diff --git a/lib/ceilometer b/lib/ceilometer
index 242ff6cbbb..00fc0d3f68 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -146,11 +146,7 @@ function configure_ceilometer {
 iniset $CEILOMETER_CONF service_credentials os_password $SERVICE_PASSWORD
 iniset $CEILOMETER_CONF service_credentials os_tenant_name $SERVICE_TENANT_NAME
- iniset $CEILOMETER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $CEILOMETER_CONF keystone_authtoken admin_user ceilometer
- iniset $CEILOMETER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $CEILOMETER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $CEILOMETER_CONF keystone_authtoken signing_dir $CEILOMETER_AUTH_CACHE_DIR
+ configure_auth_token_middleware $CEILOMETER_CONF ceilometer $CEILOMETER_AUTH_CACHE_DIR
 if [ "$CEILOMETER_BACKEND" = 'mysql' ] || [ "$CEILOMETER_BACKEND" = 'postgresql' ] ; then
 iniset $CEILOMETER_CONF database connection `database_connection_url ceilometer`
diff --git a/lib/cinder b/lib/cinder
index e767fa8218..cbca9c0c1d 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -212,12 +212,7 @@ function configure_cinder {
 inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
 inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir
- iniset $CINDER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $CINDER_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
- iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $CINDER_CONF keystone_authtoken admin_user cinder
- iniset $CINDER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $CINDER_CONF keystone_authtoken signing_dir $CINDER_AUTH_CACHE_DIR
+ configure_auth_token_middleware $CINDER_CONF cinder $CINDER_AUTH_CACHE_DIR
 iniset $CINDER_CONF DEFAULT auth_strategy keystone
 iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
@@ -302,10 +297,6 @@ function configure_cinder {
 -e 's/snapshot_autoextend_percent =.*/snapshot_autoextend_percent = 20/' \
 /etc/lvm/lvm.conf
 fi
- configure_API_version $CINDER_CONF $IDENTITY_API_VERSION
- iniset $CINDER_CONF keystone_authtoken admin_user cinder
- iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $CINDER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
 iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
 }
diff --git a/lib/glance b/lib/glance
index 054a7afd33..6ca2fb5ca6 100644
--- a/lib/glance
+++ b/lib/glance
@@ -96,13 +96,7 @@ function configure_glance {
 iniset $GLANCE_REGISTRY_CONF DEFAULT sql_connection $dburl
 iniset $GLANCE_REGISTRY_CONF DEFAULT use_syslog $SYSLOG
 iniset $GLANCE_REGISTRY_CONF paste_deploy flavor keystone
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
- configure_API_version $GLANCE_REGISTRY_CONF $IDENTITY_API_VERSION
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_user glance
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $GLANCE_REGISTRY_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/registry
+ configure_auth_token_middleware $GLANCE_REGISTRY_CONF glance $GLANCE_AUTH_CACHE_DIR/registry
 if is_service_enabled qpid || [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; then
 iniset $GLANCE_REGISTRY_CONF DEFAULT notification_driver messaging
 fi
@@ -115,17 +109,11 @@ function configure_glance {
 iniset $GLANCE_API_CONF DEFAULT use_syslog $SYSLOG
 iniset $GLANCE_API_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/
 iniset $GLANCE_API_CONF paste_deploy flavor keystone+cachemanagement
- iniset $GLANCE_API_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $GLANCE_API_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
- configure_API_version $GLANCE_API_CONF $IDENTITY_API_VERSION
- iniset $GLANCE_API_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $GLANCE_API_CONF keystone_authtoken admin_user glance
- iniset $GLANCE_API_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+ configure_auth_token_middleware $GLANCE_API_CONF glance $GLANCE_AUTH_CACHE_DIR/api
 if is_service_enabled qpid || [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; then
 iniset $GLANCE_API_CONF DEFAULT notification_driver messaging
 fi
 iniset_rpc_backend glance $GLANCE_API_CONF DEFAULT
- iniset $GLANCE_API_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/api
 if [ "$VIRT_DRIVER" = 'xenserver' ]; then
 iniset $GLANCE_API_CONF DEFAULT container_formats "ami,ari,aki,bare,ovf,tgz"
 iniset $GLANCE_API_CONF DEFAULT disk_formats "ami,ari,aki,vhd,raw,iso"
diff --git a/lib/heat b/lib/heat
index a74d7b51ac..f64cc9041c 100644
--- a/lib/heat
+++ b/lib/heat
@@ -110,14 +110,7 @@ function configure_heat {
 setup_colorized_logging $HEAT_CONF DEFAULT tenant user
 fi
- # keystone authtoken
- iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- configure_API_version $HEAT_CONF $IDENTITY_API_VERSION
- iniset $HEAT_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
- iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $HEAT_CONF keystone_authtoken admin_user heat
- iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
+ configure_auth_token_middleware $HEAT_CONF heat $HEAT_AUTH_CACHE_DIR
 if is_ssl_enabled_service "key"; then
 iniset $HEAT_CONF clients_keystone ca_file $KEYSTONE_SSL_CA
diff --git a/lib/ironic b/lib/ironic
index 47cc7dc371..5f3ebcd354 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -243,14 +243,8 @@ function configure_ironic {
 function configure_ironic_api {
 iniset $IRONIC_CONF_FILE DEFAULT auth_strategy keystone
 iniset $IRONIC_CONF_FILE DEFAULT policy_file $IRONIC_POLICY_JSON
- iniset $IRONIC_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $IRONIC_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
- iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI
- iniset $IRONIC_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $IRONIC_CONF_FILE keystone_authtoken admin_user ironic
- iniset $IRONIC_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
+ configure_auth_token_middleware $IRONIC_CONF_FILE ironic $IRONIC_AUTH_CACHE_DIR/api
 iniset_rpc_backend ironic $IRONIC_CONF_FILE DEFAULT
- iniset $IRONIC_CONF_FILE keystone_authtoken signing_dir $IRONIC_AUTH_CACHE_DIR/api
 cp -p $IRONIC_DIR/etc/ironic/policy.json $IRONIC_POLICY_JSON
 }
diff --git a/lib/keystone b/lib/keystone
index b6a4e1097a..2b2f31c773 100644
--- a/lib/keystone
+++ b/lib/keystone
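Review bot: `auth_uri` changes value here rather than just moving: the removed line wrote the unversioned `$KEYSTONE_SERVICE_URI`, while `configure_auth_token_middleware` goes through `configure_API_version` and writes `$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION`. As far as I know `auth_uri` is the endpoint the middleware advertises to unauthenticated clients, so pinning it to an API version is a behaviour change that this refactor does not call out, and the sahara and swift hunks below make the same switch from a bare `.../` value. If it is intended, a short comment at the call site would save the next reader a trip into lib/keystone, e.g. `# auth_uri is now versioned via configure_API_version`.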
@@ -386,11 +386,37 @@ function create_keystone_accounts {
 }
 # Configure the API version for the OpenStack projects.
-# configure_API_version conf_file version
+# configure_API_version conf_file version [section]
 function configure_API_version {
 local conf_file=$1
 local api_version=$2
- iniset $conf_file keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version
+ local section=${3:-keystone_authtoken}
+ iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version
+}
+
+# Configure the service to use the auth token middleware.
+
+# configure_auth_token_middleware conf_file admin_user signing_dir [section]
+
+# section defaults to keystone_authtoken, which is where auth_token looks in
+# the .conf file. If the paste config file is used (api-paste.ini) then
+# provide the section name for the auth_token filter.
+function configure_auth_token_middleware {
+ local conf_file=$1
+ local admin_user=$2
+ local signing_dir=$3
+ local section=${4:-keystone_authtoken}
+
+ iniset $conf_file $section auth_host $KEYSTONE_AUTH_HOST
+ iniset $conf_file $section auth_port $KEYSTONE_AUTH_PORT
+ iniset $conf_file $section auth_protocol $KEYSTONE_AUTH_PROTOCOL
+ iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
+ iniset $conf_file $section cafile $KEYSTONE_SSL_CA
+ configure_API_version $conf_file $IDENTITY_API_VERSION $section
+ iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
+ iniset $conf_file $section admin_user $admin_user
+ iniset $conf_file $section admin_password $SERVICE_PASSWORD
+ iniset $conf_file $section signing_dir $signing_dir
 }
 # init_keystone() - Initialize databases, etc.
diff --git a/lib/neutron b/lib/neutron
index 6985bbec01..96cd47bdb6 100644
--- a/lib/neutron
+++ b/lib/neutron
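Review bot: `configure_auth_token_middleware` writes `cafile $KEYSTONE_SSL_CA` unconditionally, so on a non-TLS stack where that variable is empty every service config, now including ceilometer and zaqar which never set `cafile` before, gets a `cafile` key with no value; whether `iniset` drops an empty fourth argument or writes `cafile =` is not visible here, so please confirm, and if it is the latter guard it with `if [[ -n "$KEYSTONE_SSL_CA" ]]; then iniset $conf_file $section cafile $KEYSTONE_SSL_CA; fi`. The function also describes the keystone admin endpoint twice, once as `identity_uri` and once as the `auth_host`/`auth_port`/`auth_protocol` triple; if the triple is kept for middleware releases that have not moved to `identity_uri`, say so in a comment (`# auth_host/port/protocol are the legacy form of identity_uri; kept for older auth_token releases`) so nobody later drops one form and silently changes which endpoint wins. The header comment names the arguments but not their meaning: `admin_user` is the service account whose password is `$SERVICE_PASSWORD`, and `signing_dir` is the token cache directory, which this function does not create or chown, so callers must (the sahara hunk does it with `sudo chown $STACK_USER`), and that contract belongs in the comment.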
@@ -794,7 +794,7 @@ function _configure_neutron_metadata_agent {
 iniset $Q_META_CONF_FILE DEFAULT nova_metadata_ip $Q_META_DATA_IP
 iniset $Q_META_CONF_FILE DEFAULT root_helper "$Q_RR_COMMAND"
- _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True
+ _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT
 }
@@ -936,23 +936,9 @@ function _neutron_setup_rootwrap {
 function _neutron_setup_keystone {
 local conf_file=$1
 local section=$2
- local use_auth_url=$3
- local skip_auth_cache=$4
- if [[ -n $use_auth_url ]]; then
- iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI/v2.0
- else
- iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
- iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
- fi
- iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
- iniset $conf_file $section admin_user $Q_ADMIN_USERNAME
- iniset $conf_file $section admin_password $SERVICE_PASSWORD
- if [[ -z $skip_auth_cache ]]; then
- iniset $conf_file $section signing_dir $NEUTRON_AUTH_CACHE_DIR
- # Create cache dir
- create_neutron_cache_dir
- fi
+ create_neutron_cache_dir
+ configure_auth_token_middleware $conf_file $Q_ADMIN_USERNAME $NEUTRON_AUTH_CACHE_DIR $section
 }
 function _neutron_setup_interface_driver {
diff --git a/lib/nova b/lib/nova
index 0fed00d769..2a3aae1835 100644
--- a/lib/nova
+++ b/lib/nova
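Review bot: The metadata agent loses its `auth_url`: the removed `use_auth_url` branch wrote `auth_url $KEYSTONE_SERVICE_URI/v2.0` into the DEFAULT section for the call in `_configure_neutron_metadata_agent`, and `configure_auth_token_middleware` writes `auth_uri`/`identity_uri` instead, which are auth_token middleware options rather than the agent's own keystone client setting. If the agent still reads `auth_url` (its option definitions are not visible from here), it will fall back to a built-in default instead of this stack's keystone and metadata proxy requests would likely fail to authenticate; keeping `iniset $Q_META_CONF_FILE DEFAULT auth_url $KEYSTONE_SERVICE_URI/v2.0` after the `_neutron_setup_keystone` call in the first hunk preserves the old behaviour until that is confirmed. The function now also ignores a third and fourth argument silently, so any caller outside this diff that still passes the old `True` flags will not be caught by the shell; a one-line `# NOTE: extra arguments are no longer honoured` in the function would at least flag it. `_configure_neutron_metadata_agent` starts outside the hunk.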
@@ -438,17 +438,9 @@ function create_nova_conf {
 iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"
 fi
- # Add keystone authtoken configuration
-
- iniset $NOVA_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $NOVA_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
- iniset $NOVA_CONF keystone_authtoken admin_user nova
- iniset $NOVA_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+ configure_auth_token_middleware $NOVA_CONF nova $NOVA_AUTH_CACHE_DIR
 fi
- iniset $NOVA_CONF keystone_authtoken signing_dir $NOVA_AUTH_CACHE_DIR
-
 if [ -n "$NOVA_STATE_PATH" ]; then
 iniset $NOVA_CONF DEFAULT state_path "$NOVA_STATE_PATH"
 iniset $NOVA_CONF DEFAULT lock_path "$NOVA_STATE_PATH"
diff --git a/lib/sahara b/lib/sahara
index b50ccdee28..5c7c2534e2 100644
--- a/lib/sahara
+++ b/lib/sahara
@@ -106,16 +106,7 @@ function configure_sahara {
 sudo chown $STACK_USER $SAHARA_AUTH_CACHE_DIR
 rm -rf $SAHARA_AUTH_CACHE_DIR/*
- # Set actual keystone auth configs
- iniset $SAHARA_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
- iniset $SAHARA_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
- iniset $SAHARA_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
- iniset $SAHARA_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
- iniset $SAHARA_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $SAHARA_CONF_FILE keystone_authtoken admin_user sahara
- iniset $SAHARA_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $SAHARA_CONF_FILE keystone_authtoken signing_dir $SAHARA_AUTH_CACHE_DIR
- iniset $SAHARA_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
+ configure_auth_token_middleware $SAHARA_CONF_FILE sahara $SAHARA_AUTH_CACHE_DIR
 # Set configuration to send notifications
diff --git a/lib/swift b/lib/swift
index a8dfe7777e..3c31dd293a 100644
--- a/lib/swift
+++ b/lib/swift
@@ -382,15 +382,7 @@ function configure_swift {
 # Configure Keystone
 sed -i '/^# \[filter:authtoken\]/,/^# \[filter:keystoneauth\]$/ s/^#[ \t]*//' ${SWIFT_CONFIG_PROXY_SERVER}
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_host $KEYSTONE_AUTH_HOST
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_port $KEYSTONE_AUTH_PORT
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken cafile $KEYSTONE_SSL_CA
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken admin_user swift
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken admin_password $SERVICE_PASSWORD
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken signing_dir $SWIFT_AUTH_CACHE_DIR
+ configure_auth_token_middleware ${SWIFT_CONFIG_PROXY_SERVER} swift $SWIFT_AUTH_CACHE_DIR filter:authtoken
 # This causes the authtoken middleware to use the same python logging
 # adapter provided by the swift proxy-server, so that request transaction
 # IDs will included in all of its log messages.
diff --git a/lib/trove b/lib/trove
index cd2bcb02f8..1d1b5f406b 100644
--- a/lib/trove
+++ b/lib/trove
@@ -128,12 +128,7 @@ function configure_trove {
 cp $TROVE_LOCAL_CONF_DIR/api-paste.ini $TROVE_CONF_DIR/api-paste.ini
 TROVE_API_PASTE_INI=$TROVE_CONF_DIR/api-paste.ini
- iniset $TROVE_API_PASTE_INI filter:authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $TROVE_API_PASTE_INI filter:authtoken cafile $KEYSTONE_SSL_CA
- iniset $TROVE_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $TROVE_API_PASTE_INI filter:authtoken admin_user trove
- iniset $TROVE_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD
- iniset $TROVE_API_PASTE_INI filter:authtoken signing_dir $TROVE_AUTH_CACHE_DIR
+ configure_auth_token_middleware $TROVE_API_PASTE_INI trove $TROVE_AUTH_CACHE_DIR filter:authtoken
 # (Re)create trove conf files
 rm -f $TROVE_CONF_DIR/trove.conf
diff --git a/lib/zaqar b/lib/zaqar
index f5e42e3100..93b727e63b 100644
--- a/lib/zaqar
+++ b/lib/zaqar
@@ -107,11 +107,7 @@ function configure_zaqar {
 iniset $ZAQAR_CONF DEFAULT log_file $ZAQAR_API_LOG_FILE
 iniset $ZAQAR_CONF 'drivers:transport:wsgi' bind $ZAQAR_SERVICE_HOST
- iniset $ZAQAR_CONF keystone_authtoken auth_protocol http
- iniset $ZAQAR_CONF keystone_authtoken admin_user zaqar
- iniset $ZAQAR_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
- iniset $ZAQAR_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
- iniset $ZAQAR_CONF keystone_authtoken signing_dir $ZAQAR_AUTH_CACHE_DIR
+ configure_auth_token_middleware $ZAQAR_CONF zaqar $ZAQAR_AUTH_CACHE_DIR
 if [ "$ZAQAR_BACKEND" = 'mysql' ] || [ "$ZAQAR_BACKEND" = 'postgresql' ] ; then
 iniset $ZAQAR_CONF drivers storage sqlalchemy