2012-08-31 18:04:55 -05:00
# lib/keystone
# Functions to control the configuration and operation of **Keystone**
# Dependencies:
2013-10-24 11:27:02 +01:00
#
# - ``functions`` file
2013-09-20 16:26:42 +10:00
# - ``tls`` file
2013-10-24 11:27:02 +01:00
# - ``DEST``, ``STACK_USER``
# - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``SERVICE_TOKEN``
# - ``S3_SERVICE_PORT`` (template backend only)
2012-08-31 18:04:55 -05:00
# ``stack.sh`` calls the entry points in this order:
#
2013-10-24 11:27:02 +01:00
# - install_keystone
# - configure_keystone
# - _config_keystone_apache_wsgi
# - init_keystone
# - start_keystone
# - create_keystone_accounts
# - stop_keystone
# - cleanup_keystone
# - _cleanup_keystone_apache_wsgi
2012-08-31 18:04:55 -05:00
2012-09-13 17:16:12 -05:00
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set +o xtrace
2012-08-31 18:04:55 -05:00
# Defaults
# --------
# Set up default directories
KEYSTONE_DIR=$DEST/keystone
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
2013-03-12 11:10:52 +01:00
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
2012-10-01 14:06:44 -05:00
KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone}
2013-09-17 12:47:03 +10:00
KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/var/www/keystone}
2012-08-31 18:04:55 -05:00
KEYSTONECLIENT_DIR=$DEST/python-keystoneclient
2014-05-27 15:51:49 +02:00
# Set up additional extensions, such as oauth1, federation
# Example of KEYSTONE_EXTENSIONS=oauth1,federation
KEYSTONE_EXTENSIONS=${KEYSTONE_EXTENSIONS:-}
2012-10-01 14:06:44 -05:00
# Select the backend for Keystone's service catalog
2012-09-10 18:30:37 -05:00
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
2012-08-31 18:04:55 -05:00
KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
2013-01-29 15:12:20 -05:00
# Select the backend for Tokens
KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql}
2013-09-01 16:26:03 +02:00
# Select the backend for Identity
KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql}
# Select the backend for Assignment
KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
2012-10-01 14:06:44 -05:00
# Select Keystone's token format
2014-06-04 09:06:01 -05:00
# Choose from 'UUID', 'PKI', or 'PKIZ'
2014-06-19 16:55:45 -05:00
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
2012-10-01 14:06:44 -05:00
2012-08-31 18:04:55 -05:00
# Set Keystone interface configuration
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
2012-11-29 11:47:58 -06:00
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
# Public facing bits
2012-08-31 18:04:55 -05:00
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
2012-11-29 11:47:58 -06:00
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
2012-08-31 18:04:55 -05:00
2014-02-24 13:30:59 -05:00
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
2013-03-18 16:07:56 -05:00
# Set the tenant for service accounts in Keystone
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
2013-09-01 16:26:03 +02:00
# valid identity backends as per dir keystone/identity/backends
KEYSTONE_VALID_IDENTITY_BACKENDS=kvs,ldap,pam,sql
# valid assignment backends as per dir keystone/identity/backends
KEYSTONE_VALID_ASSIGNMENT_BACKENDS=kvs,ldap,sql
2012-08-31 18:04:55 -05:00
2013-09-20 16:26:42 +10:00
# if we are running with SSL use https protocols
if is_ssl_enabled_service "key"; then
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
2014-05-21 17:18:43 +10:00
# complete URIs
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
2013-04-08 15:38:03 -05:00
# Functions
# ---------
2012-08-31 18:04:55 -05:00
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
2014-02-21 15:35:08 +11:00
function cleanup_keystone {
2012-08-31 18:04:55 -05:00
# kill instances (nova)
# delete image files (glance)
# This function intentionally left blank
:
}
2013-09-17 12:47:03 +10:00
# _cleanup_keystone_apache_wsgi() - Remove wsgi files, disable and remove apache vhost file
2014-02-21 15:35:08 +11:00
function _cleanup_keystone_apache_wsgi {
2013-09-17 12:47:03 +10:00
sudo rm -f $KEYSTONE_WSGI_DIR/*.wsgi
disable_apache_site keystone
2014-06-09 12:07:29 -07:00
sudo rm -f $(apache_site_config_for keystone)
2013-09-17 12:47:03 +10:00
}
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
2014-02-21 15:35:08 +11:00
function _config_keystone_apache_wsgi {
2013-09-17 12:47:03 +10:00
sudo mkdir -p $KEYSTONE_WSGI_DIR
2014-06-09 12:07:29 -07:00
local keystone_apache_conf=$(apache_site_config_for keystone)
2013-09-17 12:47:03 +10:00
# copy proxy vhost and wsgi file
sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/main
sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/admin
2014-06-09 12:07:29 -07:00
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
2013-09-17 12:47:03 +10:00
sudo sed -e "
s|%PUBLICPORT%|$KEYSTONE_SERVICE_PORT|g;
s|%ADMINPORT%|$KEYSTONE_AUTH_PORT|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%PUBLICWSGI%|$KEYSTONE_WSGI_DIR/main|g;
s|%ADMINWSGI%|$KEYSTONE_WSGI_DIR/admin|g;
s|%USER%|$STACK_USER|g
2014-06-09 12:07:29 -07:00
" -i $keystone_apache_conf
2013-09-17 12:47:03 +10:00
enable_apache_site keystone
}
2012-08-31 18:04:55 -05:00
# configure_keystone() - Set config files, create data dirs, etc
2014-02-21 15:35:08 +11:00
function configure_keystone {
2012-08-31 18:04:55 -05:00
if [[ ! -d $KEYSTONE_CONF_DIR ]]; then
sudo mkdir -p $KEYSTONE_CONF_DIR
fi
2013-01-06 22:40:09 +01:00
sudo chown $STACK_USER $KEYSTONE_CONF_DIR
2012-08-31 18:04:55 -05:00
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
cp -p $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF
2013-10-22 17:46:00 -05:00
chmod 600 $KEYSTONE_CONF
2012-08-31 18:04:55 -05:00
cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR
2013-03-12 11:10:52 +01:00
if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then
cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI"
fi
fi
if [[ -f "$KEYSTONE_PASTE_INI" ]]; then
iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI"
else
# compatibility with mixed cfg and paste.deploy configuration
KEYSTONE_PASTE_INI="$KEYSTONE_CONF"
2012-08-31 18:04:55 -05:00
fi
2014-05-27 15:51:49 +02:00
configure_keystone_extensions
2012-08-31 18:04:55 -05:00
# Rewrite stock ``keystone.conf``
2012-11-29 11:47:58 -06:00
2013-01-22 10:17:50 -06:00
if is_service_enabled ldap; then
#Set all needed ldap values
2013-10-01 14:45:04 -05:00
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
2013-02-19 15:36:41 -06:00
iniset $KEYSTONE_CONF ldap use_dumb_member "True"
2013-09-24 23:43:08 -07:00
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
2013-02-19 15:36:41 -06:00
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
2013-10-01 14:45:04 -05:00
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"
2013-02-19 15:36:41 -06:00
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
2013-10-01 14:45:04 -05:00
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
2013-02-19 15:36:41 -06:00
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
2013-01-22 10:17:50 -06:00
fi
2013-09-01 16:26:03 +02:00
# check if identity backend is valid
if [[ "$KEYSTONE_VALID_IDENTITY_BACKENDS" =~ "$KEYSTONE_IDENTITY_BACKEND" ]]; then
iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.$KEYSTONE_IDENTITY_BACKEND.Identity"
fi
# check if assignment backend is valid
if [[ "$KEYSTONE_VALID_ASSIGNMENT_BACKENDS" =~ "$KEYSTONE_ASSIGNMENT_BACKEND" ]]; then
iniset $KEYSTONE_CONF assignment driver "keystone.assignment.backends.$KEYSTONE_ASSIGNMENT_BACKEND.Assignment"
2013-01-22 10:17:50 -06:00
fi
2013-06-28 09:16:08 -05:00
# Set the URL advertised in the ``versions`` structure returned by the '/' route
iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/"
iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/"
2014-02-24 13:30:59 -05:00
iniset $KEYSTONE_CONF DEFAULT admin_bind_host "$KEYSTONE_ADMIN_BIND_HOST"
2013-06-28 09:16:08 -05:00
2013-09-20 16:26:42 +10:00
# Register SSL certificates if provided
if is_ssl_enabled_service key; then
ensure_certificates KEYSTONE
iniset $KEYSTONE_CONF ssl enable True
iniset $KEYSTONE_CONF ssl certfile $KEYSTONE_SSL_CERT
iniset $KEYSTONE_CONF ssl keyfile $KEYSTONE_SSL_KEY
fi
2012-11-29 11:47:58 -06:00
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT
fi
2012-08-31 18:04:55 -05:00
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
2013-07-16 00:47:54 +00:00
2014-06-19 16:55:45 -05:00
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider keystone.token.providers.$KEYSTONE_TOKEN_FORMAT.Provider
2013-07-16 00:47:54 +00:00
fi
2014-02-13 18:59:50 -06:00
iniset $KEYSTONE_CONF database connection `database_connection_url keystone`
2012-08-31 18:04:55 -05:00
iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2"
2013-01-29 15:12:20 -05:00
if [[ "$KEYSTONE_TOKEN_BACKEND" = "sql" ]]; then
iniset $KEYSTONE_CONF token driver keystone.token.backends.sql.Token
2013-11-15 10:42:30 -05:00
elif [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then
iniset $KEYSTONE_CONF token driver keystone.token.backends.memcache.Token
2013-01-29 15:12:20 -05:00
else
iniset $KEYSTONE_CONF token driver keystone.token.backends.kvs.Token
fi
2012-08-31 18:04:55 -05:00
if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
# Configure ``keystone.conf`` to use sql
iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog
inicomment $KEYSTONE_CONF catalog template_file
else
cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
# Add swift endpoints to service catalog if swift is enabled
2013-03-06 10:58:33 +01:00
if is_service_enabled s-proxy; then
2012-08-31 18:04:55 -05:00
echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
fi
2013-07-06 23:29:39 -04:00
# Add neutron endpoints to service catalog if neutron is enabled
if is_service_enabled neutron; then
2012-08-31 18:04:55 -05:00
echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG
2013-07-06 23:29:39 -04:00
echo "catalog.RegionOne.network.name = Neutron Service" >> $KEYSTONE_CATALOG
2012-08-31 18:04:55 -05:00
fi
2012-12-13 08:50:37 +01:00
sed -e "
2012-08-31 18:04:55 -05:00
s,%SERVICE_HOST%,$SERVICE_HOST,g;
s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
" -i $KEYSTONE_CATALOG
# Configure ``keystone.conf`` to use templates
iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
fi
# Set up logging
if [ "$SYSLOG" != "False" ]; then
2014-01-22 19:06:44 -06:00
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
fi
# Format logging
2014-05-01 22:05:41 -07:00
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && ! is_apache_enabled_service key ; then
2014-01-22 19:06:44 -06:00
setup_colorized_logging $KEYSTONE_CONF DEFAULT
2012-08-31 18:04:55 -05:00
fi
2013-09-17 12:47:03 +10:00
if is_apache_enabled_service key; then
2014-05-01 22:05:41 -07:00
iniset $KEYSTONE_CONF DEFAULT debug "True"
# Eliminate the %(asctime)s.%(msecs)03d from the log format strings
iniset $KEYSTONE_CONF DEFAULT logging_context_format_string "%(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s"
iniset $KEYSTONE_CONF DEFAULT logging_default_format_string "%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s"
iniset $KEYSTONE_CONF DEFAULT logging_debug_format_suffix "%(funcName)s %(pathname)s:%(lineno)d"
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(process)d TRACE %(name)s %(instance)s"
2013-09-17 12:47:03 +10:00
_config_keystone_apache_wsgi
fi
2012-08-31 18:04:55 -05:00
}
2014-05-27 15:51:49 +02:00
function configure_keystone_extensions {
# Add keystone extension into keystone v3 application pipeline
local extension_value
local api_v3
local extension
local api_v3_extension
for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do
if [[ -z "${extension_value}" ]]; then
continue
fi
api_v3=$(iniget $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline)
extension=$(echo $api_v3 | sed -ne "/${extension_value}/ p;" )
if [[ -z $extension ]]; then
api_v3_extension=$(echo $api_v3 | sed -ne "s/service_v3/${extension_value}_extension service_v3/p;" )
iniset $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline "$api_v3_extension"
fi
done
}
2012-11-29 17:11:35 -06:00
# create_keystone_accounts() - Sets up common required keystone accounts
# Tenant User Roles
# ------------------------------------------------------------------
2014-03-03 14:31:29 -06:00
# admin admin admin
2012-11-29 17:11:35 -06:00
# service -- --
2014-03-03 14:31:29 -06:00
# -- -- service
# -- -- ResellerAdmin
2012-11-29 17:11:35 -06:00
# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Migrated from keystone_data.sh
2014-02-21 15:35:08 +11:00
function create_keystone_accounts {
2012-11-29 17:11:35 -06:00
# admin
2014-01-24 13:02:26 -06:00
ADMIN_TENANT=$(openstack project create \
admin \
2012-11-29 17:11:35 -06:00
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
ADMIN_USER=$(openstack user create \
admin \
--project "$ADMIN_TENANT" \
2012-11-29 17:11:35 -06:00
--email admin@example.com \
2014-01-24 13:02:26 -06:00
--password "$ADMIN_PASSWORD" \
2012-11-29 17:11:35 -06:00
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
ADMIN_ROLE=$(openstack role create \
admin \
2012-11-29 17:11:35 -06:00
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
openstack role add \
$ADMIN_ROLE \
--project $ADMIN_TENANT \
--user $ADMIN_USER
2012-11-29 17:11:35 -06:00
2014-03-03 14:31:29 -06:00
# Create service project/role
openstack project create $SERVICE_TENANT_NAME
# Service role, so service users do not have to be admins
openstack role create service
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
openstack role create ResellerAdmin
2012-11-29 17:11:35 -06:00
# The Member role is used by Horizon and Swift so we need to keep it:
2014-01-24 13:02:26 -06:00
MEMBER_ROLE=$(openstack role create \
Member \
| grep " id " | get_field 2)
2012-11-29 17:11:35 -06:00
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
2014-01-24 13:02:26 -06:00
ANOTHER_ROLE=$(openstack role create \
anotherrole \
| grep " id " | get_field 2)
2012-11-29 17:11:35 -06:00
# invisible tenant - admin can't see this one
2014-01-24 13:02:26 -06:00
INVIS_TENANT=$(openstack project create \
invisible_to_admin \
| grep " id " | get_field 2)
2012-11-29 17:11:35 -06:00
# demo
2014-01-24 13:02:26 -06:00
DEMO_TENANT=$(openstack project create \
demo \
2012-11-29 17:11:35 -06:00
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
DEMO_USER=$(openstack user create \
demo \
--project $DEMO_TENANT \
2012-11-29 17:11:35 -06:00
--email demo@example.com \
2014-01-24 13:02:26 -06:00
--password "$ADMIN_PASSWORD" \
2012-11-29 17:11:35 -06:00
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
openstack role add --project $DEMO_TENANT --user $DEMO_USER $MEMBER_ROLE
openstack role add --project $DEMO_TENANT --user $ADMIN_USER $ADMIN_ROLE
openstack role add --project $DEMO_TENANT --user $DEMO_USER $ANOTHER_ROLE
openstack role add --project $INVIS_TENANT --user $DEMO_USER $MEMBER_ROLE
2012-11-29 17:11:35 -06:00
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
2014-01-24 13:02:26 -06:00
KEYSTONE_SERVICE=$(openstack service create \
keystone \
2012-11-29 17:11:35 -06:00
--type identity \
--description "Keystone Identity Service" \
| grep " id " | get_field 2)
2014-01-24 13:02:26 -06:00
openstack endpoint create \
$KEYSTONE_SERVICE \
2012-11-29 17:11:35 -06:00
--region RegionOne \
2013-01-24 14:14:28 -06:00
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"
2012-11-29 17:11:35 -06:00
fi
}
2013-11-21 03:10:27 -05:00
# Configure the API version for the OpenStack projects.
# configure_API_version conf_file version
2014-02-21 15:35:08 +11:00
function configure_API_version {
2013-11-21 03:10:27 -05:00
local conf_file=$1
local api_version=$2
iniset $conf_file keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version
}
2012-08-31 18:04:55 -05:00
# init_keystone() - Initialize databases, etc.
2014-02-21 15:35:08 +11:00
function init_keystone {
2013-10-01 14:45:04 -05:00
if is_service_enabled ldap; then
init_ldap
fi
2012-08-31 18:04:55 -05:00
# (Re)create keystone database
2012-11-01 16:12:39 -04:00
recreate_database keystone utf8
2012-08-31 18:04:55 -05:00
# Initialize keystone database
$KEYSTONE_DIR/bin/keystone-manage db_sync
2014-05-27 15:51:49 +02:00
local extension_value
for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do
if [[ -z "${extension_value}" ]]; then
continue
fi
$KEYSTONE_DIR/bin/keystone-manage db_sync --extension "${extension_value}"
done
2014-06-19 16:55:45 -05:00
if [[ "$KEYSTONE_TOKEN_FORMAT" != "uuid" ]]; then
2012-10-01 14:06:44 -05:00
# Set up certificates
2012-12-12 15:57:33 -08:00
rm -rf $KEYSTONE_CONF_DIR/ssl
2012-10-01 14:06:44 -05:00
$KEYSTONE_DIR/bin/keystone-manage pki_setup
# Create cache dir
sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR
2013-01-06 22:40:09 +01:00
sudo chown $STACK_USER $KEYSTONE_AUTH_CACHE_DIR
2012-12-12 15:57:33 -08:00
rm -f $KEYSTONE_AUTH_CACHE_DIR/*
2012-10-01 14:06:44 -05:00
fi
2012-08-31 18:04:55 -05:00
}
# install_keystoneclient() - Collect source and prepare
2014-02-21 15:35:08 +11:00
function install_keystoneclient {
2012-08-31 18:04:55 -05:00
git_clone $KEYSTONECLIENT_REPO $KEYSTONECLIENT_DIR $KEYSTONECLIENT_BRANCH
2013-04-01 16:44:31 -04:00
setup_develop $KEYSTONECLIENT_DIR
2013-08-14 16:04:01 +02:00
sudo install -D -m 0644 -o $STACK_USER {$KEYSTONECLIENT_DIR/tools/,/etc/bash_completion.d/}keystone.bash_completion
2012-08-31 18:04:55 -05:00
}
# install_keystone() - Collect source and prepare
2014-02-21 15:35:08 +11:00
function install_keystone {
2013-01-22 10:17:50 -06:00
# only install ldap if the service has been enabled
if is_service_enabled ldap; then
install_ldap
fi
2013-11-15 10:42:30 -05:00
if [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then
# Install memcached and the memcache Python library that keystone uses.
# Unfortunately the Python library goes by different names in the .deb
# and .rpm circles.
install_package memcached
if is_ubuntu; then
install_package python-memcache
else
install_package python-memcached
fi
fi
2012-08-31 18:04:55 -05:00
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH
2013-04-01 16:44:31 -04:00
setup_develop $KEYSTONE_DIR
2013-09-17 12:47:03 +10:00
if is_apache_enabled_service key; then
install_apache_wsgi
fi
2012-08-31 18:04:55 -05:00
}
# start_keystone() - Start running processes, including screen
2014-02-21 15:35:08 +11:00
function start_keystone {
2012-11-29 11:47:58 -06:00
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
fi
2013-09-17 12:47:03 +10:00
if is_apache_enabled_service key; then
restart_apache_server
screen_it key "cd $KEYSTONE_DIR && sudo tail -f /var/log/$APACHE_NAME/keystone"
else
# Start Keystone in a screen window
2014-01-22 19:06:44 -06:00
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF --debug"
2013-09-17 12:47:03 +10:00
fi
2012-11-29 17:11:35 -06:00
echo "Waiting for keystone to start..."
2014-02-26 13:46:56 +10:00
if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
2013-10-22 08:47:11 -04:00
die $LINENO "keystone did not start"
2012-11-29 17:11:35 -06:00
fi
2012-11-29 11:47:58 -06:00
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
fi
2012-08-31 18:04:55 -05:00
}
# stop_keystone() - Stop running processes
2014-02-21 15:35:08 +11:00
function stop_keystone {
2012-08-31 18:04:55 -05:00
# Kill the Keystone screen window
2013-05-22 17:19:06 -05:00
screen_stop key
2014-05-01 22:57:06 -07:00
# Cleanup the WSGI files and VHOST
_cleanup_keystone_apache_wsgi
2012-08-31 18:04:55 -05:00
}
2012-09-13 17:16:12 -05:00
2013-06-03 16:47:36 -05:00
2012-09-13 17:16:12 -05:00
# Restore xtrace
$XTRACE
2013-03-29 14:34:53 -04:00
2013-10-24 11:27:02 +01:00
# Tell emacs to use shell-script-mode
## Local variables:
## mode: shell-script
## End: