
-def identity_uuid(resource, type, key, value, args = {}, uuid_field = 'id')
- rc = nil
- begin
- output = identity_command resource, "#{type}-list", args
- output = prettytable_to_array(output)
- rc = (type == 'endpoint') ? search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region) : search_uuid(output, uuid_field, key => value)
- rescue RuntimeError => e
- raise "Could not lookup uuid for #{type}:#{key}=>#{value}. Error was #{e.message}"
- end
- rc
-end
-
-def search_uuid(output, uuid_field, required_hash = {})
- rc = nil
- output.each do |obj|
- rc = obj[uuid_field] if obj.key?(uuid_field) && required_hash.values - obj.values_at(*required_hash.keys) == []
- end
- rc
-end
-
-def service_need_updated?(resource, args = {}, uuid_field = 'id')
- begin
- output = identity_command resource, 'service-list', args
- output = prettytable_to_array(output)
- return search_uuid(output, uuid_field, 'name' => resource.service_name).nil?
- rescue RuntimeError => e
- raise "Could not check service attributes for service: type => #{resource.service_type}, name => #{resource.service_name}. Error was #{e.message}"
- end
- false
-end
-
-def endpoint_need_updated?(resource, key, value, args = {}, uuid_field = 'id')
- begin
- output = identity_command resource, 'endpoint-list', args
- output = prettytable_to_array(output)
- return search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region, 'publicurl' => resource.endpoint_publicurl, 'internalurl' => resource.endpoint_internalurl, 'adminurl' => resource.endpoint_adminurl).nil?
- rescue RuntimeError => e
- raise "Could not check endpoint attributes for endpoint:#{key}=>#{value}. Error was #{e.message}"
- end
- false
-end
diff --git a/recipes/openrc.rb b/recipes/openrc.rb
index ee68a1d..9c7c8aa 100644
--- a/recipes/openrc.rb
+++ b/recipes/openrc.rb
@@ -24,25 +24,15 @@ class ::Chef::Recipe
include ::Openstack
end
-# check attributes before searching
-if node['openstack']['identity'] && node['openstack']['identity']['admin_tenant_name'] && node['openstack']['identity']['admin_user']
- ksadmin_tenant_name = node['openstack']['identity']['admin_tenant_name']
- ksadmin_user = node['openstack']['identity']['admin_user']
-else
- identity_service_role = node['openstack']['identity_service_chef_role']
- keystone = search_for(identity_service_role).first
-
- if keystone.nil?
- Chef::Log.warn("openrc not created, identity role node not found: #{identity_service_role}")
- return
- end
-
- ksadmin_tenant_name = keystone['openstack']['identity']['admin_tenant_name']
- ksadmin_user = keystone['openstack']['identity']['admin_user']
-end
+ksadmin_project = node['openstack']['identity']['admin_project']
+project_domain_name = node['openstack']['identity']['admin_project_domain']
+ksadmin_user = node['openstack']['identity']['admin_user']
+admin_domain_name = node['openstack']['identity']['admin_domain_name']
+auth_api_version = node['openstack']['api']['auth']['version']
ksadmin_pass = get_password 'user', ksadmin_user
identity_public_endpoint = public_endpoint 'identity'
+auth_url = auth_uri_transform identity_public_endpoint.to_s, auth_api_version
directory node['openstack']['openrc']['path'] do
owner node['openstack']['openrc']['user']
@@ -59,8 +49,11 @@ template "#{node['openstack']['openrc']['path']}/#{node['openstack']['openrc']['
sensitive true
variables(
user: ksadmin_user,
- tenant: ksadmin_tenant_name,
+ user_domain_name: admin_domain_name,
+ project: ksadmin_project,
+ project_domain_name: project_domain_name,
+ api_version: '3',
password: ksadmin_pass,
- identity_endpoint: identity_public_endpoint
+ identity_endpoint: auth_url
)
end
diff --git a/recipes/registration.rb b/recipes/registration.rb
index 99432a4..7afbcff 100644
--- a/recipes/registration.rb
+++ b/recipes/registration.rb
@@ -24,92 +24,65 @@
# comments inside the recipe.
require 'uri'
+require 'chef/mixin/shell_out'
+
class ::Chef::Recipe
include ::Openstack
end
-# define the endpoints to register for the keystone identity service
identity_admin_endpoint = admin_endpoint 'identity'
identity_internal_endpoint = internal_endpoint 'identity'
identity_public_endpoint = public_endpoint 'identity'
-auth_uri = ::URI.decode identity_admin_endpoint.to_s
+auth_url = ::URI.decode identity_admin_endpoint.to_s
# define the credentials to use for the initial admin user
-admin_tenant_name = node['openstack']['identity']['admin_tenant_name']
+admin_project = node['openstack']['identity']['admin_project']
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
+admin_role = node['openstack']['identity']['admin_role']
+admin_domain = node['openstack']['identity']['admin_domain_name']
+region = node['openstack']['identity']['region']
-bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
-
-# register all the tenants specified in the users hash
-identity_tenants = node['openstack']['identity']['users'].values.map do |user_info|
- user_info['roles'].values.push(user_info['default_tenant'])
+execute 'bootstrap_keystone' do
+ command "keystone-manage bootstrap \\
+ --bootstrap-password #{admin_pass} \\
+ --bootstrap-username #{admin_user} \\
+ --bootstrap-project-name #{admin_project} \\
+ --bootstrap-role-name #{admin_role} \\
+ --bootstrap-service-name keystone \\
+ --bootstrap-region-id #{region} \\
+ --bootstrap-admin-url #{identity_admin_endpoint} \\
+ --bootstrap-public-url #{identity_public_endpoint} \\
+ --bootstrap-internal-url #{identity_internal_endpoint}"
end
-identity_tenants.flatten.uniq.each do |tenant_name|
- openstack_identity_register "Register '#{tenant_name}' Tenant" do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- tenant_name tenant_name
- tenant_description "#{tenant_name} Tenant"
+connection_params = {
+ openstack_auth_url: "#{auth_url}/auth/tokens",
+ openstack_username: admin_user,
+ openstack_api_key: admin_pass,
+ openstack_project_name: admin_project,
+ openstack_domain_name: admin_domain
+}
- action :create_tenant
- end
+openstack_domain admin_domain do
+ connection_params connection_params
end
-# register all the roles and users from the users hash
-identity_roles = node['openstack']['identity']['users'].values.map do |user_info|
- user_info['roles'].keys
+openstack_user admin_user do
+ domain_name admin_domain
+ role_name admin_role
+ connection_params connection_params
+ action :grant_domain
end
-identity_roles.flatten.uniq.each do |role_name|
- openstack_identity_register "Register '#{role_name}' Role" do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- role_name role_name
-
- action :create_role
- end
+# create default service role
+openstack_role 'service' do
+ connection_params connection_params
end
-node['openstack']['identity']['users'].each do |username, user_info|
- pwd = get_password 'user', username
- openstack_identity_register "Register '#{username}' User" do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- user_name username
- user_pass pwd
- tenant_name user_info['default_tenant']
- user_enabled true # Not required as this is the default
-
- action :create_user
- end
-
- user_info['roles'].each do |rolename, tenant_list|
- tenant_list.each do |tenantname|
- openstack_identity_register "Grant '#{rolename}' Role to '#{username}' User in '#{tenantname}' Tenant" do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- user_name username
- role_name rolename
- tenant_name tenantname
-
- action :grant_role
- end
- end
- end
-end
-
-# register the identity service itself
-openstack_identity_register 'Register Identity Service' do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- service_name 'keystone'
- service_type 'identity'
- service_description 'Keystone Identity Service'
-
- action :create_service
- not_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
+# create default role for horizon dashboard login
+openstack_role '_member_' do
+ connection_params connection_params
end
node.set['openstack']['identity']['adminURL'] = identity_admin_endpoint.to_s
@@ -119,32 +92,3 @@ node.set['openstack']['identity']['publicURL'] = identity_public_endpoint.to_s
Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}"
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}"
-
-# register the identity service endpoints
-openstack_identity_register 'Register Identity Endpoint' do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- service_type 'identity'
- endpoint_region node['openstack']['identity']['region']
- endpoint_adminurl node['openstack']['identity']['adminURL']
- endpoint_internalurl node['openstack']['identity']['internalURL']
- endpoint_publicurl node['openstack']['identity']['publicURL']
-
- action :create_endpoint
- not_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
-end
-
-# create ec2 creadentials for the users from the users hash
-node['openstack']['identity']['users'].each do |username, user_info|
- openstack_identity_register "Create EC2 credentials for '#{username}' user" do
- auth_uri auth_uri
- bootstrap_token bootstrap_token
- user_name username
- tenant_name user_info['default_tenant']
- admin_tenant_name admin_tenant_name
- admin_user admin_user
- admin_pass admin_pass
-
- action :create_ec2_credentials
- end
-end
diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb
index 9e0979b..afe0891 100644
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@@ -120,9 +120,6 @@ node.default['openstack']['identity']['conf_secrets']
.[]('database')['connection'] =
db_uri('identity', db_user, db_pass)
-# define the admin keystone bootstrap token
-bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
-
# search for memcache servers using the method from cookbook-openstack-common
memcache_servers = memcached_servers.join ','
@@ -168,7 +165,6 @@ end
# set keystone config parameters for admin_token, endpoints and memcache
node.default['openstack']['identity']['conf'].tap do |conf|
- conf['DEFAULT']['admin_token'] = bootstrap_token
conf['DEFAULT']['public_endpoint'] = public_endpoint
conf['DEFAULT']['admin_endpoint'] = admin_endpoint
conf['memcache']['servers'] = memcache_servers if memcache_servers
@@ -334,6 +330,11 @@ wsgi_apps.each do |app, opt|
end
end
+# disable keystone-site since ubuntu autoenables this
+apache_site 'keystone' do
+ enable false
+end
+
# wait for apache2 to be fully reloaded and the keystone endpoint to become
# available
execute 'Keystone: sleep' do
diff --git a/resources/register.rb b/resources/register.rb
deleted file mode 100644
index 604df82..0000000
--- a/resources/register.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-# encoding: UTF-8
-#
-# Cookbook Name:: openstack-identity
-# Resource:: register
-#
-# Copyright 2012, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# These resources provide an abstraction layer for interacting with the keystone
-# server's API, allowin for other nodes to register any required users, tenants,
-# roles, services, or endpoints.
-
-actions :create_service, :create_endpoint, :create_tenant, :create_user, :create_role, :grant_role, :create_ec2_credentials
-
-# In earlier versions of Chef the LWRP DSL doesn't support specifying
-# a default action, so you need to drop into Ruby.
-def initialize(*args)
- super
- @action = :create
-end
-
-BOOLEAN = [TrueClass, FalseClass].freeze
-
-# The uri used to as authentication endpoint for requests
-attribute :auth_uri, kind_of: String
-# The admin bootstrap_token used for authentication
-attribute :bootstrap_token, kind_of: String
-# The type of service to create (e.g. 'identity' or 'volume')
-attribute :service_type, kind_of: String
-# The name of the service to create (only for action :create_service)
-attribute :service_name, kind_of: String
-# The description for the service to create (only for action :create_service)
-attribute :service_description, kind_of: String
-# The region to create the endpoint in (only for action :create_endpoint)
-attribute :endpoint_region, kind_of: String, default: 'RegionOne'
-# The admin url to register for the endpoint (only for action :create_endpoint)
-attribute :endpoint_adminurl, kind_of: String
-# The internal url to register for the endpoint (only for action
-# :create_endpoint)
-attribute :endpoint_internalurl, kind_of: String
-# The public url to register for the endpoint (only for action :create_endpoint)
-attribute :endpoint_publicurl, kind_of: String
-# The name of the tenant to create or create the user in (only for action
-# :create_tenant and :create_user)
-attribute :tenant_name, kind_of: String
-# The description of the tenant to create (only for action :create_tenant)
-attribute :tenant_description, kind_of: String
-# Enable or disable tenant to create (only for action :create_tenant)
-attribute :tenant_enabled, kind_of: BOOLEAN, default: true
-# The name of the user to create (only for action :create_user)
-attribute :user_name, kind_of: String
-# The passwort of the user to create (only for action :create_user)
-attribute :user_pass, kind_of: String
-# Enable or disable user to create (only for action :create_user)
-attribute :user_enabled, kind_of: BOOLEAN, default: true
-# The name of the role to create or grant to the user (only for :create_role and
-# :grant_role)
-attribute :role_name, kind_of: String
-# The name of the admin tenant (only for :create_ec2_credentials)
-attribute :admin_tenant_name, kind_of: String
-# The name of the admin user (only for :create_ec2_credentials)
-attribute :admin_user, kind_of: String
-# The password of the admin user (only for :create_ec2_credentials)
-attribute :admin_pass, kind_of: String
-# The identity endpoint to use for user and ec2 creation. If not specified,
-# default endpoint will be used. (only for create_ec2_credentials and
-# create_user)
-attribute :identity_endpoint, kind_of: String
diff --git a/spec/openrc_spec.rb b/spec/openrc_spec.rb
index 927abd5..2c528cc 100644
--- a/spec/openrc_spec.rb
+++ b/spec/openrc_spec.rb
@@ -33,9 +33,12 @@ describe 'openstack-identity::openrc' do
it 'contains auth environment variables' do
[
/^export OS_USERNAME=admin$/,
- /^export OS_TENANT_NAME=admin$/,
+ /^export OS_USER_DOMAIN_NAME=default$/,
/^export OS_PASSWORD=admin$/,
- %r{^export OS_AUTH_URL=http://127.0.0.1:5000/v2.0$},
+ /^export OS_PROJECT_NAME=admin$/,
+ /^export OS_PROJECT_DOMAIN_NAME=default$/,
+ /^export OS_IDENTITY_API_VERSION=3$/,
+ %r{^export OS_AUTH_URL=http://127.0.0.1:5000/v3$},
/^export OS_REGION_NAME=RegionOne$/
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
@@ -51,11 +54,19 @@ describe 'openstack-identity::openrc' do
end
it 'contains overridden auth environment variables' do
- node.set['openstack']['identity']['admin_tenant_name'] = 'admin-tenant-name-override'
- node.set['openstack']['identity']['admin_user'] = 'admin-user-override'
+ node.set['openstack']['identity']['admin_project'] =
+ 'admin-project-name-override'
+ node.set['openstack']['identity']['admin_user'] =
+ 'identity_admin'
+ node.set['openstack']['identity']['admin_domain_id'] =
+ 'admin-domain-override'
+ node.set['openstack']['endpoints']['public']['identity']['uri'] =
+ 'https://public.identity:1234/v3'
[
- /^export OS_USERNAME=admin-user-override$/,
- /^export OS_TENANT_NAME=admin-tenant-name-override$/
+ /^export OS_USERNAME=identity_admin$/,
+ /^export OS_PROJECT_NAME=admin-project-name-override$/,
+ /^export OS_PASSWORD=identity_admin_pass$/,
+ %r{^export OS_AUTH_URL=https://public.identity:1234/v3$}
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
end
diff --git a/spec/register_spec.rb b/spec/register_spec.rb
deleted file mode 100644
index 0579c8d..0000000
--- a/spec/register_spec.rb
+++ /dev/null
@@ -1,748 +0,0 @@
-# encoding: UTF-8
-
-require_relative 'spec_helper'
-
-describe 'openstack-identity::default' do
- describe 'ubuntu' do
- let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
- let(:node) { runner.node }
- let(:chef_run) { runner.converge(described_recipe) }
- let(:events) { Chef::EventDispatch::Dispatcher.new }
- let(:cookbook_collection) { Chef::CookbookCollection.new([]) }
- let(:run_context) { Chef::RunContext.new(node, cookbook_collection, events) }
-
- # needed to create the provider class OpenstackIdentityRegister by chef magic
- before { chef_run }
-
- describe 'tenant_create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('tenant1',
- run_context)
- r.tenant_name('tenant1')
- r.tenant_description('tenant1 Tenant')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'when tenant does not already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- allow(provider).to receive(:identity_command)
- .with(resource, 'tenant-create',
- 'name' => 'tenant1',
- 'description' => 'tenant1 Tenant',
- 'enabled' => true)
- .and_return(true)
- end
-
- it 'should create a tenant' do
- provider.run_action(:create_tenant)
-
- expect(resource).to be_updated
- end
- end
-
- context 'when tenant does already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_return('1234567890ABCDEFGH')
- end
-
- it 'should not create a tenant' do
- provider.run_action(:create_tenant)
-
- expect(resource).to_not be_updated
- end
- end
-
- context 'when keystone tenant command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_tenant) }.to raise_error
- end
- end
- end
-
- describe 'service_create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('service1',
- run_context)
- r.service_type('compute')
- r.service_name('service1')
- r.service_description('service1 Service')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'catalog.backend is sql' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'sql'
- end
-
- context 'when service does not already exist' do
- it 'should create a service' do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- allow(provider).to receive(:identity_command)
- .with(resource, 'service-create',
- 'type' => 'compute',
- 'name' => 'service1',
- 'description' => 'service1 Service')
- .and_return(true)
- provider.run_action(:create_service)
-
- expect(resource).to be_updated
- end
- end
-
- context 'when service does already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:service_need_updated?)
- .with(resource)
- .and_return(false)
- end
-
- it 'should not create a service' do
- provider.run_action(:create_service)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when service does already exist and needs to be updated' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:service_need_updated?)
- .with(resource)
- .and_return(true)
- allow(provider).to receive(:identity_command)
- .with(resource, 'service-delete',
- '' => '1234567890ABCDEFGH')
- allow(provider).to receive(:identity_command)
- .with(resource, 'service-create',
- 'type' => 'compute',
- 'name' => 'service1',
- 'description' => 'service1 Service')
- end
-
- it 'should update the service' do
- provider.run_action(:create_service)
- expect(resource).to be_updated
- end
- end
-
- context '#service_need_updated?, when service exists and does not need to be updated' do
- before do
- output = ' | 1234567890ABCDEFGH | service1 | compute | service1 Service '
- output_array = [{ 'id' => '1234567890ABCDEFGH', 'name' => 'service1', 'type' => 'compute', 'description' => 'service1 Service' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'service-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
-
- it 'service should not be updated' do
- expect(
- provider.send(:service_need_updated?, resource)
- ).to eq(false)
- end
- end
-
- context '#service_need_updated?, when service exists and needs to be updated' do
- before do
- output = ' | 1234567890ABCDEFGH | service11 | compute | service11 Service '
- output_array = [{ 'id' => '1234567890ABCDEFGH', 'name' => 'service11', 'type' => 'compute', 'description' => 'service11 Service' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'service-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
- it 'service should be updated' do
- expect(
- provider.send(:service_need_updated?, resource)
- ).to eq(true)
- end
- end
- end
-
- context 'when keystone service command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'name', 'compute')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_service) }.to raise_error
- end
- end
-
- context 'catalog.backend is templated' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
- end
-
- it 'should not create a service if using a templated backend' do
- provider.run_action(:create_service)
- expect(resource).to_not be_updated
- end
- end
- end
-
- describe 'endpoint_create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('endpoint1',
- run_context)
- r.endpoint_region('Region One')
- r.service_type('compute')
- r.endpoint_publicurl('http://public')
- r.endpoint_internalurl('http://internal')
- r.endpoint_adminurl('http://admin')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'catalog.backend is sql' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'sql'
- end
-
- context 'when endpoint does not already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'endpoint', 'service_id', '1234567890ABCDEFGH')
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-create',
- 'region' => 'Region One',
- 'service_id' => '1234567890ABCDEFGH',
- 'publicurl' => 'http://public',
- 'internalurl' => 'http://internal',
- 'adminurl' => 'http://admin')
- end
-
- it 'should create an endpoint' do
- provider.run_action(:create_endpoint)
- expect(resource).to be_updated
- end
- end
-
- context 'when endpoint does already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'endpoint', 'service_id', '1234567890ABCDEFGH')
- .and_return('0987654321HGFEDCBA')
- allow(provider).to receive(:endpoint_need_updated?)
- .with(resource, 'service_id', '1234567890ABCDEFGH')
- .and_return(false)
- end
-
- it 'should not update an endpoint' do
- provider.run_action(:create_endpoint)
- expect(resource).not_to be_updated
- end
- end
-
- context 'when endpoint does already exist and need to be updated' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'endpoint', 'service_id', '1234567890ABCDEFGH')
- .and_return('0987654321HGFEDCBA')
- allow(provider).to receive(:endpoint_need_updated?)
- .with(resource, 'service_id', '1234567890ABCDEFGH')
- .and_return(true)
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-delete',
- '' => '0987654321HGFEDCBA')
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-create',
- 'region' => 'Region One',
- 'service_id' => '1234567890ABCDEFGH',
- 'publicurl' => 'http://public',
- 'internalurl' => 'http://internal',
- 'adminurl' => 'http://admin')
- end
-
- it 'should update an endpoint' do
- provider.run_action(:create_endpoint)
- expect(resource).to be_updated
- end
- end
-
- context '#identity_uuid, when service id for Region One already exist' do
- before do
- output = ' | 000d9c447d124754a197fc612f9d63d7 | Region One | http://public | http://internal | http://admin | f9511a66e0484f3dbd1584065e8bab1c '
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region One', 'publicurl' => 'http://public', 'internalurl' => 'http://internal', 'adminurl' => 'http://admin', 'service_id' => 'f9511a66e0484f3dbd1584065e8bab1c' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
-
- it 'endpoint uuid should be returned' do
- expect(
- provider.send(:identity_uuid, resource, 'endpoint',
- 'service_id', 'f9511a66e0484f3dbd1584065e8bab1c')
- ).to eq('000d9c447d124754a197fc612f9d63d7')
- end
- end
-
- context '#identity_uuid, when service id for Region Two does not exist' do
- before do
- output = ' | 000d9c447d124754a197fc612f9d63d7 | Region Two | http://public | http://internal | http://admin | f9511a66e0484f3dbd1584065e8bab1c '
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region Two', 'publicurl' => 'http://public', 'internalurl' => 'http://internal', 'adminurl' => 'http://admin', 'service_id' => 'f9511a66e0484f3dbd1584065e8bab1c' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
-
- it 'no endpoint uuid should be returned' do
- expect(
- provider.send(:identity_uuid, resource, 'endpoint',
- 'service_id', 'f9511a66e0484f3dbd1584065e8bab1c')
- ).to eq(nil)
- end
- end
-
- context '#search_uuid' do
- it 'required_hash only has key id' do
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region Two', 'publicurl' => 'http://public' }]
- expect(
- provider.send(:search_uuid, output_array, 'id',
- 'id' => '000d9c447d124754a197fc612f9d63d7')
- ).to eq('000d9c447d124754a197fc612f9d63d7')
- expect(
- provider.send(:search_uuid, output_array, 'id', 'id' => 'abc')
- ).to eq(nil)
- end
-
- it 'required_hash has key id and region' do
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region Two', 'publicurl' => 'http://public' }]
- expect(
- provider.send(:search_uuid, output_array, 'id',
- 'id' => '000d9c447d124754a197fc612f9d63d7',
- 'region' => 'Region Two')
- ).to eq('000d9c447d124754a197fc612f9d63d7')
- expect(
- provider.send(:search_uuid, output_array, 'id',
- 'id' => '000d9c447d124754a197fc612f9d63d7',
- 'region' => 'Region One')
- ).to eq(nil)
- expect(
- provider.send(:search_uuid, output_array, 'id',
- 'id' => '000d9c447d124754a197fc612f9d63d7',
- 'region' => 'Region Two', 'key' => 'value')
- ).to eq(nil)
- end
- end
-
- context '#endpoint_need_updated?, when endpoint exist and not need to be updated' do
- before do
- output = ' | 000d9c447d124754a197fc612f9d63d7 | Region One | http://public | http://internal | http://admin | f9511a66e0484f3dbd1584065e8bab1c '
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region One', 'publicurl' => 'http://public', 'internalurl' => 'http://internal', 'adminurl' => 'http://admin', 'service_id' => 'f9511a66e0484f3dbd1584065e8bab1c' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
-
- it 'endpoint should not be updated' do
- expect(
- provider.send(:endpoint_need_updated?, resource,
- 'service_id', 'f9511a66e0484f3dbd1584065e8bab1c')
- ).to eq(false)
- end
- end
-
- context '#endpoint_need_updated?, when endpoint exist and need to be updated' do
- before do
- output = ' | 000d9c447d124754a197fc612f9d63d7 | Region One | https://public | https://internal | https://admin | f9511a66e0484f3dbd1584065e8bab1c '
- output_array = [{ 'id' => '000d9c447d124754a197fc612f9d63d7', 'region' => 'Region One', 'publicurl' => 'https://public', 'internalurl' => 'https://internal', 'adminurl' => 'https://admin', 'service_id' => 'f9511a66e0484f3dbd1584065e8bab1c' }]
- allow(provider).to receive(:identity_command)
- .with(resource, 'endpoint-list', {})
- .and_return(output)
- allow(provider).to receive(:prettytable_to_array)
- .with(output)
- .and_return(output_array)
- end
-
- it 'endpoint should be updated' do
- expect(
- provider.send(:endpoint_need_updated?, resource,
- 'service_id', 'f9511a66e0484f3dbd1584065e8bab1c')
- ).to eq(true)
- end
- end
- end
-
- context 'catalog.backend is templated' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
- end
-
- it 'should not create an endpoint' do
- provider.run_action(:create_endpoint)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when keystone endpoint command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'service', 'type', 'compute')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_endpoint) }.to raise_error
- end
- end
- end
-
- describe 'role create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('role1', run_context)
- r.role_name('role1')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'when role does not already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'role', 'name', 'role1')
- allow(provider).to receive(:identity_command)
- .with(resource, 'role-create',
- 'name' => 'role1')
- end
-
- it 'should create a role' do
- provider.run_action(:create_role)
- expect(resource).to be_updated
- end
- end
-
- context 'when role already exist' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'role', 'name', 'role1')
- .and_return('1234567890ABCDEFGH')
- end
-
- it 'should not create a role' do
- provider.run_action(:create_role)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when keystone role command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'role', 'name', 'role1')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_role) }.to raise_error
- end
- end
- end
-
- describe 'user create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('user1', run_context)
- r.user_name('user1')
- r.tenant_name('tenant1')
- r.user_pass('password')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'when user does not already exist' do
- before do
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-list')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-create',
- 'name' => 'user1',
- 'tenant' => 'tenant1',
- 'pass' => 'password',
- 'enabled' => true)
- allow(provider).to receive(:prettytable_to_array)
- .and_return([])
- end
-
- it 'should create a user' do
- provider.run_action(:create_user)
- expect(resource).to be_updated
- end
- end
-
- context 'when user already exist with same password' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-list')
- allow(provider).to receive(:prettytable_to_array)
- .and_return([{ 'name' => 'user1' }])
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user', 'name', 'user1')
- .and_return('HGFEDCBA0987654321')
- allow(provider).to receive(:identity_command)
- .with(resource, 'token-get', {}, 'user')
- end
-
- it 'should not create a user' do
- provider.run_action(:create_user)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when user already exist and changed password' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-list')
- allow(provider).to receive(:prettytable_to_array)
- .and_return([{ 'name' => 'user1' }])
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user', 'name', 'user1')
- .and_return('HGFEDCBA0987654321')
- allow(provider).to receive(:identity_command)
- .with(resource, 'token-get', {}, 'user')
- .and_raise('Error!')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-password-update',
- 'pass' => 'password',
- '' => 'user1')
- end
-
- it 'should update user password' do
- provider.run_action(:create_user)
- expect(resource).to be_updated
- end
- end
-
- describe '#identity_command' do
- it 'should handle false values and long descriptions' do
- allow(provider).to receive(:shell_out)
- .with(['keystone', '--insecure', 'user-create', '--enabled',
- 'false', '--description', 'more than one word'],
- env: {
- 'OS_SERVICE_ENDPOINT' => nil,
- 'OS_SERVICE_TOKEN' => nil })
- .and_return double('shell_out', exitstatus: 0, stdout: 'good')
-
- expect(
- provider.send(:identity_command, resource, 'user-create',
- 'enabled' => false,
- 'description' => 'more than one word')
- ).to eq('good')
- end
- end
-
- context 'when keystone user command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_user) }.to raise_error
- end
- end
- end
-
- describe 'role grant' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('grant1', run_context)
- r.user_name('user1')
- r.tenant_name('tenant1')
- r.role_name('role1')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'when role has not already been granted' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'role', 'name', 'role1')
- .and_return('ABC1234567890DEF')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user-role', 'name', 'role1',
- 'tenant' => 'tenant1',
- 'user' => 'user1')
- .and_return('ABCD1234567890EFGH')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-role-add',
- 'tenant' => 'tenant1',
- 'role-id' => 'ABC1234567890DEF',
- 'user' => 'user1')
- end
-
- it 'should grant a role' do
- provider.run_action(:grant_role)
- expect(resource).to be_updated
- end
- end
-
- context 'when role has already been granted' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'role', 'name', 'role1')
- .and_return('ABC1234567890DEF')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user-role', 'name', 'role1',
- 'tenant' => 'tenant1',
- 'user' => 'user1')
- .and_return('ABC1234567890DEF')
- allow(provider).to receive(:identity_command)
- .with(resource, 'user-role-add',
- 'tenant' => 'tenant1',
- 'role-id' => 'ABC1234567890DEF',
- 'user' => 'user1')
- end
-
- it 'should not grant a role' do
- provider.run_action(:grant_role)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when keystone grant command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:grant_role) }.to raise_error
- end
- end
- end
-
- describe 'ec2_credentials create' do
- let(:resource) do
- r = Chef::Resource::OpenstackIdentityRegister.new('ec2', run_context)
- r.user_name('user1')
- r.tenant_name('tenant1')
- r.admin_tenant_name('admintenant1')
- r.admin_user('adminuser1')
- r.admin_pass('password')
- r.identity_endpoint('http://admin')
- r
- end
- let(:provider) do
- Chef::Provider::OpenstackIdentityRegister.new(resource, run_context)
- end
-
- context 'when ec2 creds have not already been created' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user', 'name', 'user1',
- 'tenant-id' => '1234567890ABCDEFGH')
- .and_return('HGFEDCBA0987654321')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'ec2-credentials', 'tenant', 'tenant1',
- { 'user-id' => 'HGFEDCBA0987654321' }, 'access')
- allow(provider).to receive(:identity_command)
- .with(resource, 'ec2-credentials-create',
- { 'user-id' => 'HGFEDCBA0987654321',
- 'tenant-id' => '1234567890ABCDEFGH' },
- 'admin')
- allow(provider).to receive(:prettytable_to_array)
- .and_return([{ 'access' => 'access', 'secret' => 'secret' }])
- end
-
- it 'should grant ec2 creds' do
- provider.run_action(:create_ec2_credentials)
- expect(resource).to be_updated
- end
- end
-
- context 'when ec2 creds have not already been created' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_return('1234567890ABCDEFGH')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'user', 'name', 'user1',
- 'tenant-id' => '1234567890ABCDEFGH')
- .and_return('HGFEDCBA0987654321')
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'ec2-credentials', 'tenant', 'tenant1',
- { 'user-id' => 'HGFEDCBA0987654321' }, 'access')
- .and_return('ABC1234567890DEF')
- end
-
- it 'should grant ec2 creds if they already exist' do
- provider.run_action(:create_ec2_credentials)
- expect(resource).to_not be_updated
- end
- end
-
- context 'when keystone user command fails' do
- before do
- allow(provider).to receive(:identity_uuid)
- .with(resource, 'tenant', 'name', 'tenant1')
- .and_raise('Error!')
- end
-
- it 'should raise error' do
- expect { provider.run_action(:create_ec2_credentials) }.to raise_error
- end
- end
- end
- end
-end
diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb
index c5ddd98..ab882d3 100644
--- a/spec/registration_spec.rb
+++ b/spec/registration_spec.rb
@@ -8,282 +8,143 @@ describe 'openstack-identity::registration' do
let(:node) { runner.node }
let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
let(:chef_run) { runner.converge(described_recipe) }
- let(:node_add_user) do
- node.set_unless['openstack']['identity']['users'] = {
- 'user1' => {
- 'default_tenant' => 'default_tenant1',
- 'password' => 'secret1',
- 'roles' => {
- 'role1' => ['role_tenant1'],
- 'role2' => ['default_tenant1']
- }
- }
- }
- end
include_context 'identity_stubs'
- describe 'tenant registration' do
- context 'default tenants' do
- ['admin'].each do |tenant_name|
- it "registers the #{tenant_name} tenant" do
- expect(chef_run).to create_tenant_openstack_identity_register(
- "Register '#{tenant_name}' Tenant"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- tenant_name: tenant_name,
- tenant_description: "#{tenant_name} Tenant"
- )
- end
+ connection_params = {
+ openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens',
+ openstack_username: 'admin',
+ openstack_api_key: 'admin',
+ openstack_project_name: 'admin',
+ openstack_domain_name: 'default'
+ }
+ service_name = 'keystone'
+ service_user = 'admin'
+ region = 'RegionOne'
+ project_name = 'admin'
+ role_name = 'admin'
+ password = 'admin'
+ domain_name = 'default'
+ admin_url = 'http://127.0.0.1:35357/v3'
+ public_url = 'http://127.0.0.1:5000/v3'
+ internal_url = 'http://127.0.0.1:5000/v3'
+
+ describe 'keystone bootstrap' do
+ context 'default values' do
+ it 'bootstrap with keystone-manage' do
+ expect(chef_run).to run_execute('bootstrap_keystone'
+ ).with(command: "keystone-manage bootstrap \\
+ --bootstrap-password #{password} \\
+ --bootstrap-username #{service_user} \\
+ --bootstrap-project-name #{project_name} \\
+ --bootstrap-role-name #{role_name} \\
+ --bootstrap-service-name #{service_name} \\
+ --bootstrap-region-id #{region} \\
+ --bootstrap-admin-url #{admin_url} \\
+ --bootstrap-public-url #{public_url} \\
+ --bootstrap-internal-url #{internal_url}")
end
- end
-
- context 'configured tenants from users attribute' do
- before { node_add_user }
- ['default_tenant1', 'role_tenant1'].each do |tenant_name|
- it "registers the #{tenant_name} tenant" do
- expect(chef_run).to create_tenant_openstack_identity_register(
- "Register '#{tenant_name}' Tenant"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- tenant_name: tenant_name,
- tenant_description: "#{tenant_name} Tenant"
- )
- end
- end
- end
- end
-
- describe 'role registration' do
- context 'default roles' do
- %w(admin service).each do |role_name|
- it "registers the #{role_name} role" do
- expect(chef_run).to create_role_openstack_identity_register(
- "Register '#{role_name}' Role"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- role_name: role_name
- )
- end
- end
- end
-
- context 'configured roles derived from users attribute' do
- before { node_add_user }
-
- ['role1', 'role2'].each do |role_name|
- it "registers the #{role_name} role" do
- expect(chef_run).to create_role_openstack_identity_register(
- "Register '#{role_name}' Role"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- role_name: role_name
- )
- end
- end
- end
- end
-
- describe 'user registration' do
- context 'default users' do
- user_admin = [
- 'admin', 'admin',
- ['admin', 'service']
- ]
-
- [user_admin].each do |user, tenant, roles|
- context "#{user} user" do
- it "registers the #{user} user" do
- expect(chef_run).to create_user_openstack_identity_register(
- "Register '#{user}' User"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: user,
- user_pass: 'admin',
- tenant_name: tenant
- )
- end
-
- roles.each do |role|
- it "grants '#{role}' role to '#{user}' user in 'admin' tenant" do
- expect(chef_run).to grant_role_openstack_identity_register(
- "Grant '#{role}' Role to '#{user}' User in 'admin' Tenant"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: user,
- role_name: role,
- tenant_name: 'admin',
- action: [:grant_role]
- )
- end
- end
-
- it 'registers the admin user for ec2' do
- expect(chef_run).to create_ec2_credentials_openstack_identity_register(
- "Create EC2 credentials for 'admin' user"
- ).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: user,
- tenant_name: tenant,
- admin_tenant_name: 'admin',
- admin_user: 'admin',
- admin_pass: 'admin'
- )
- end
- end
- end
- end
-
- context 'configured user' do
- before { node_add_user }
-
- it 'registers the user1 user' do
- expect(chef_run).to create_user_openstack_identity_register(
- "Register 'user1' User"
+ it "registers #{domain_name} domain" do
+ expect(chef_run).to create_openstack_domain(
+ domain_name
).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: 'user1',
- user_pass: 'secret1',
- tenant_name: 'default_tenant1'
+ connection_params: connection_params
)
end
- it "grants 'role1' role to 'user1' user in 'role_tenant1' tenant" do
- expect(chef_run).to grant_role_openstack_identity_register(
- "Grant 'role1' Role to 'user1' User in 'role_tenant1' Tenant"
+ it "grants #{service_user} user to #{domain_name} domain" do
+ expect(chef_run).to grant_domain_openstack_user(
+ service_user
).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: 'user1',
- role_name: 'role1',
- tenant_name: 'role_tenant1'
+ domain_name: domain_name,
+ role_name: role_name,
+ connection_params: connection_params
)
end
- it 'registers the user1 user for ec2' do
- expect(chef_run).to create_ec2_credentials_openstack_identity_register(
- "Create EC2 credentials for 'user1' user"
+ it 'create service role' do
+ expect(chef_run).to create_openstack_role(
+ 'service'
).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- user_name: 'user1',
- tenant_name: 'default_tenant1',
- admin_tenant_name: 'admin',
- admin_user: 'admin',
- admin_pass: 'admin'
+ connection_params: connection_params
+ )
+ end
+
+ it 'create service role' do
+ expect(chef_run).to create_openstack_role(
+ '_member_'
+ ).with(
+ connection_params: connection_params
)
end
end
- end
-
- describe 'service registration' do
- context 'with templated catalog backend' do
+ context 'all different values' do
+ connection_params_other = {
+ openstack_auth_url: 'https://admin.identity:1234/v3/auth/tokens',
+ openstack_username: 'identity_admin',
+ openstack_api_key: 'identity_admin_pass',
+ openstack_project_name: 'admin_project',
+ openstack_domain_name: 'identity_domain'
+ }
before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
+ node.set['openstack']['endpoints']['admin']['identity']['uri'] =
+ 'https://admin.identity:1234/v3'
+ node.set['openstack']['endpoints']['internal']['identity']['uri'] =
+ 'https://internal.identity:5678/v3'
+ node.set['openstack']['endpoints']['public']['identity']['uri'] =
+ 'https://public.identity:9753/v3'
+ node.set['openstack']['region'] = 'otherRegion'
+ node.set['openstack']['identity']['admin_project'] = 'admin_project'
+ node.set['openstack']['identity']['admin_user'] = 'identity_admin'
+ node.set['openstack']['identity']['admin_role'] = 'identity_role'
+ node.set['openstack']['identity']['admin_domain_name'] =
+ 'identity_domain'
end
- it 'does not register identity service' do
- expect(chef_run).to_not create_service_openstack_identity_register(
- 'Register Identity Service'
- )
+ it 'bootstrap with keystone-manage' do
+ expect(chef_run).to run_execute('bootstrap_keystone'
+ ).with(command: "keystone-manage bootstrap \\
+ --bootstrap-password identity_admin_pass \\
+ --bootstrap-username identity_admin \\
+ --bootstrap-project-name admin_project \\
+ --bootstrap-role-name identity_role \\
+ --bootstrap-service-name #{service_name} \\
+ --bootstrap-region-id otherRegion \\
+ --bootstrap-admin-url https://admin.identity:1234/v3 \\
+ --bootstrap-public-url https://public.identity:9753/v3 \\
+ --bootstrap-internal-url https://internal.identity:5678/v3")
end
- end
- context 'with sql catalog backend' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'sql'
- end
- it 'registers identity service' do
- expect(chef_run).to create_service_openstack_identity_register(
- 'Register Identity Service'
+ it 'registers identity_domain domain' do
+ expect(chef_run).to create_openstack_domain(
+ 'identity_domain'
).with(
- service_name: 'keystone',
- service_type: 'identity',
- service_description: 'Keystone Identity Service'
+ connection_params: connection_params_other
)
end
- end
- end
- describe 'endpoint registration' do
- context 'with templated catalog backend' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
- end
-
- it 'does not register identity endpoint' do
- expect(chef_run).to_not create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
- )
- end
- end
-
- context 'with sql catalog backend' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'sql'
- end
- it 'registers identity endpoints' do
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
+ it 'grants identity_admin user to identity_domain domain' do
+ expect(chef_run).to grant_domain_openstack_user(
+ 'identity_admin'
).with(
- auth_uri: 'http://127.0.0.1:35357/v2.0',
- bootstrap_token: 'bootstrap-token',
- service_type: 'identity',
- endpoint_region: 'RegionOne',
- endpoint_adminurl: 'http://127.0.0.1:35357/v2.0',
- endpoint_internalurl: 'http://127.0.0.1:5000/v2.0',
- endpoint_publicurl: 'http://127.0.0.1:5000/v2.0'
+ domain_name: 'identity_domain',
+ role_name: 'identity_role',
+ connection_params: connection_params_other
)
end
- it 'overrides identity endpoint region' do
- node.set['openstack']['identity']['region'] = 'identityRegion'
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
- ).with(endpoint_region: 'identityRegion')
- end
-
- it 'overrides identity endpoints' do
- node.set['openstack']['endpoints']['admin']['identity']['host'] = '127.0.0.2'
- node.set['openstack']['endpoints']['admin']['identity']['port'] = '5002'
- node.set['openstack']['endpoints']['admin']['identity']['path'] = '/v2.2'
- node.set['openstack']['endpoints']['internal']['identity']['host'] = '127.0.0.3'
- node.set['openstack']['endpoints']['internal']['identity']['port'] = '5003'
- node.set['openstack']['endpoints']['internal']['identity']['path'] = '/v2.3'
- node.set['openstack']['endpoints']['public']['identity']['host'] = '127.0.0.4'
- node.set['openstack']['endpoints']['public']['identity']['port'] = '5004'
- node.set['openstack']['endpoints']['public']['identity']['path'] = '/v2.4'
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
+ it 'create service role' do
+ expect(chef_run).to create_openstack_role(
+ 'service'
).with(
- endpoint_adminurl: 'http://127.0.0.2:5002/v2.2',
- endpoint_internalurl: 'http://127.0.0.3:5003/v2.3',
- endpoint_publicurl: 'http://127.0.0.4:5004/v2.4'
+ connection_params: connection_params_other
)
end
-
- it 'register endpoint with all different URLs' do
- public_url = 'https://public.host:789/public_path'
- internal_url = 'http://internal.host:456/internal_path'
- admin_url = 'https://admin.host:123/admin_path'
- node.set['openstack']['endpoints']['public']['identity']['uri'] = public_url
- node.set['openstack']['endpoints']['internal']['identity']['uri'] = internal_url
- node.set['openstack']['endpoints']['admin']['identity']['uri'] = admin_url
-
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
+ it 'create service role' do
+ expect(chef_run).to create_openstack_role(
+ '_member_'
).with(
- endpoint_adminurl: admin_url,
- endpoint_internalurl: internal_url,
- endpoint_publicurl: public_url
+ connection_params: connection_params_other
)
end
end
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index 1d7bc8c..0889045 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@@ -135,11 +135,6 @@ describe 'openstack-identity::server-apache' do
end
describe '[DEFAULT] section' do
- it 'has admin token' do
- r = line_regexp('admin_token = bootstrap-token')
- expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', r)
- end
-
describe 'syslog configuration' do
log_file = %r{^log_dir = /var/log/keystone$}
log_conf = %r{^log_config_append = /\w+}
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index a968a8b..65550bc 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -12,7 +12,7 @@ REDHAT_OPTS = {
}.freeze
UBUNTU_OPTS = {
platform: 'ubuntu',
- version: '14.04',
+ version: '16.04',
log_level: LOG_LEVEL
}.freeze
@@ -47,8 +47,8 @@ shared_context 'identity_stubs' do
.with('user', 'user1')
.and_return('secret1')
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
- .with('token', 'openstack_identity_bootstrap_token')
- .and_return('bootstrap-token')
+ .with('user', 'identity_admin')
+ .and_return('identity_admin_pass')
stub_command('/usr/sbin/apache2 -t')
allow_any_instance_of(Chef::Recipe).to receive(:search_for)
.with('os-identity').and_return(
diff --git a/templates/default/openrc.erb b/templates/default/openrc.erb
index 76e64f2..2c1ee37 100644
--- a/templates/default/openrc.erb
+++ b/templates/default/openrc.erb
@@ -2,8 +2,11 @@
# COMMON OPENSTACK ENVS
export OS_USERNAME=<%= @user %>
+export OS_USER_DOMAIN_NAME=<%= @user_domain_name %>
export OS_PASSWORD=<%= @password %>
-export OS_TENANT_NAME=<%= @tenant %>
+export OS_PROJECT_NAME=<%= @project %>
+export OS_PROJECT_DOMAIN_NAME=<%= @project_domain_name %>
+export OS_IDENTITY_API_VERSION=<%= @api_version %>
export OS_AUTH_URL=<%= @identity_endpoint %>
export OS_REGION_NAME=<%= node['openstack']['region'] %>