Finish configuring ceilometer authentication

Copy the policy.json file for ceilometer into place
and configure the API service to find it.

Create a service user for ceilometer when the service
is enabled.

Use the service user for the admin_user and admin_password
in the ceilometer config file so the middleware can
verify tokens.

Change-Id: I39be13da0c86704d35e0ce3dc3d27fd38d787058
Signed-off-by: Doug Hellmann <doug.hellmann@dreamhost.com>

files/keystone_data.sh

@@ -11,6 +11,7 @@
 # service              swift      admin        # if enabled
 # service              cinder     admin        # if enabled
 # service              heat       admin        # if enabled
+# service              ceilometer admin        # if enabled
 # demo                 admin      admin
 # demo                 demo       Member, anotherrole
 # invisible_to_admin   demo       Member
@@ -262,7 +263,14 @@ if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
     fi
 fi
 
-if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
+if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
+    CEILOMETER_USER=$(get_id keystone user-create --name=ceilometer \
+                                              --pass="$SERVICE_PASSWORD" \
+                                              --tenant_id $SERVICE_TENANT \
+                                              --email=ceilometer@example.com)
+    keystone user-role-add --tenant_id $SERVICE_TENANT \
+                           --user_id $CEILOMETER_USER \
+                           --role_id $ADMIN_ROLE
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         CEILOMETER_SERVICE=$(get_id keystone service-create \
             --name=ceilometer \
@@ -345,4 +353,3 @@ if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
             --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
     fi
 fi
-

lib/ceilometer

@@ -6,8 +6,9 @@
 
 # Dependencies:
 # - functions
-# - OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_AUTH_URL set for admin credentials
+# - OS_AUTH_URL for auth in api
 # - DEST set to the destination directory
+# - SERVICE_PASSWORD, SERVICE_TENANT_NAME for auth in api
 
 # stack.sh
 # ---------
@@ -61,7 +62,15 @@ function configure_ceilometer() {
     iniset $CEILOMETER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD
     iniset $CEILOMETER_CONF DEFAULT sql_connection $BASE_SQL_CONN/nova?charset=utf8
 
+    # Install the policy file for the API server
+    cp $CEILOMETER_DIR/etc/ceilometer/policy.json $CEILOMETER_CONF_DIR
+    iniset $CEILOMETER_CONF DEFAULT policy_file $CEILOMETER_CONF_DIR/policy.json
+
     iniset $CEILOMETER_CONF keystone_authtoken auth_protocol http
+    iniset $CEILOMETER_CONF keystone_authtoken admin_user ceilometer
+    iniset $CEILOMETER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+    iniset $CEILOMETER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
+
     cleanup_ceilometer
 }
 
@@ -73,7 +82,7 @@ function install_ceilometer() {
 # start_ceilometer() - Start running processes, including screen
 function start_ceilometer() {
     screen_it ceilometer-acompute "cd $CEILOMETER_DIR && sg libvirtd \"$CEILOMETER_BIN_DIR/ceilometer-agent-compute --config-file $CEILOMETER_CONF\""
-    screen_it ceilometer-acentral "export OS_USERNAME=$OS_USERNAME OS_PASSWORD=$OS_PASSWORD OS_TENANT_NAME=$OS_TENANT_NAME OS_AUTH_URL=$OS_AUTH_URL && cd $CEILOMETER_DIR && $CEILOMETER_BIN_DIR/ceilometer-agent-central --config-file $CEILOMETER_CONF"
+    screen_it ceilometer-acentral "export OS_USERNAME=ceilometer OS_PASSWORD=$SERVICE_PASSWORD OS_TENANT_NAME=$SERVICE_TENANT_NAME OS_AUTH_URL=$OS_AUTH_URL && cd $CEILOMETER_DIR && $CEILOMETER_BIN_DIR/ceilometer-agent-central --config-file $CEILOMETER_CONF"
     screen_it ceilometer-collector "cd $CEILOMETER_DIR && $CEILOMETER_BIN_DIR/ceilometer-collector --config-file $CEILOMETER_CONF"
     screen_it ceilometer-api "cd $CEILOMETER_DIR && $CEILOMETER_BIN_DIR/ceilometer-api -d -v --log-dir=$CEILOMETER_API_LOG_DIR --config-file $CEILOMETER_CONF"
 }