Documentation update after refactoring

* added a lot of inline comments for attributes, recipes and provider
* updated README to the current state of the cookbook

Change-Id: Ic7b7ae6d26ce56e2237fe3215aff9ab447946b48
This commit is contained in:
Jan Klare
2016-04-21 09:13:04 -05:00
parent 24757760b3
commit 4fda2a0d5b
13 changed files with 360 additions and 447 deletions


@@ -1,6 +1,6 @@
# This configuration was generated by
# `rubocop --auto-gen-config`
# on 2016-02-16 10:26:21 +0100 using RuboCop version 0.34.2.
# on 2016-04-26 16:37:57 -0500 using RuboCop version 0.34.2.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
@@ -27,5 +27,5 @@ Style/Documentation:
Exclude:
- 'recipes/_fernet_tokens.rb'
- 'recipes/client.rb'
- 'recipes/openrc.rb'
- 'recipes/registration.rb'
- 'recipes/server-apache.rb'
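Review bot: the `Style/Documentation` exclude list still carries every recipe, `recipes/_fernet_tokens.rb` through `recipes/server-apache.rb`, even though the stated purpose of this commit is to add inline documentation to the recipes; a one-line top-of-file comment in each recipe would satisfy the cop and let these exclusions be dropped from the todo file instead of being curated by hand. Regenerating the todo file also only bumped the `# on ...` timestamp in the header hunk above, which is churn unrelated to the change.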

489
README.md

@@ -1,357 +1,204 @@
Description
===========
This cookbook installs the OpenStack Identity Service **Keystone** as part of the OpenStack reference deployment Chef for OpenStack. The https://github.com/openstack/openstack-chef-repo contains documentation for using this cookbook in the context of a full OpenStack deployment. Keystone is installed from packages, creating the default user, tenant, and roles. It also registers the identity service and identity endpoint.
This cookbook installs the OpenStack Identity Service **Keystone** as part of
the OpenStack reference deployment Chef for OpenStack. The
https://github.com/openstack/openstack-chef-repo contains documentation for
using this cookbook in the context of a full OpenStack deployment. Keystone is
installed from packages, creating the default user, tenant, and roles. It also
registers the identity service and identity endpoint.
http://keystone.openstack.org/
http://keystone.openstack.org
Requirements
============
Chef 0.10.0 or higher required (for Chef environment use)
- Chef 12 or higher
- chefdk 0.9.0 for testing (also includes berkshelf for cookbook dependency
resolution)
Platform
========
- ubuntu
- redhat
- centos
Cookbooks
---------
=========
The following cookbooks are dependencies:
* openstack-common
Usage
=====
client
------
Installs the keystone client packages
server (deprecated, will be removed in M release)
------
Installs and Configures Keystone Service
```json
"run_list": [
"recipe[openstack-identity::server]"
]
```
server-apache
-------------
Installs and Configures Keystone Service under Apache
```json
"run_list": [
"recipe[openstack-identity::server-apache]"
]
```
Resources/Providers
===================
These resources provide an abstraction layer for interacting with the keystone server's API, allowing for other nodes to register any required users, tenants, roles, services, or endpoints.
register
--------
Register users, tenants, roles, services and endpoints with Keystone
### Actions
- :create_tenant: Create a tenant
- :create_user: Create a user for a specified tenant
- :create_role: Create a role
- :grant_role: Grant a role to a specified user for a specified tenant
- :create_service: Create a service
- :create_endpoint: Create an endpoint for a sepcified service
### General Attributes
- auth_protocol: Required communication protocol with Keystone server
- Acceptable values are [ "http", "https" ]
- auth_host: Keystone server IP Address
- auth_port: Port Keystone server is listening on
- api_ver: API Version for Keystone server
- Accepted values are [ "/v2.0" ]
- auth_token: Auth Token for communication with Keystone server
- misc_keystone: Array of strings to be added to the keystone.conf file
### :create_tenant Specific Attributes
- tenant_name: Name of tenant to create
- tenant_description: Description of tenant to create
- tenant_enabled: Enable or Disable tenant
- Accepted values are [ "true", "false" ]
- Default is "true"
### :create_user Specific Attributes
- user_name: Name of user account to create
- user_pass: Password for the user account
- user_enabled: Enable or Disable user
- Accepted values are [ "true", "false" ]
- Default is "true"
- tenant_name: Name of tenant to create user in
### :create_role Specific Attributes
- role_name: Name of the role to create
### :grant_role Specific Attributes
- role_name: Name of the role to grant
- user_name: User name to grant the role to
- tenant_name: Name of tenant to grant role in
### :create_service Specific Attributes
- service_name: Name of service
- service_description: Description of service
- service_type: Type of service to create
- Accepted values are [ "image", "identity", "compute", "storage", "ec2", "volume", "object-store", "metering", "network", "orchestration", "cloudformation" ]
- **NOTE:** call will be skipped if `openstack['identity']['catalog']['backend']` is set to 'templated'
### :create_endpoint Specific Attributes
- endpoint_region: Default value is "RegionOne"
- endpoint_adminurl: URL to admin endpoint (using admin port)
- endpoint_internalurl: URL to service endpoint (using service port)
- endpoint_publicurl: URL to public endpoint
- Default is same as endpoint_internalURL
- service_type: Type of service to create endpoint for
- Accepted values are [ "image", "identity", "compute", "storage", "ec2", "volume", "object-store", "metering", "network", "orchestration", "cloudformation" ]
- **NOTE:** call will be skipped if `openstack['identity']['catalog']['backend']` is set to 'templated'
### Examples
# Create 'openstack' tenant
openstack_identity_register "Register 'openstack' Tenant" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
tenant_description "Default Tenant"
tenant_enabled "true" # Not required as this is the default
action :create_tenant
end
# Create 'admin' user
openstack_identity_register "Register 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
user_pass "secrete"
user_enabled "true" # Not required as this is the default
action :create_user
end
# Create 'admin' role
openstack_identity_register "Register 'admin' Role" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
role_name role_key
action :create_role
end
# Grant 'admin' role to 'admin' user in the 'openstack' tenant
openstack_identity_register "Grant 'admin' Role to 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
role_name "admin"
action :grant_role
end
# Create 'identity' service
openstack_identity_register "Register Identity Service" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_name "keystone"
service_type "identity"
service_description "Keystone Identity Service"
action :create_service
end
# Create 'identity' endpoint
openstack_identity_register "Register Identity Endpoint" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_type "identity"
endpoint_region "RegionOne"
endpoint_adminurl "http://192.168.1.10:35357/v2.0"
endpoint_internalurl "http://192.168.1.10:5001/v2.0"
endpoint_publicurl "http://1.2.3.4:5001/v2.0"
action :create_endpoint
end
credentials
-----------
Create EC2 credentials for a given user in the specified tenant
### Actions
- :create_ec2: create EC2 credentials
### General Attributes
- auth_protocol: Required communication protocol with Keystone server. Acceptable values are [ "http", "https" ]
- auth_host: Keystone server IP Address
- auth_port: Port Keystone server is listening on
- api_ver: API Version for Keystone server
- Accepted values are [ "/v2.0" ]
- auth_token: Auth Token for communication with Keystone server
### :create_ec2 Specific Attributes
- user_name: User name to grant the credentials for
- tenant_name: Tenant name to grant the credentials in
### Examples
openstack_identity_credentials "Create EC2 credentials for 'admin' user" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
user_name "admin"
tenant_name "openstack"
end
- 'apache2', '~> 3.1'
- 'openstack-common', '>= 13.0.0'
Attributes
==========
**TODO**: Clean up after refactoring.
Please refer to the Common cookbook for more attributes.
Please see the extensive inline documentation in `attributes/*.rb` for
descriptions of all the settable attributes for this cookbook.
* `openstack['identity']['db_server_chef_role']` - The name of the Chef role that knows about the db server
* `openstack['identity']['user']` - User keystone runs as
* `openstack['identity']['group']` - Group keystone runs as
* `openstack['identity']['db']` - Name of keystone database
* `openstack['identity']['db_user']` - Username for keystone database access
* `openstack['identity']['db_passwd']` - Password for keystone database access
* `openstack['identity']['db_ipaddress']` - IP address of the keystone database
* `openstack['identity']['api_ipaddress']` - IP address for the keystone API to bind to. _TODO_: Rename to bind_address
* `openstack['identity']['admin_token']` - Admin token for bootstraping keystone server
* `openstack['identity']['admin_workers']` - The number of worker processes to serve the admin WSGI application
* `openstack['identity']['public_workers']` - The number of worker processes to serve the public WSGI application
* `openstack['identity']['roles']` - Array of roles to create in the keystone server
* `openstack['identity']['users']` - Array of users to create in the keystone server
* `openstack['identity']['pastefile_url']` - Specify the URL for a keystone-paste.ini file that will override the default packaged file
* `openstack['identity']['token']['expiration']` - Token validity time in seconds
* `openstack['identity']['token']['hash_algorithm']` - Hash algorithms to use for hashing PKI tokens
* `openstack['identity']['catalog']['backend']` - Storage mechanism for the keystone service catalog
* `openstack['identity']["control_exchange"]` - The AMQP exchange to connect to if using RabbitMQ or Qpid, defaults to openstack
* `openstack['identity']['rpc_backend']` - The messaging module to use
* `openstack['identity']['rpc_thread_pool_size']` - Size of RPC thread pool
* `openstack['identity']['rpc_conn_pool_size']` - Size of RPC connection pool
* `openstack['identity']['rpc_response_timeout']` - Seconds to wait for a response from call or multicall
* `openstack['identity']['ldap']['url']` - LDAP host URL (default: 'ldap://localhost')
* `openstack['identity']['ldap']['user']` - LDAP bind DN (default: 'dc=Manager,dc=example,dc=com')
* `openstack['identity']['ldap']['password']` - LDAP bind password (default: nil)
* `openstack['identity']['ldap']['use_tls']` - Use TLS for LDAP (default: false)
* `openstack['identity']['ldap']['tls_cacertfile']` - Path to CA cert file (default: nil)
* `openstack['identity']['ldap']['tls_cacertdir']` - Path to CA cert directory (default: nil)
* `openstack['identity']['ldap']['tls_req_cert']` - CA cert check ('demand', 'allow' or 'never', default: 'demand')
* `openstack['identity']['ldap']['use_pool']` - Enable LDAP connection pool
* `openstack['identity']['ldap']['pool_size']` - Connection pool size
* `openstack['identity']['ldap']['pool_retry_max']` - Maximum count of reconnect trials
* `openstack['identity']['ldap']['pool_retry_delay']` - Time span in seconds to wait between two reconnect trials (floating point value)
* `openstack['identity']['ldap']['pool_connection_timeout']` - Connector timeout in seconds. Value -1 indicates indefinite
* `openstack['identity']['ldap']['pool_connection_lifetime']` - Connection lifetime in seconds.(integer value)
* `openstack['identity']['ldap']['use_auth_pool']` - Enable LDAP connection pooling for end user authentication
* `openstack['identity']['ldap']['auth_pool_size']` - End user auth connection pool size. (integer value)
* `openstack['identity']['ldap']['auth_pool_connection_lifetime']` - End user auth connection lifetime in seconds. (integervalue)
Note that all attributes are in the `default['openstack']` "namespace"
* `openstack['identity']['misc_keystone']` - **Array of strings to be added to keystone.conf**
* `openstack['identity']['list_limit']` - Maximum number of entities that will be returned in a collection
* `openstack['identity']['assignment']['list_limit']` - Maximum number of entities that will be returned in a assignment collection
* `openstack['identity']['catalog']['list_limit']` - Maximum number of entities that will be returned in a catalog collection
* `openstack['identity']['identity']['list_limit']` - Maximum number of entities that will be returned in a identity collection
* `openstack['identity']['policy']['list_limit']` - Maximum number of entities that will be returned in a policy collection
* `openstack['identity']['pipeline']['public_api']` - Pipeline of identity public api
* `openstack['identity']['pipeline']['admin_api']` - Pipeline of identity admin api
* `openstack['identity']['pipeline']['api_v3']` - Pipeline of identity V3 api
* `openstack['identity']['ssl']['enabled']` - Enable HTTPS Keystone API endpoint. Default is false
* `openstack['identity']['ssl']['cert_required']` - When SSL is enabled this flag is used to require client certificate. Default is false.
* `openstack['identity']['ssl']['basedir']` - Path to Keystone SSL directory
* `openstack['identity']['ssl']['certfile']`- Cert file location
* `openstack['identity']['ssl']['keyfile']` - Key file location
* `openstack['identity']['ssl']['ca_certs']` - Path to CA certificate file
The usage of attributes to generate the keystone.conf is decribed in the
openstack-common cookbook.
Most `openstack['identity']['ldap']` attributes map directly to the corresponding config options in keystone.conf's `[ldap]` backend. They are primarily used when configuring `openstack['identity']['identity']['backend']` and/or `openstack["identity"]["assignment"]["backend"]` as `ldap` (both default to `sql`).
Recipes
=======
The `openstack['identity']['ldap']['use_tls']` option should not be used in conjunction with an `ldaps://` url. When the latter is used (and `openstack['identity']['ldap']['use_tls'] = false`), the certificate path and validation will instead be subject to the OS's LDAP config.
## openstack-identity::client
- Installs the packages require to use keystone client.
If `openstack['identity']['ldap']['tls_cacertfile']` is set, `openstack['identity']['ldap']['tls_cacertdir']` will be ignored. Set `openstack['identity']['ldap']['tls_cacertfile']` to `nil` if `openstack['identity']['ldap']['tls_cacertdir']` is desired.
Values of `openstack['identity']['ldap']['tls_req_cert']` correspond to the standard options permitted by the TLS_REQCERT TLS option (`never` performs no validation of certs, `allow` performs some basic name checks but no thorough CA validation, `demand` requires the certificate chain to be valid for the connection to succeed).
## openstack-identity::openrc
- Creates a fully usable openrc file to export the needed environment variables
to use the openstack client.
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
## openstack-identity::registration
- Registers the initial keystone endpoint as well as users, tenants and roles
needed for the initial configuration utilizing the LWRP provided inside of
this cookbook. The recipe is documented in detail with inline comments inside
the recipe.
* `openstack['endpoints']['identity-bind']['host']` - The IP address to bind the identity services to
* `openstack['endpoints']['identity-bind']['scheme']` - Unused
* `openstack['endpoints']['identity-bind']['port']` - Unused
* `openstack['endpoints']['identity-bind']['path']` - Unused
* `openstack['endpoints']['identity-bind']['bind_interface']` - The interface name to bind the identity services to
## openstack-identity::server-apache
- Installs and configures the OpenStack Identity Service running inside of an
apache webserver. The recipe is documented in detail with inline comments
inside the recipe.
If the value of the 'bind_interface' attribute is non-nil, then the identity service will be bound to the first IP address on that interface. If the value of the 'bind_interface' attribute is nil, then the identity service will be bound to the IP address specified in the host attribute.
Resources
=========
### SSL enabling
To enable SSL on Keystone, a key and certficate must be created and installed on server running Keystone. The location of these files can be provided with the node attributes described above. Also, note that `openstack['endpoints']['identity-bind']['scheme']`, from openstack common cookbook, must be set to 'https' in order to enable SSL.
## openstack_identity_register
### Token flushing
When managing tokens with an SQL backend the token database may grow unboundedly as new tokens are issued and expired
tokens are not disposed of. Expired tokens may need to be kept around in order to allow for auditability.
### Actions
It is up to deployers to define when their tokens can be safely deleted. Keystone provides a tool to purge expired tokens,
and the server recipe can create a cronjob to run that tool. By default the cronjob will be configured to run hourly.
- create_ec2_credentials:
- create_endpoint:
- create_role:
- create_service:
- create_tenant:
- create_user:
- grant_role:
The flush tokens cronjob configuration parameters are listed below:
### Attribute Parameters
* `openstack['identity']['token_flush_cron']['enabled']` - Boolean indicating whether the flush tokens cronjob is enabled. It is by default enabled if the token backend is 'sql'.
* `openstack['identity']['token_flush_cron']['log_file']` - The log file for the flush tokens tool.
* `openstack['identity']['token_flush_cron']['hour']` - The hour at which the flush tokens cronjob should run (values 0 - 23).
* `openstack['identity']['token_flush_cron']['minute']` - The minute at which the flush tokens cronjob should run (values 0 - 59).
* `openstack']['identity']['token_flush_cron']['day']` - The day of the month when the flush tokens cronjob should run (values 1 - 31).
* `openstack['identity']['token_flush_cron']['weekday']` = The day of the week at which the flush tokens cronjob should run (values 0 - 6, where Sunday is 0).
- auth_uri: The uri used to as authentication endpoint for requests
- bootstrap_token: The admin bootstrap_token used for authentication
- service_type: Type of service to create (e.g. 'identity' or 'volume')
- service_name: The name of the service to create (only for action
:create_service)
- service_description: The description for the service to create (only for
action :create_service)
- endpoint_region: The region to create the endpoint in (only for action
:create_endpoint) Defaults to <code>"RegionOne"</code>.
- endpoint_adminurl: The public url to register for the endpoint (only for
action :create_endpoint)
- endpoint_internalurl: The internal url to register for the endpoint (only for
action :create_endpoint)
- endpoint_publicurl: The public url to register for the endpoint (only for
action :create_endpoint)
- tenant_name: The name of the tenant to create or create the user in (only for
action :create_tenant and :create_user)
- tenant_description: The description of the tenant to create (only for action
:create_tenant)
- tenant_enabled: Enable or disable tenant to create (only for action
:create_tenant) Defaults to <code>true</code>.
- user_name: The name of the user to create (only for action :create_user)
- user_pass: The passwort of the user to create (only for action :create_user)
- user_enabled: Enable or disable user to create (only for action :create_user)
Defaults to <code>true</code>.
- role_name: The name of the role to create or grant to the user (only for
:create_role and :grant_role)
- admin_tenant_name: The name of the admin tenant (only for
:create_ec2_credentials)
- admin_user: The name of the admin user (only for :create_ec2_credentials)
- admin_pass: The password of the admin user (only for :create_ec2_credentials)
- identity_endpoint: The identity endpoint to use for user and ec2 creation. If
not specified, default endpoint will be used. (only for create_ec2_credentials
and create_user)
Testing
=====
### Examples
Please refer to the [TESTING.md](TESTING.md) for instructions for testing the cookbook.
```
# Create 'openstack' tenant
openstack_identity_register "Register 'openstack' Tenant" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
tenant_description "Default Tenant"
tenant_enabled "true" # Not required as this is the default
action :create_tenant
end
Berkshelf
=====
# Create 'admin' user
openstack_identity_register "Register 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
user_pass "secrete"
user_enabled "true" # Not required as this is the default
action :create_user
end
# Create 'admin' role
openstack_identity_register "Register 'admin' Role" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
role_name role_key
action :create_role
end
# Grant 'admin' role to 'admin' user in the 'openstack' tenant
openstack_identity_register "Grant 'admin' Role to 'admin' User" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
tenant_name "openstack"
user_name "admin"
role_name "admin"
action :grant_role
end
# Create 'identity' service
openstack_identity_register "Register Identity Service" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_name "keystone"
service_type "identity"
service_description "Keystone Identity Service"
action :create_service
end
# Create 'identity' endpoint
openstack_identity_register "Register Identity Endpoint" do
auth_host "192.168.1.10"
auth_port "35357"
auth_protocol "http"
api_ver "/v2.0"
auth_token "123456789876"
service_type "identity"
endpoint_region "RegionOne"
endpoint_adminurl "http://192.168.1.10:35357/v2.0"
endpoint_internalurl "http://192.168.1.10:5001/v2.0"
endpoint_publicurl "http://1.2.3.4:5001/v2.0"
action :create_endpoint
end
```
Berks will resolve version requirements and dependencies on first run and
store these in Berksfile.lock. If new cookbooks become available you can run
`berks update` to update the references in Berksfile.lock. Berksfile.lock will
be included in stable branches to provide a known good set of dependencies.
Berksfile.lock will not be included in development branches to encourage
development against the latest cookbooks.
License and Author
==================
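Review bot: the example block under the new `Resources` section is out of sync with the `Attribute Parameters` list it follows. The list documents `auth_uri` and `bootstrap_token` as the authentication parameters of `openstack_identity_register`, but every example still passes `auth_host`, `auth_port`, `auth_protocol`, `api_ver` and `auth_token`, none of which appear in that list; either rewrite the examples against the documented parameters or state in the list that the old ones are still accepted. In the same block `role_name role_key` references a `role_key` variable that is defined nowhere in the README, so the snippet cannot be pasted as-is; `role_name "admin"` is what the comment above it describes. Smaller fixes in the parameter list: `openstack']['identity']['token_flush_cron']['day']` has a stray quote before the first `]`, the `weekday` bullet uses `=` where every other bullet uses `-`, `endpoint_adminurl` is described as "The public url" (a copy of the `endpoint_publicurl` line; it should say admin url), `passwort` should be `password`, and the three `<code>...</code>` defaults should use backticks like the rest of the file. The fence that opens the example block has no language tag while the run_list fences above use ```json; tagging it ```ruby keeps rendering consistent.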
@@ -370,7 +217,7 @@ Author:: Sean Gallagher (<sean.gallagher@att.com>)
Author:: Ionut Artarisi (<iartarisi@suse.cz>)
Author:: Chen Zhiwei (zhiwchen@cn.ibm.com)
Author:: Eric Zhou (zyouzhou@cn.ibm.com)
Author:: Jan Klare (j.klare@x-ion.de)
Author:: Jan Klare (j.klare@cloudbau.de)
Copyright 2012, Rackspace US, Inc.
Copyright 2012-2013, Opscode, Inc.


@@ -18,43 +18,43 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['identity']['custom_template_banner'] = "
# This file autogenerated by Chef
# Do not edit, changes will be overwritten
"
default['openstack']['identity']['custom_template_banner'] =
'# This file autogenerated by Chef, changes will be overwritten'
# Set the endpoints for the identity service to allow all other cookbooks to
# access and use them
%w(public internal admin).each do |ep_type|
# openstack identity service endpoints (used by users and services)
%w(admin internal public).each do |ep_type|
# host for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
# scheme for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# path for openstack admin/internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v2.0'
end
# port for openstack public identity endpoint
default['openstack']['endpoints']['public']['identity']['port'] = 5000
# port for openstack internal identity endpoint
default['openstack']['endpoints']['internal']['identity']['port'] = 5000
# port for openstack admin identity endpoint
default['openstack']['endpoints']['admin']['identity']['port'] = 35357
# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['main']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['main']['identity']['port'] = 5000
# address for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['host'] = '127.0.0.1'
# port for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['port'] = 35357
# identity service catalog backend for service endpoints
default['openstack']['identity']['catalog']['backend'] = 'sql'
# identity service token backend for user and service tokens
default['openstack']['identity']['token']['backend'] = 'sql'
# Adding these as blank
# this needs to be here for the initial deep-merge to work
default['credentials']['EC2']['admin']['access'] = ''
default['credentials']['EC2']['admin']['secret'] = ''
default['openstack']['identity']['verbose'] = 'False'
default['openstack']['identity']['debug'] = 'False'
# Keystone service startup delay, in seconds
# identity service startup delay, in seconds
default['openstack']['identity']['start_delay'] = 10
# Specify a location to retrieve keystone-paste.ini from
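Review bot: `default['openstack']['identity']['verbose'] = 'False'` and `['debug'] = 'False'` are the only attributes in this hunk left without one of the new one-line comments, and they hold the string `'False'` rather than the boolean `false` used for the other flags in this file (`syslog['use']`, `ssl['enabled']`, `token_flush_cron['enabled']`); if the keystone.conf template needs the capitalised string, a comment saying so would stop the next reader from "fixing" it. The reorder of `%w(public internal admin)` to `%w(admin internal public)` has no effect and only adds diff noise. The endpoint defaults are `scheme = 'http'` on `127.0.0.1`, which is fine for a single-node default, but the new comment on `scheme` could say that it has to be switched to `https` together with the `ssl` attributes further down once the endpoint is anything other than local, since the README hunk in this commit already makes that requirement for enabling SSL.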
@@ -84,14 +84,19 @@ default['openstack']['identity']['pipeline']['admin_api'] = 'sizelimit url_norma
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['api_v3'] = 'sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3'
# region to be used for endpoint registration
default['openstack']['identity']['region'] = node['openstack']['region']
# Logging stuff
# enable or disable the usage of syslog
default['openstack']['identity']['syslog']['use'] = false
# syslog log facility to log to in case syslog is used
default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
# syslog config facility in case syslog is used
default['openstack']['identity']['syslog']['config_facility'] = 'local2'
# user to be created and used for identity service
default['openstack']['identity']['admin_user'] = 'admin'
# tenant to be created and used for identity service
default['openstack']['identity']['admin_tenant_name'] = 'admin'
default['openstack']['identity']['users'] = {
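Review bot: the `api_v3` pipeline context line keeps `admin_token_auth` in the default pipeline, which means the bootstrap admin token stays a valid credential for the v3 API after the registration recipe has created the real admin user; the comments being added here should at least state that this middleware exists for bootstrapping and that deployers can remove it from the pipeline attribute once the admin user and service users exist. Separately, the new comments for `admin_user` and `admin_tenant_name` read "user to be created and used for identity service", which sounds like the service account the daemon runs as; "admin user and tenant created by the registration recipe" says what they are.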
@@ -104,23 +109,25 @@ default['openstack']['identity']['users'] = {
}
}
# SSL Options
# Specify whether to enable SSL for Keystone API endpoint
# specify whether to enable SSL for Keystone API endpoint
default['openstack']['identity']['ssl']['enabled'] = false
# Specify server whether to enforce client certificate requirement
# specify server whether to enforce client certificate requirement
default['openstack']['identity']['ssl']['cert_required'] = false
# SSL certificate, keyfile and CA certficate file locations
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
# Path of the cert file for SSL.
# Protocol for SSL (Apache)
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
# Which ciphers to use with the SSL/TLS protocol (Apache)
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
default['openstack']['identity']['ssl']['ciphers'] = nil
# PKI signing. Corresponds to the [signing] section of keystone.conf
# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
# path of the cert file for SSL.
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
# path of the keyfile for SSL.
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
# path of the CA cert file for SSL.
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
# path of the CA cert files for SSL (Apache)
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
# Fernet keys. Note this section is only written if
# node['openstack']['auth']['strategy'] == 'fernet'
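Review bot: the cipher example in the comment above `ssl['ciphers']`, `'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'`, is missing the colon between `!PSK` and `!RC4`, so the `!RC4` exclusion is not a standalone rule and the string does not do what the comment implies; it should read `!PSK:!RC4`. The example also includes `MEDIUM`, which admits weaker suites than `HIGH` alone, so either point at a stricter list or say that leaving the attribute at `nil` defers to the apache2 cookbook's defaults. The `ssl['protocol']` default `'All -SSLv2 -SSLv3'` still permits TLSv1.0 and TLSv1.1; the comment should say so, because the attribute name invites reading it as "modern TLS only".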
@@ -132,57 +139,46 @@ default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
# http://docs.openstack.org/admin-guide-cloud/keystone_fernet_token_faq.html
default['openstack']['identity']['fernet']['keys'] = [0, 1]
# The authorization configuration options
# The external (REMOTE_USER) auth plugin module. (String value)
default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
# Default auth methods. (List value)
default['openstack']['identity']['auth']['methods'] = 'external, password, token, oauth1'
# Token flushing cronjob
default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log'
default['openstack']['identity']['token_flush_cron']['hour'] = '*'
default['openstack']['identity']['token_flush_cron']['minute'] = '0'
default['openstack']['identity']['token_flush_cron']['day'] = '*'
default['openstack']['identity']['token_flush_cron']['weekday'] = '*'
# enable or disable the usage of the token flushing cronjob
default['openstack']['identity']['token_flush_cron']['enabled'] = true
# log file location for token flushing cronjob
default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log'
# hour to run token flushing cronjob
default['openstack']['identity']['token_flush_cron']['hour'] = '*'
# minute to run token flushing cronjob
default['openstack']['identity']['token_flush_cron']['minute'] = '0'
# day to run token flushing cronjob
default['openstack']['identity']['token_flush_cron']['day'] = '*'
# weekday to run token flushing cronjob
default['openstack']['identity']['token_flush_cron']['weekday'] = '*'
# configuration directory for keystone domain specific options
default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains'
# PKI signing. Corresponds to the [signing] section of keystone.conf
# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki'
default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl'
# certfile used for keystone pki token signing
default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem"
# keyfile used for keystone pki token signing
default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem"
# certificate authority used for keystone pki token signing
default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem"
# Misc option support
# Allow additional strings to be added to keystone.conf
# For example: ['# Comment', 'key=value']
default['openstack']['identity']['misc_keystone'] = []
# SSL Options
# Specify whether to enable SSL for Keystone API endpoint
default['openstack']['identity']['ssl']['enabled'] = false
# Specify server whether to enforce client certificate requirement
default['openstack']['identity']['ssl']['cert_required'] = false
# SSL certificate, keyfile and CA certficate file locations
default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
# Path of the cert file for SSL.
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
# Path of the keyfile for SSL.
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
# Path of the CA cert file for SSL.
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
# Path of the CA cert files for SSL (Apache)
default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
# Protocol for SSL (Apache)
default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
# Which ciphers to use with the SSL/TLS protocol (Apache)
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
default['openstack']['identity']['ssl']['ciphers'] = nil
# keystone service user name
default['openstack']['identity']['user'] = 'keystone'
# keystone service user group
default['openstack']['identity']['group'] = 'keystone'
# platform defaults
case platform_family
when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
default['openstack']['identity']['user'] = 'keystone'
default['openstack']['identity']['group'] = 'keystone'
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python-memcached'],
'keystone_packages' => ['openstack-keystone'],
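Review bot: the example cipher list in the `ssl.ciphers` comment is missing a separator between `!PSK` and `!RC4` (`...!PSK!RC4:!RC4-MD5...`), so as written it is not a well-formed OpenSSL cipher string and the intent to exclude RC4 is not expressed correctly; it should read `...:!PSK:!RC4:!RC4-MD5:!RC4-SHA`. Since that example is the only guidance a user gets for overriding the `nil` default, it is worth getting right. Smaller comment fixes in the same hunk: the `token_flush_cron` comment should say the job is only installed when the token backend is `sql` (the server recipe gates it on that); the `[signing]` block should carry the same deprecation note that the `_pki_tokens` recipe now has, since those options are only written for the `pki` strategy; `certficate` should be `certificate`; and `Specify server whether to enforce client certificate requirement` reads better as `Specify whether the server requires a client certificate`.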
@@ -193,8 +189,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
'package_options' => ''
}
when 'debian'
default['openstack']['identity']['user'] = 'keystone'
default['openstack']['identity']['group'] = 'keystone'
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python-memcache'],
'keystone_packages' => ['keystone'],
@@ -206,13 +201,18 @@ when 'debian'
}
end
# Array of bare options for openrc (e.g. 'option=value')
# array of bare options for openrc (e.g. 'option=value')
default['openstack']['misc_openrc'] = nil
# openrc location and owner
# openrc path
default['openstack']['openrc']['path'] = '/root'
default['openstack']['openrc']['file'] = 'openrc'
default['openstack']['openrc']['user'] = 'root'
default['openstack']['openrc']['group'] = 'root'
default['openstack']['openrc']['file_mode'] = '0600'
# openrc path mode
default['openstack']['openrc']['path_mode'] = '0700'
# openrc file name
default['openstack']['openrc']['file'] = 'openrc'
# openrc file mode
default['openstack']['openrc']['file_mode'] = '0600'
# openrc file owner
default['openstack']['openrc']['user'] = 'root'
# openrc file group
default['openstack']['openrc']['group'] = 'root'
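Review bot: `default['openstack']['misc_openrc'] = nil` while the comment promises an array of bare options, and `misc_keystone` in the same file defaults to `[]`. Defaulting to `[]` here too matches the documented type and saves a nil check in the template. The new `path_mode` (0700) and `file_mode` (0600) defaults are the right choice for a file that holds admin credentials; the comments could say that is the reason, so nobody loosens them to make the file readable for a shared account.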


@@ -1,29 +1,35 @@
# options to add to the keystone.conf as secrets (will not be saved in node
# attribute)
default['openstack']['identity']['conf_secrets'] = {}
default['openstack']['identity']['conf'].tap do |conf|
# [DEFAULT]
if node['openstack']['identity']['syslog']['use']
# [DEFAULT] option in keystone.conf to read additional logging.conf
conf['DEFAULT']['log_config_append'] = '/etc/openstack/logging.conf'
else
# [DEFAULT] option in keystone.conf to set keystone log dir
conf['DEFAULT']['log_dir'] = '/var/log/keystone'
end
if node['openstack']['identity']['notification_driver'] == 'messaging'
# [DEFAULT] option in keystone.conf to define mq notification topics
conf['DEFAULT']['notification_topics'] = 'notifications'
end
conf['DEFAULT']['rpc_backend'] = node['openstack']['mq']['service_type']
# [assignment]
# [assignment] option in keystone.conf to set driver
conf['assignment']['driver'] = 'keystone.assignment.backends.sql.Assignment'
# [auth]
# [auth] option in keystone.conf to set auth plugins
conf['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
# [auth] option in keystone.conf to set auth methods
conf['auth']['methods'] = 'external, password, token, oauth1'
# [catalog]
# [catalog] option in keystone.conf to set catalog driver
conf['catalog']['driver'] = 'keystone.catalog.backends.sql.Catalog'
# [identity]
# [identity] option in keystone.conf to enable domain_specific drivers
conf['identity']['domain_specific_drivers_enabled'] = false
# [policy]
# [policy] option in keystone.conf to set policy backend driver
conf['policy']['driver'] = 'keystone.policy.backends.sql.Policy'
end
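Review bot: the `conf_secrets` comment says these options "will not be saved in node attribute", but they are node attributes (the recipes assign them through `node.default['openstack']['identity']['conf_secrets']`); what is meant is that they are excluded when the node object is saved to the Chef server. Say that, otherwise readers will assume the hash lives somewhere other than the node and look for it in the wrong place. Also, `[auth] methods` lists `external` first while `[auth] external` is set to the `DefaultDomain` plugin; a one-line comment on what `external` means here (trusting `REMOTE_USER` from Apache) would make the security implication visible next to the setting.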


@@ -6,11 +6,6 @@ description 'The OpenStack Identity service Keystone.'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '13.0.0'
recipe 'openstack-identity::client', 'Install packages required for keystone client'
recipe 'openstack-identity::server-apache', 'Installs and Configures Keystone Service under Apache'
recipe 'openstack-identity::registration', 'Adds user, tenant, role and endpoint records to Keystone'
recipe 'openstack-identity::openrc', 'Creates openrc file'
%w(ubuntu redhat centos).each do |os|
supports os
end


@@ -19,12 +19,12 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut
include ::Openstack
# creates the defined service as new service for keystone
action :create_service do
new_resource.updated_by_last_action(false)
if node['openstack']['identity']['catalog']['backend'] == 'templated'
@@ -57,6 +57,7 @@ action :create_service do
end
end
# registers all endpoints for the defined service in keystone
action :create_endpoint do
new_resource.updated_by_last_action(false)
if node['openstack']['identity']['catalog']['backend'] == 'templated'
@@ -93,6 +94,7 @@ action :create_endpoint do
end
end
# creates the defined tenant in keystone
action :create_tenant do
begin
new_resource.updated_by_last_action(false)
@@ -114,6 +116,7 @@ action :create_tenant do
end
end
# creates the defined role in keystone
action :create_role do
begin
new_resource.updated_by_last_action(false)
@@ -133,6 +136,7 @@ action :create_role do
end
end
# creates the defined user in keystone
action :create_user do
begin
new_resource.updated_by_last_action(false)
@@ -172,6 +176,7 @@ action :create_user do
end
end
# grants the defined role to a given user in a given tenant
action :grant_role do
begin
new_resource.updated_by_last_action(false)
@@ -198,6 +203,7 @@ action :grant_role do
end
end
# creates ec2_credentials for a given user in a given tenant
action :create_ec2_credentials do
begin
new_resource.updated_by_last_action(false)


@@ -14,7 +14,11 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This recipe is automatically included in openstack-identiy::service-apache
# when node['openstack']['auth']['strategy'] is set to 'fernet'. It will add the
# needed configuration options to the keystone.conf and create the needed fernet
# tokens from predefined secrets (e.g. encrypted data bags or vaults).
class ::Chef::Recipe
include ::Openstack
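Review bot: two naming problems in the new header comment: the including recipe is `openstack-identity::server-apache` (typo `identiy`, and it is `server-apache`, not `service-apache`, per metadata.rb), and what is created in `key_repository` are fernet keys, not fernet tokens; tokens are what keystone issues using those keys. Since the comment already says the keys come from "predefined secrets (e.g. encrypted data bags or vaults)", add that anyone holding those keys can mint valid tokens, which is the reason they must never be set as plain node attributes.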
@@ -24,7 +28,8 @@ node.default['openstack']['identity']['conf']['fernet_tokens']['key_repository']
'/etc/keystone/fernet-tokens'
node.default['openstack']['identity']['conf']['token']['provider'] = 'fernet'
key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
key_repository =
node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
directory key_repository do
owner node['openstack']['identity']['user']


@@ -14,7 +14,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This recipe is automatically included in openstack-identiy::service-apache
# when node['openstack']['auth']['strategy'] is set to 'pki'. It will either
# create the needed pki secrets or load them as remote files. The usage of
# keystone pki tokens is deprecated in favor of fernet tokens and this recipe
# might be removed in future releases when the support for pki is removed from
# keystone.
certfile_url = node['openstack']['identity']['signing']['certfile_url']
keyfile_url = node['openstack']['identity']['signing']['keyfile_url']
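Review bot: same typos as in `_fernet_tokens`: `openstack-identiy` and `service-apache` should be `openstack-identity::server-apache`. "Load them as remote files" undersells what `keyfile_url` does: it fetches the private signing key over the network, so the comment should state that the URL must be a trusted, authenticated source for that key. The deprecation note is good; pointing at `_fernet_tokens` as the replacement would round it off.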


@@ -16,7 +16,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This recipe installs the packages require to use keystone client.
class ::Chef::Recipe
include ::Openstack
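Review bot: grammar: "installs the packages require to use keystone client" should be "installs the packages required to use the keystone client".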


@@ -16,9 +16,10 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Chef
# This recipe create a fully usable openrc file to export the needed environment
# variables to use the openstack client.
class ::Chef::Recipe
include ::Openstack
end
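Review bot: "This recipe create" should be "This recipe creates". Since the generated openrc exports admin credentials, the header is the right place to say that its owner and mode are taken from the `openstack.openrc` attributes (`file_mode` 0600 and `path_mode` 0700 by default) rather than leaving readers to discover that in attributes/default.rb.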


@@ -17,26 +17,31 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This recipe registers the initial keystone endpoint as well as users, tenants
# and roles needed for the initial configuration utilizing the LWRP provided
# inside of this cookbook. The recipe is documented in detail with inline
# comments inside the recipe.
require 'uri'
class ::Chef::Recipe
include ::Openstack
end
# define the endpoints to register for the keystone identity service
identity_admin_endpoint = admin_endpoint 'identity'
identity_internal_endpoint = internal_endpoint 'identity'
identity_public_endpoint = public_endpoint 'identity'
auth_uri = ::URI.decode identity_admin_endpoint.to_s
# define the credentials to use for the initial admin user
admin_tenant_name = node['openstack']['identity']['admin_tenant_name']
admin_user = node['openstack']['identity']['admin_user']
admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
# Register all the tenants specified in the users hash
# register all the tenants specified in the users hash
identity_tenants = node['openstack']['identity']['users'].values.map do |user_info|
user_info['roles'].values.push(user_info['default_tenant'])
end
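Review bot: the last sentence of the new header ("The recipe is documented in detail with inline comments inside the recipe") is self-referential and adds nothing; drop it. More useful would be a line noting that every `openstack_identity_register` call here authenticates with `bootstrap_token`, i.e. the `admin_token` the server recipe writes into keystone.conf, so this recipe only works while that token is still configured.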
@@ -52,7 +57,7 @@ identity_tenants.flatten.uniq.each do |tenant_name|
end
end
# Register all the roles from the users hash
# register all the roles and users from the users hash
identity_roles = node['openstack']['identity']['users'].values.map do |user_info|
user_info['roles'].keys
end
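Review bot: the comment now reads "register all the roles and users from the users hash", but the block under it only collects role names (`user_info['roles'].keys`); the users themselves are created in a later block. Keep the comment scoped to the code it sits above.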
@@ -95,6 +100,7 @@ node['openstack']['identity']['users'].each do |username, user_info|
end
end
# register the identity service itself
openstack_identity_register 'Register Identity Service' do
auth_uri auth_uri
bootstrap_token bootstrap_token
@@ -114,6 +120,7 @@ Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}"
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}"
# register the identity service endpoints
openstack_identity_register 'Register Identity Endpoint' do
auth_uri auth_uri
bootstrap_token bootstrap_token
@@ -127,6 +134,7 @@ openstack_identity_register 'Register Identity Endpoint' do
not_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
end
# create ec2 creadentials for the users from the users hash
node['openstack']['identity']['users'].each do |username, user_info|
openstack_identity_register "Create EC2 credentials for '#{username}' user" do
auth_uri auth_uri
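Review bot: typo: "creadentials" should be "credentials".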


@@ -16,20 +16,27 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This recipe installs and configures the OpenStack Identity Service running
# inside of an apache webserver. The recipe is documented in detail with inline
# comments inside the recipe.
require 'uri'
# load the methods defined in cookbook-openstack-common libraries
class ::Chef::Recipe
include ::Openstack
end
# include the logging recipe from openstack-common if syslog usage is enbaled
if node['openstack']['identity']['syslog']['use']
include_recipe 'openstack-common::logging'
end
platform_options = node['openstack']['identity']['platform']
# install the database python adapter packages for the selected database
# service_type
db_type = node['openstack']['db']['identity']['service_type']
unless db_type == 'sqlite'
node['openstack']['db']['python_packages'][db_type].each do |pkg|
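Review bot: "enbaled" should be "enabled", and the self-referential sentence "The recipe is documented in detail with inline comments inside the recipe" can go. Nit: "load the methods defined in cookbook-openstack-common libraries" reads better as "include the helper methods from the openstack-common cookbook".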
@@ -41,6 +48,7 @@ unless db_type == 'sqlite'
end
end
# install the python memcache adapter packages
platform_options['memcache_python_packages'].each do |pkg|
package "identity cookbook package #{pkg}" do
package_name pkg
@@ -49,6 +57,7 @@ platform_options['memcache_python_packages'].each do |pkg|
end
end
# install the keystone packages
platform_options['keystone_packages'].each do |pkg|
package "identity cookbook package #{pkg}" do
package_name pkg
@@ -57,17 +66,21 @@ platform_options['keystone_packages'].each do |pkg|
end
end
# stop and disable the service keystone itself, since it should be run inside
# of apache
service 'keystone' do
service_name platform_options['keystone_service']
action [:stop, :disable]
end
# create the keystone config directory and set correct permissions
directory '/etc/keystone' do
owner node['openstack']['identity']['user']
group node['openstack']['identity']['group']
mode 00700
end
# create keystone domain config dir if needed
directory node['openstack']['identity']['identity']['domain_config_dir'] do
owner node['openstack']['identity']['user']
group node['openstack']['identity']['group']
@@ -75,11 +88,14 @@ directory node['openstack']['identity']['identity']['domain_config_dir'] do
only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] }
end
# delete the keystone.db sqlite file if another db backend is used
file '/var/lib/keystone/keystone.db' do
action :delete
not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
end
# include the recipe to setup the selected keystone auth strategy (pki or
# fernet)
case node['openstack']['auth']['strategy']
when 'pki'
include_recipe 'openstack-identity::_pki_tokens'
@@ -87,33 +103,36 @@ when 'fernet'
include_recipe 'openstack-identity::_fernet_tokens'
end
# define the address to bind the keystone apache main service to
main_bind_service = node['openstack']['bind_service']['main']['identity']
main_bind_address = bind_address main_bind_service
# define the address to bind the keystone apache admin service to
admin_bind_service = node['openstack']['bind_service']['admin']['identity']
admin_bind_address = bind_address admin_bind_service
# define the address where the keystone admin endpoint will be reachable
identity_admin_endpoint = admin_endpoint 'identity'
# set the keystone database credentials
db_user = node['openstack']['db']['identity']['username']
db_pass = get_password 'db', 'keystone'
node.default['openstack']['identity']['conf_secrets']
.[]('database')['connection'] =
db_uri('identity', db_user, db_pass)
# define the admin keystone bootstrap token
bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
# If the search role is set, we search for memcache
# servers via a Chef search. If not, we look at the
# memcache.servers attribute.
memcache_servers = memcached_servers.join ',' # from openstack-common lib
# search for memcache servers using the method from cookbook-openstack-common
memcache_servers = memcached_servers.join ','
# These configuration endpoints must not have the path (v2.0, etc)
# added to them, as these values are used in returning the version
# listing information from the root / endpoint.
# define the address where the keystone public endpoint will be reachable
identity_public_endpoint = public_endpoint 'identity'
ie = identity_public_endpoint
# define the keystone public endpoint full path
public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
ae = identity_admin_endpoint
# define the keystone admin endpoint full path
admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
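Review bot: if the comment "These configuration endpoints must not have the path (v2.0, etc) added to them, as these values are used in returning the version listing information from the root / endpoint" is being dropped in favour of "define the keystone public endpoint full path", keep the old one: it states the one non-obvious constraint in this block, and "full path" is misleading because the URLs are deliberately built from scheme, host and port only. The `bootstrap_token` comment could also say that this is the shared secret which becomes `admin_token` in keystone.conf.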
# If a keystone-paste.ini is specified use it.
@@ -137,6 +156,7 @@ else
end
end
# set keystone config parameter for rabbitmq if rabbit is the rpc_backend
if node['openstack']['identity']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
user = node['openstack']['mq']['identity']['rabbit']['userid']
node.default['openstack']['identity']['conf_secrets']
@@ -146,18 +166,18 @@ if node['openstack']['identity']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
get_password 'user', user
end
# set keystone config parameters for admin_token, endpoints and memcache
node.default['openstack']['identity']['conf'].tap do |conf|
# [DEFAULT] section
conf['DEFAULT']['admin_token'] = bootstrap_token
conf['DEFAULT']['public_endpoint'] = public_endpoint
conf['DEFAULT']['admin_endpoint'] = admin_endpoint
# [memcache] section
conf['memcache']['servers'] = memcache_servers if memcache_servers
end
# merge all config options and secrets to be used in the nova.conf.erb
keystone_conf_options = merge_config_options 'identity'
# create the keystone.conf from attributes
template '/etc/keystone/keystone.conf' do
source 'openstack-service.conf.erb'
cookbook 'openstack-common'
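Review bot: `conf['DEFAULT']['admin_token'] = bootstrap_token` writes the bootstrap token into the regular `conf` attribute hash, while the database connection string and the rabbit password in this same recipe go into `conf_secrets`, which the attributes file describes as the place for values that must not be saved with the node. The admin token is at least as sensitive (it is the all-powerful bootstrap credential), so it should be assigned through `node.default['openstack']['identity']['conf_secrets']['DEFAULT']['admin_token']`, and the comment "set keystone config parameters for admin_token, endpoints and memcache" should reflect that split. Separately, "merge all config options and secrets to be used in the nova.conf.erb" is a copy-paste slip: this is keystone.conf, rendered from `openstack-service.conf.erb`.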
@@ -179,6 +199,9 @@ end
# TODO: (jklare) needs to be refactored and filled by the service cookbooks, to
# avoid dependencies on unused cookbooks
# configure the endpoints in keystone_catalog.templates if the catalog backend
# is templated
if node['openstack']['identity']['catalog']['backend'] == 'templated'
# These values are going into the templated catalog and
# since they're the endpoints being used by the clients,
@@ -189,7 +212,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
network_public_endpoint = public_endpoint 'network'
volume_public_endpoint = public_endpoint 'block-storage'
# populate the templated catlog, if you're using the templated catalog backend
# populate the templated catlog
# TODO: (jklare) this should be done in a helper method
uris = {
'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
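Review bot: "catlog" should be "catalog" (the typo survives in the new line as well). Shortening the comment is fine since the `if` two lines above already carries the "if you're using the templated catalog backend" condition.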
@@ -220,7 +243,7 @@ execute 'keystone-manage db_sync' do
only_if { node['openstack']['db']['identity']['migrate'] }
end
# Configure the flush tokens cronjob
# configure the flush tokens cronjob
should_run_cron = node['openstack']['identity']['token_flush_cron']['enabled'] && node['openstack']['identity']['token']['backend'] == 'sql'
log_file = node['openstack']['identity']['token_flush_cron']['log_file']
@@ -237,20 +260,22 @@ end
#### Start of Apache specific work
# configure attributes for apache2 cookbook to align with openstack settings
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
# a different address syntax. *:80 vs 0.0.0.0:80
apache_listen -= ['*:80']
apache_listen += ["#{main_bind_address}:#{main_bind_service.port}"]
apache_listen += ["#{admin_bind_address}:#{admin_bind_service.port}"]
node.normal['apache']['listen'] = apache_listen.uniq
# include the apache2 default recipe and the recipes for mod_wsgi
include_recipe 'apache2'
include_recipe 'apache2::mod_wsgi'
# include the apache2 mod_ssl recipe if ssl is enabled for identity
include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']
# create the keystone apache directory
keystone_apache_dir = "#{node['apache']['docroot_dir']}/keystone"
directory keystone_apache_dir do
owner 'root'
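Review bot: the retained comment "as that is also the default for horizon" looks copied from the dashboard cookbook; in this recipe the ports being added are the keystone main and admin bind ports, so say that. It would also help to note that `node.normal['apache']['listen']` persists across runs, which is why the list is re-read with `Array(node['apache']['listen'])` and passed through `uniq`, otherwise the same entries would accumulate.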
@@ -285,6 +310,8 @@ wsgi_apps = {
}
}
# create the keystone apache config using the web_app resource from the apache2
# cookbook
wsgi_apps.each do |app, opt|
web_app "keystone-#{app}" do
template 'wsgi-keystone.conf.erb'
@@ -306,12 +333,15 @@ wsgi_apps.each do |app, opt|
end
end
# wait for apache2 to be fully reloaded and the keystone endpoint to become
# available
execute 'Keystone: sleep' do
command "sleep #{node['openstack']['identity']['start_delay']}"
action :nothing
end
# Hack until Apache cookbook has lwrp's for proper use of notify
# restart apache2 after keystone if completely configured
execute 'Keystone apache restart' do
command 'uname'
notifies :restart, 'service[apache2]', :immediately
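Review bot: "restart apache2 after keystone if completely configured" should be "once keystone is completely configured". The retained "Hack until Apache cookbook has lwrp's" line already explains why the `execute 'uname'` exists; fold the two into one sentence rather than keeping both.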


@@ -16,7 +16,10 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# These resources provide an abstraction layer for interacting with the keystone
# server's API, allowin for other nodes to register any required users, tenants,
# roles, services, or endpoints.
actions :create_service, :create_endpoint, :create_tenant, :create_user, :create_role, :grant_role, :create_ec2_credentials
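Review bot: "allowin" should be "allowing". Since `bootstrap_token`, `user_pass` and `admin_pass` are passed as plain resource attributes, the header is a good place to say they are credentials and should be obtained via `get_password` (as the registration recipe does) rather than placed in plain node attributes.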
@@ -29,43 +32,48 @@ end
BOOLEAN = [TrueClass, FalseClass]
# The uri used to as authentication endpoint for requests
attribute :auth_uri, kind_of: String
# The admin bootstrap_token used for authentication
attribute :bootstrap_token, kind_of: String
# Used by both :create_service and :create_endpoint
# The type of service to create (e.g. 'identity' or 'volume')
attribute :service_type, kind_of: String
# :create_service specific attributes
# The name of the service to create (only for action :create_service)
attribute :service_name, kind_of: String
# The description for the service to create (only for action :create_service)
attribute :service_description, kind_of: String
# :create_endpoint specific attributes
# The region to create the endpoint in (only for action :create_endpoint)
attribute :endpoint_region, kind_of: String, default: 'RegionOne'
# The admin url to register for the endpoint (only for action :create_endpoint)
attribute :endpoint_adminurl, kind_of: String
# The internal url to register for the endpoint (only for action
# :create_endpoint)
attribute :endpoint_internalurl, kind_of: String
# The public url to register for the endpoint (only for action :create_endpoint)
attribute :endpoint_publicurl, kind_of: String
# Used by both :create_tenant and :create_user
# The name of the tenant to create or create the user in (only for action
# :create_tenant and :create_user)
attribute :tenant_name, kind_of: String
# :create_tenant specific attributes
# The description of the tenant to create (only for action :create_tenant)
attribute :tenant_description, kind_of: String
# Enable or disable tenant to create (only for action :create_tenant)
attribute :tenant_enabled, kind_of: BOOLEAN, default: true
# :create_user specific attributes
# The name of the user to create (only for action :create_user)
attribute :user_name, kind_of: String
# The passwort of the user to create (only for action :create_user)
attribute :user_pass, kind_of: String
# attribute :user_email, kind_of: String
# Enable or disable user to create (only for action :create_user)
attribute :user_enabled, kind_of: BOOLEAN, default: true
# Used by :create_role and :grant_role specific attributes
# The name of the role to create or grant to the user (only for :create_role and
# :grant_role)
attribute :role_name, kind_of: String
# Used by create_ec2_credentials
# The name of the admin tenant (only for :create_ec2_credentials)
attribute :admin_tenant_name, kind_of: String
# The name of the admin user (only for :create_ec2_credentials)
attribute :admin_user, kind_of: String
# The password of the admin user (only for :create_ec2_credentials)
attribute :admin_pass, kind_of: String
# Used by create_ec2_credentials and create_user
# If not specified, default endpoint will be used.
# The identity endpoint to use for user and ec2 creation. If not specified,
# default endpoint will be used. (only for create_ec2_credentials and
# create_user)
attribute :identity_endpoint, kind_of: String
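Review bot: "passwort" should be "password". The commented-out `# attribute :user_email, kind_of: String` is now the only undocumented line in the block; either delete it or add a comment saying why it is disabled. "Used by :create_role and :grant_role specific attributes" is a leftover of the old grouping header and reads oddly next to the new per-attribute comment; drop it, and likewise any other "specific attributes" headers if they are being kept alongside the new comments.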