monitord user for safe API notification creation
Added monitord user with password to astute.yaml file. This is used by Puppet manifests to create the 'monitord' user with the 'monitord' role. This allows safe access to the API's /notification resource. Using the Keystone admin_token is neither recommended nor possible (Keystone doesn't treat admin_token as representing any user, so /notifications returns 401). Change-Id: I5b4fea9e6811c2d995f058b4a0a11025e04f33fb Partial-Bug: #1371757
parent
dc72c0d917
commit
d46db29c63
|
@ -0,0 +1,60 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Copyright 2015 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import logging
|
||||
|
||||
from fuel_upgrade import utils
|
||||
|
||||
from fuel_upgrade.engines.host_system import HostSystemUpgrader
|
||||
from fuel_upgrade.pre_upgrade_hooks.base import PreUpgradeHookBase
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class AddMonitordKeystoneCredentialsHook(PreUpgradeHookBase):
|
||||
"""Monitoring service Keystone credentials: [1].
|
||||
|
||||
This patch updates the astute.yaml file adding 'monitord' user credentials.
|
||||
This user is required to create Fuel notifications when disk space on
|
||||
master node is getting low. We don't want to use the standard 'admin' user
|
||||
because when user changes password via UI it's not reflected in the
|
||||
astute.yaml file.
|
||||
|
||||
[1] https://bugs.launchpad.net/fuel/+bug/1371757
|
||||
"""
|
||||
|
||||
# : This hook required only for docker and host system engines
|
||||
enable_for_engines = [HostSystemUpgrader]
|
||||
|
||||
# : New credentials
|
||||
keystone_config = {
|
||||
'keystone': {
|
||||
"monitord_user": "monitord",
|
||||
"monitord_password": utils.generate_uuid_string(),
|
||||
}
|
||||
}
|
||||
|
||||
def check_if_required(self):
|
||||
return len(
|
||||
set(self.keystone_config['keystone']).difference(
|
||||
self.config.astute.get('keystone', {})
|
||||
)
|
||||
)
|
||||
|
||||
def run(self):
|
||||
"""Adds default credentials to config file
|
||||
"""
|
||||
self.update_astute_config(defaults=self.keystone_config)
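Review bot: `check_if_required` only tests that the `monitord_user` and `monitord_password` keys exist under `keystone`, so an astute.yaml that carries them with empty values counts as already configured and the hook is skipped, which would leave the monitoring account with a blank password. Consider testing the values as well, e.g. `keystone = self.config.astute.get('keystone', {})` followed by `return any(not keystone.get(k) for k in self.keystone_config['keystone'])`; whether `update_astute_config(defaults=...)` would then replace an empty value is not visible here and should be confirmed. Separately, `monitord_password` comes from `utils.generate_uuid_string()` in a class attribute, while the fresh-install path on this page uses `pwgen.password()`; since the value is a credential, it is worth confirming that the helper draws on a random (uuid4-style) source rather than a time- or host-derived one. The comment above `enable_for_engines` mentions docker, but only `HostSystemUpgrader` is listed.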
|
|
@ -31,6 +31,8 @@ from fuel_upgrade.pre_upgrade_hooks.from_5_1_to_any_add_keystone_credentials \
|
|||
import AddKeystoneCredentialsHook
|
||||
from fuel_upgrade.pre_upgrade_hooks.from_5_1_to_any_ln_fuelweb_x86_64 \
|
||||
import AddFuelwebX8664LinkForUbuntu
|
||||
from fuel_upgrade.pre_upgrade_hooks.from_6_0_to_any_add_monitord_credentials \
|
||||
import AddMonitordKeystoneCredentialsHook
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -47,6 +49,7 @@ class PreUpgradeHookManager(object):
|
|||
AddCredentialsHook,
|
||||
AddFuelwebX8664LinkForUbuntu,
|
||||
AddKeystoneCredentialsHook,
|
||||
AddMonitordKeystoneCredentialsHook,
|
||||
FixPuppetManifests,
|
||||
FixHostSystemRepoHook,
|
||||
SyncDnsHook,
|
||||
|
|
|
@ -39,6 +39,8 @@ from fuel_upgrade.pre_upgrade_hooks.from_5_1_to_any_add_keystone_credentials \
|
|||
import AddKeystoneCredentialsHook
|
||||
from fuel_upgrade.pre_upgrade_hooks.from_5_1_to_any_ln_fuelweb_x86_64 \
|
||||
import AddFuelwebX8664LinkForUbuntu
|
||||
from fuel_upgrade.pre_upgrade_hooks.from_6_0_to_any_add_monitord_credentials \
|
||||
import AddMonitordKeystoneCredentialsHook
|
||||
|
||||
|
||||
class TestPreUpgradeHooksBase(BaseTestCase):
|
||||
|
@ -555,3 +557,58 @@ class TestCopyOpenstackReleaseVersions(TestPreUpgradeHooksBase):
|
|||
mock_utils.copy_if_exists.call_args_list,
|
||||
[mock.call(self.hook.version_path_5_0,
|
||||
self.hook.dst_version_path_5_0)])
|
||||
|
||||
|
||||
class TestAddMonitordKeystoneCredentialsHook(TestPreUpgradeHooksBase):
|
||||
|
||||
HookClass = AddMonitordKeystoneCredentialsHook
|
||||
|
||||
def setUp(self):
|
||||
super(TestAddMonitordKeystoneCredentialsHook, self).setUp()
|
||||
self.monitord_keys = [
|
||||
'monitord_user',
|
||||
'monitord_password',
|
||||
]
|
||||
|
||||
def test_is_required_returns_true(self):
|
||||
hook = self.get_hook({})
|
||||
self.assertTrue(hook.check_if_required())
|
||||
|
||||
def test_is_required_returns_false(self):
|
||||
hook = self.get_hook({
|
||||
'astute': {
|
||||
'keystone': {
|
||||
'monitord_user': '',
|
||||
'monitord_password': '',
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
self.assertFalse(hook.check_if_required())
|
||||
|
||||
@mock.patch('fuel_upgrade.pre_upgrade_hooks.base.read_yaml_config')
|
||||
@mock.patch('fuel_upgrade.pre_upgrade_hooks.base.utils.copy_file')
|
||||
@mock.patch('fuel_upgrade.pre_upgrade_hooks.base.utils.save_as_yaml')
|
||||
def test_run(self, msave_as_yaml, mcopy_file, mread_yaml_config):
|
||||
file_key = 'this_key_was_here_before_upgrade'
|
||||
file_value = 'some value'
|
||||
hook = self.get_hook({
|
||||
'astute': {
|
||||
'keystone': {file_key: file_value}}
|
||||
})
|
||||
mread_yaml_config.return_value = hook.config.astute
|
||||
hook.run()
|
||||
|
||||
mcopy_file.assert_called_once_with(
|
||||
'/etc/fuel/astute.yaml',
|
||||
'/etc/fuel/astute.yaml_0',
|
||||
overwrite=False)
|
||||
|
||||
args = msave_as_yaml.call_args
|
||||
self.assertEqual(args[0][0], '/etc/fuel/astute.yaml')
|
||||
|
||||
# Check that all required keys are in method call
|
||||
called_config = args[0][1]['keystone']
|
||||
self.assertTrue(set(self.monitord_keys).issubset(called_config))
|
||||
# Check that nothing else was changed
|
||||
self.assertEqual(called_config[file_key], file_value)
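Review bot: `test_run` asserts only that the two monitord keys are present in the saved config, so it would still pass if the hook wrote an empty or constant password. Adding `self.assertEqual(called_config['monitord_user'], 'monitord')` and `self.assertTrue(called_config['monitord_password'])` would pin the values that the user creation relies on. `test_is_required_returns_false` also fixes the behaviour that empty-string credentials count as already present; if that is not intended, the fixture should use non-empty values.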
|
||||
|
|
|
@ -384,6 +384,8 @@ def save_only(iface, settingsfile='/etc/fuel/astute.yaml'):
|
|||
"keystone/ostf_password": pwgen.password(),
|
||||
"keystone/nailgun_user": "nailgun",
|
||||
"keystone/nailgun_password": pwgen.password(),
|
||||
"keystone/monitord_user": "monitord",
|
||||
"keystone/monitord_password": pwgen.password(),
|
||||
"mcollective/user": "mcollective",
|
||||
"mcollective/password": pwgen.password(),
|
||||
"postgres/keystone_dbname": "keystone",
|
||||
|
|
|
@ -70,6 +70,16 @@ class servicepws(urwid.WidgetWrap):
|
|||
"label": "Keystone password for OSTF",
|
||||
"tooltip": "",
|
||||
"value": pwgen.password()},
|
||||
"keystone/monitord_user": {
|
||||
"label": "Master node monitoring user",
|
||||
"tooltip": "",
|
||||
"value": "monitord"
|
||||
},
|
||||
"keystone/monitord_password": {
|
||||
"label": "Master node monitoring password",
|
||||
"tooltip": "",
|
||||
"value": pwgen.password(),
|
||||
},
|
||||
"mcollective/user": {"label": "Mcollective user",
|
||||
"tooltip": "",
|
||||
"value": "mcollective"},
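Review bot: Both new entries ship with an empty `tooltip`, so the operator sees a credential field with no explanation of what the account is for. A short text such as `"tooltip": "Keystone user the master node monitor uses to create notifications"` on `keystone/monitord_user`, with a matching one on the password, would document it. The new entries close their braces on separate lines while the neighbouring entries close inline; matching the surrounding style keeps the dict uniform. The enclosing dict starts and ends outside the hunk.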
|
||||
|
|