bootstrap keystone using new bootstrap command
Be gone ADMIN_TOKEN, long live keystone-manage bootstrap. This patch reworks the initial setup for keystone by using the new bootstrap command. After a minimal service catalog has been created, using this process, we simply authenticate as usual. implements bp: bootstrap Depends-On: I113c6934b6b83ceff23a94101967a6df1126873f Change-Id: Ia1475d461eab60b68c6a0356714b21c7f92e0194
This commit is contained in:
Steve Martinelli
parent
8df31a107d
commit
923be5f791
76
lib/keystone
76
lib/keystone
|
|
@ -12,7 +12,6 @@
|
|||
# - ``IDENTITY_API_VERSION``
|
||||
# - ``BASE_SQL_CONN``
|
||||
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
|
||||
# - ``SERVICE_TOKEN``
|
||||
# - ``S3_SERVICE_PORT`` (template backend only)
|
||||
|
||||
# ``stack.sh`` calls the entry points in this order:
|
||||
|
|
@ -22,6 +21,7 @@
|
|||
# - _config_keystone_apache_wsgi
|
||||
# - init_keystone
|
||||
# - start_keystone
|
||||
# - bootstrap_keystone
|
||||
# - create_keystone_accounts
|
||||
# - stop_keystone
|
||||
# - cleanup_keystone
|
||||
|
|
@ -230,8 +230,6 @@ function configure_keystone {
|
|||
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
||||
fi
|
||||
|
||||
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
|
||||
|
||||
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
|
||||
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
|
||||
fi
|
||||
|
|
@ -324,14 +322,16 @@ function configure_keystone {
|
|||
# Migrated from keystone_data.sh
|
||||
function create_keystone_accounts {
|
||||
|
||||
# admin
|
||||
# The keystone bootstrapping process (performed via keystone-manage bootstrap)
|
||||
# creates an admin user, admin role and admin project. As a sanity check
|
||||
# we exercise the CLI to retrieve the IDs for these values.
|
||||
local admin_tenant
|
||||
admin_tenant=$(get_or_create_project "admin" default)
|
||||
admin_tenant=$(openstack project show "admin" -f value -c id)
|
||||
local admin_user
|
||||
admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default)
|
||||
admin_user=$(openstack user show "admin" -f value -c id)
|
||||
local admin_role
|
||||
admin_role=$(get_or_create_role "admin")
|
||||
get_or_add_user_project_role $admin_role $admin_user $admin_tenant
|
||||
admin_role=$(openstack role show "admin" -f value -c id)
|
||||
|
||||
get_or_add_user_domain_role $admin_role $admin_user default
|
||||
|
||||
# Create service project/role
|
||||
|
|
@ -381,17 +381,6 @@ function create_keystone_accounts {
|
|||
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
|
||||
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
|
||||
get_or_add_group_project_role $admin_role $admin_group $admin_tenant
|
||||
|
||||
# Keystone
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
get_or_create_service "keystone" "identity" "Keystone Identity Service"
|
||||
get_or_create_endpoint "identity" \
|
||||
"$REGION_NAME" \
|
||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
|
||||
"$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
|
||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
|
||||
fi
|
||||
}
|
||||
|
||||
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
||||
|
|
@ -565,6 +554,55 @@ function stop_keystone {
|
|||
stop_process key
|
||||
}
|
||||
|
||||
# bootstrap_keystone() - Initialize user, role and project
|
||||
# This function uses the following GLOBAL variables:
|
||||
# - ``KEYSTONE_BIN_DIR``
|
||||
# - ``ADMIN_PASSWORD``
|
||||
# - ``IDENTITY_API_VERSION``
|
||||
# - ``KEYSTONE_CATALOG_BACKEND``
|
||||
# - ``KEYSTONE_AUTH_URI``
|
||||
# - ``REGION_NAME``
|
||||
# - ``KEYSTONE_SERVICE_PROTOCOL``
|
||||
# - ``KEYSTONE_SERVICE_HOST``
|
||||
# - ``KEYSTONE_SERVICE_PORT``
|
||||
function bootstrap_keystone {
|
||||
|
||||
# Initialize keystone, this will create an 'admin' user, 'admin' project,
|
||||
# 'admin' role, and assign the user the role on the project. These resources
|
||||
# are created only if they do not already exist.
|
||||
$KEYSTONE_BIN_DIR/keystone-manage bootstrap --bootstrap-password $ADMIN_PASSWORD
|
||||
|
||||
# Create the keystone service and endpoints. To do this with the new
|
||||
# bootstrapping process, we need to get a token and use that token to
|
||||
# interact with the new APIs. The token will only be used to create services
|
||||
# and endpoints, thus creating a minimal service catalog.
|
||||
# They are unset immediately after.
|
||||
# TODO(stevemar): OpenStackClient and KeystoneClient do not have support to
|
||||
# handle interactions that not return service catalogs. Eventually remove
|
||||
# this section when the support is in place. Use token based auth for now.
|
||||
local token_id
|
||||
token_id=$(openstack token issue -c id -f value \
|
||||
--os-username admin --os-project-name admin \
|
||||
--os-user-domain-id default --os-project-domain-id default \
|
||||
--os-identity-api-version 3 --os-auth-url $KEYSTONE_AUTH_URI \
|
||||
--os-password $ADMIN_PASSWORD)
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
export OS_TOKEN=$token_id
|
||||
export OS_URL=$KEYSTONE_AUTH_URI/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
get_or_create_service "keystone" "identity" "Keystone Identity Service"
|
||||
get_or_create_endpoint "identity" \
|
||||
"$REGION_NAME" \
|
||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
|
||||
"$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION" \
|
||||
"$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
|
||||
fi
|
||||
|
||||
unset OS_TOKEN OS_URL OS_IDENTITY_API_VERSION
|
||||
}
|
||||
|
||||
# Restore xtrace
|
||||
$_XTRACE_KEYSTONE
|
||||
|
|
|
|||
|
|
@ -23,10 +23,8 @@
|
|||
# While ``stack.sh`` is happy to run without ``localrc``, devlife is better when
|
||||
# there are a few minimal variables set:
|
||||
|
||||
# If the ``SERVICE_TOKEN`` and ``*_PASSWORD`` variables are not set
|
||||
# here you will be prompted to enter values for them by ``stack.sh``
|
||||
# and they will be added to ``local.conf``.
|
||||
SERVICE_TOKEN=azertytoken
|
||||
# If the ``*_PASSWORD`` variables are not set here you will be prompted to enter
|
||||
# values for them by ``stack.sh``and they will be added to ``local.conf``.
|
||||
ADMIN_PASSWORD=nomoresecrete
|
||||
DATABASE_PASSWORD=stackdb
|
||||
RABBIT_PASSWORD=stackqueue
|
||||
|
|
|
|||
59
stack.sh
59
stack.sh
|
|
@ -652,9 +652,6 @@ fi
|
|||
# --------
|
||||
|
||||
if is_service_enabled keystone; then
|
||||
# The ``SERVICE_TOKEN`` is used to bootstrap the Keystone database. It is
|
||||
# just a string and is not a 'real' Keystone token.
|
||||
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN."
|
||||
# Services authenticate to Identity with servicename/``SERVICE_PASSWORD``
|
||||
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
|
||||
# Horizon currently truncates usernames and passwords at 20 characters
|
||||
|
|
@ -994,22 +991,34 @@ if is_service_enabled keystone; then
|
|||
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
|
||||
init_keystone
|
||||
start_keystone
|
||||
bootstrap_keystone
|
||||
fi
|
||||
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
# Set up a temporary admin URI for Keystone
|
||||
SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v3
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||
# Until the client support is fixed, just use the internal endpoint
|
||||
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v3
|
||||
fi
|
||||
|
||||
# Setup OpenStackClient token-endpoint auth
|
||||
export OS_TOKEN=$SERVICE_TOKEN
|
||||
export OS_URL=$SERVICE_ENDPOINT
|
||||
# Rather than just export these, we write them out to a
|
||||
# intermediate userrc file that can also be used to debug if
|
||||
# something goes wrong between here and running
|
||||
# tools/create_userrc.sh (this script relies on services other
|
||||
# than keystone being available, so we can't call it right now)
|
||||
cat > $TOP_DIR/userrc_early <<EOF
|
||||
# Use this for debugging issues before files in accrc are created
|
||||
|
||||
# Set up password auth credentials now that Keystone is bootstrapped
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
|
||||
export OS_USERNAME=admin
|
||||
export OS_USER_DOMAIN_ID=default
|
||||
export OS_PASSWORD=$ADMIN_PASSWORD
|
||||
export OS_PROJECT_NAME=admin
|
||||
export OS_PROJECT_DOMAIN_ID=default
|
||||
export OS_REGION_NAME=$REGION_NAME
|
||||
|
||||
EOF
|
||||
|
||||
source $TOP_DIR/userrc_early
|
||||
|
||||
create_keystone_accounts
|
||||
create_nova_accounts
|
||||
|
|
@ -1025,30 +1034,6 @@ if is_service_enabled keystone; then
|
|||
create_heat_accounts
|
||||
fi
|
||||
|
||||
# Begone token auth
|
||||
unset OS_TOKEN OS_URL
|
||||
|
||||
# Rather than just export these, we write them out to a
|
||||
# intermediate userrc file that can also be used to debug if
|
||||
# something goes wrong between here and running
|
||||
# tools/create_userrc.sh (this script relies on services other
|
||||
# than keystone being available, so we can't call it right now)
|
||||
cat > $TOP_DIR/userrc_early <<EOF
|
||||
# Use this for debugging issues before files in accrc are created
|
||||
|
||||
# Set up password auth credentials now that Keystone is bootstrapped
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
|
||||
export OS_USERNAME=admin
|
||||
export OS_USER_DOMAIN_ID=default
|
||||
export OS_PASSWORD=$ADMIN_PASSWORD
|
||||
export OS_PROJECT_NAME=admin
|
||||
export OS_PROJECT_DOMAIN_ID=default
|
||||
export OS_REGION_NAME=$REGION_NAME
|
||||
|
||||
EOF
|
||||
|
||||
source $TOP_DIR/userrc_early
|
||||
|
||||
fi
|
||||
|
||||
# Write a clouds.yaml file
|
||||
|
|
|
|||
Loading…
Reference in New Issue