Merge "Support sql service catalog backend"

files/keystone_data.sh

@@ -20,8 +20,13 @@
 # SERVICE_TOKEN - aka admin_token in keystone.conf
 # SERVICE_ENDPOINT - local Keystone admin endpoint
 # SERVICE_TENANT_NAME - name of tenant containing service accounts
+# SERVICE_HOST - host used for endpoint creation
 # ENABLED_SERVICES - stack.sh's list of services to start
 # DEVSTACK_DIR - Top-level DevStack directory
+# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
+
+# Defaults
+# --------
 
 ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
 SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
@@ -30,10 +35,13 @@ export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
 SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
 
 function get_id () {
-    echo `$@ | awk '/ id / { print $4 }'`
+    echo `"$@" | awk '/ id / { print $4 }'`
 }
 
+
 # Tenants
+# -------
+
 ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
 SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
 DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
@@ -41,6 +49,8 @@ INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
 
 
 # Users
+# -----
+
 ADMIN_USER=$(get_id keystone user-create --name=admin \
                                          --pass="$ADMIN_PASSWORD" \
                                          --email=admin@example.com)
@@ -50,6 +60,8 @@ DEMO_USER=$(get_id keystone user-create --name=demo \
 
 
 # Roles
+# -----
+
 ADMIN_ROLE=$(get_id keystone role-create --name=admin)
 KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
 KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
@@ -74,60 +86,193 @@ keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $
 keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
 
 
-# Configure service users/roles
+# Services
-NOVA_USER=$(get_id keystone user-create --name=nova \
+# --------
-                                        --pass="$SERVICE_PASSWORD" \
-                                        --tenant_id $SERVICE_TENANT \
-                                        --email=nova@example.com)
-keystone user-role-add --tenant_id $SERVICE_TENANT \
-                       --user_id $NOVA_USER \
-                       --role_id $ADMIN_ROLE
 
-GLANCE_USER=$(get_id keystone user-create --name=glance \
+# Keystone
-                                          --pass="$SERVICE_PASSWORD" \
+if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
-                                          --tenant_id $SERVICE_TENANT \
+	KEYSTONE_SERVICE=$(get_id keystone service-create \
-                                          --email=glance@example.com)
+		--name=keystone \
-keystone user-role-add --tenant_id $SERVICE_TENANT \
+		--type=identity \
-                       --user_id $GLANCE_USER \
+		--description="Keystone Identity Service")
-                       --role_id $ADMIN_ROLE
+	keystone endpoint-create \
+	    --region RegionOne \
+		--service_id $KEYSTONE_SERVICE \
+		--publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
+		--adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
+		--internalurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0"
+fi
 
-if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
+# Nova
-    SWIFT_USER=$(get_id keystone user-create --name=swift \
+if [[ "$ENABLED_SERVICES" =~ "n-cpu" ]]; then
-                                             --pass="$SERVICE_PASSWORD" \
+    NOVA_USER=$(get_id keystone user-create \
-                                             --tenant_id $SERVICE_TENANT \
+        --name=nova \
-                                             --email=swift@example.com)
+        --pass="$SERVICE_PASSWORD" \
-    keystone user-role-add --tenant_id $SERVICE_TENANT \
+        --tenant_id $SERVICE_TENANT \
-                           --user_id $SWIFT_USER \
+        --email=nova@example.com)
-                           --role_id $ADMIN_ROLE
+    keystone user-role-add \
+        --tenant_id $SERVICE_TENANT \
+        --user_id $NOVA_USER \
+        --role_id $ADMIN_ROLE
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        NOVA_SERVICE=$(get_id keystone service-create \
+            --name=nova \
+            --type=compute \
+            --description="Nova Compute Service")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $NOVA_SERVICE \
+            --publicurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
+            --adminurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
+            --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s"
+    fi
     # Nova needs ResellerAdmin role to download images when accessing
     # swift through the s3 api. The admin role in swift allows a user
     # to act as an admin for their tenant, but ResellerAdmin is needed
     # for a user to act as any tenant. The name of this role is also
     # configurable in swift-proxy.conf
     RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
-    keystone user-role-add --tenant_id $SERVICE_TENANT \
+    keystone user-role-add \
-                           --user_id $NOVA_USER \
+        --tenant_id $SERVICE_TENANT \
-                           --role_id $RESELLER_ROLE
+        --user_id $NOVA_USER \
+        --role_id $RESELLER_ROLE
 fi
 
-if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
+# Volume
-    QUANTUM_USER=$(get_id keystone user-create --name=quantum \
+if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
-                                               --pass="$SERVICE_PASSWORD" \
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
-                                               --tenant_id $SERVICE_TENANT \
+        VOLUME_SERVICE=$(get_id keystone service-create \
-                                               --email=quantum@example.com)
+            --name=volume \
-    keystone user-role-add --tenant_id $SERVICE_TENANT \
+            --type=volume \
-                           --user_id $QUANTUM_USER \
+            --description="Volume Service")
-                           --role_id $ADMIN_ROLE
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $VOLUME_SERVICE \
+            --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
+            --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
+            --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
+    fi
+fi
+
+# Glance
+if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
+    GLANCE_USER=$(get_id keystone user-create \
+        --name=glance \
+        --pass="$SERVICE_PASSWORD" \
+        --tenant_id $SERVICE_TENANT \
+        --email=glance@example.com)
+    keystone user-role-add \
+        --tenant_id $SERVICE_TENANT \
+        --user_id $GLANCE_USER \
+        --role_id $ADMIN_ROLE
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        GLANCE_SERVICE=$(get_id keystone service-create \
+            --name=glance \
+            --type=image \
+            --description="Glance Image Service")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $GLANCE_SERVICE \
+            --publicurl "http://$SERVICE_HOST:9292/v1" \
+            --adminurl "http://$SERVICE_HOST:9292/v1" \
+            --internalurl "http://$SERVICE_HOST:9292/v1"
+    fi
+fi
+
+# Swift
+if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
+    SWIFT_USER=$(get_id keystone user-create \
+        --name=swift \
+        --pass="$SERVICE_PASSWORD" \
+        --tenant_id $SERVICE_TENANT \
+        --email=swift@example.com)
+    keystone user-role-add \
+        --tenant_id $SERVICE_TENANT \
+        --user_id $SWIFT_USER \
+        --role_id $ADMIN_ROLE
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        SWIFT_SERVICE=$(get_id keystone service-create \
+            --name=swift \
+            --type="object-store" \
+            --description="Swift Service")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $SWIFT_SERVICE \
+            --publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
+            --adminurl "http://$SERVICE_HOST:8080/v1" \
+            --internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
+    fi
+fi
+
+if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
+    QUANTUM_USER=$(get_id keystone user-create \
+        --name=quantum \
+        --pass="$SERVICE_PASSWORD" \
+        --tenant_id $SERVICE_TENANT \
+        --email=quantum@example.com)
+    keystone user-role-add \
+        --tenant_id $SERVICE_TENANT \
+        --user_id $QUANTUM_USER \
+        --role_id $ADMIN_ROLE
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        QUANTUM_SERVICE=$(get_id keystone service-create \
+            --name=quantum \
+            --type=network \
+            --description="Quantum Service")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $QUANTUM_SERVICE \
+            --publicurl "http://$SERVICE_HOST:9696/" \
+            --adminurl "http://$SERVICE_HOST:9696/" \
+            --internalurl "http://$SERVICE_HOST:9696/"
+    fi
+fi
+
+# EC2
+if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        EC2_SERVICE=$(get_id keystone service-create \
+            --name=ec2 \
+            --type=ec2 \
+            --description="EC2 Compatibility Layer")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $EC2_SERVICE \
+            --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+            --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+            --internalurl "http://$SERVICE_HOST:8773/services/Cloud"
+    fi
+fi
+
+# S3
+if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift" ]]; then
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        S3_SERVICE=$(get_id keystone service-create \
+            --name=s3 \
+            --type=s3 \
+            --description="S3")
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $S3_SERVICE \
+            --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+            --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+            --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
+    fi
 fi
 
 if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
     # Tempest has some tests that validate various authorization checks
     # between two regular users in separate tenants
-    ALT_DEMO_TENANT=$(get_id keystone tenant-create --name=alt_demo)
+    ALT_DEMO_TENANT=$(get_id keystone tenant-create \
-    ALT_DEMO_USER=$(get_id keystone user-create --name=alt_demo \
+        --name=alt_demo)
-                                        --pass="$ADMIN_PASSWORD" \
+    ALT_DEMO_USER=$(get_id keystone user-create \
-                                        --email=alt_demo@example.com)
+        --name=alt_demo \
-    keystone user-role-add --user $ALT_DEMO_USER --role $MEMBER_ROLE --tenant_id $ALT_DEMO_TENANT
+        --pass="$ADMIN_PASSWORD" \
+        --email=alt_demo@example.com)
+    keystone user-role-add \
+        --tenant_id $ALT_DEMO_TENANT \
+        --user_id $ALT_DEMO_USER \
+        --role_id $MEMBER_ROLE
 fi
 
 if [[ "$ENABLED_SERVICES" =~ "cinder" ]]; then

stack.sh

@@ -1931,7 +1931,7 @@ if is_service_enabled key; then
 
     KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
     KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
-    KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
+    KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-template}
 
     if [[ ! -d $KEYSTONE_CONF_DIR ]]; then
         sudo mkdir -p $KEYSTONE_CONF_DIR
@@ -1942,41 +1942,49 @@ if is_service_enabled key; then
         cp -p $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF
         cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR
     fi
-    cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
 
     # Rewrite stock keystone.conf:
     iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
     iniset $KEYSTONE_CONF sql connection "$BASE_SQL_CONN/keystone?charset=utf8"
     iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2"
-    # Configure keystone.conf to use templates
-    iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
-    iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
     sed -e "
         /^pipeline.*ec2_extension crud_/s|ec2_extension crud_extension|ec2_extension s3_extension crud_extension|;
     " -i $KEYSTONE_CONF
     # Append the S3 bits
     iniset $KEYSTONE_CONF filter:s3_extension paste.filter_factory "keystone.contrib.s3:S3Extension.factory"
 
-    # Add swift endpoints to service catalog if swift is enabled
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
-    if is_service_enabled swift; then
+        # Configure keystone.conf to use sql
-        echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+        iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog
-        echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
+        inicomment $KEYSTONE_CONF catalog template_file
-        echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+    else
-        echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
+        KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
-    fi
+        cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
+        # Add swift endpoints to service catalog if swift is enabled
+        if is_service_enabled swift; then
+            echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
+        fi
 
-    # Add quantum endpoints to service catalog if quantum is enabled
+        # Add quantum endpoints to service catalog if quantum is enabled
-    if is_service_enabled quantum; then
+        if is_service_enabled quantum; then
-        echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
-        echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
-        echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
-        echo "catalog.RegionOne.network.name = Quantum Service" >> $KEYSTONE_CATALOG
+            echo "catalog.RegionOne.network.name = Quantum Service" >> $KEYSTONE_CATALOG
-    fi
+        fi
 
-    sudo sed -e "
+        sudo sed -e "
-        s,%SERVICE_HOST%,$SERVICE_HOST,g;
+            s,%SERVICE_HOST%,$SERVICE_HOST,g;
-        s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
+            s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
-    " -i $KEYSTONE_CATALOG
+        " -i $KEYSTONE_CATALOG
+
+        # Configure keystone.conf to use templates
+        iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
+        iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
+    fi
 
     # Set up logging
     LOGGING_ROOT="devel"
@@ -1988,25 +1996,31 @@ if is_service_enabled key; then
     iniset $KEYSTONE_CONF_DIR/logging.conf logger_root level "DEBUG"
     iniset $KEYSTONE_CONF_DIR/logging.conf logger_root handlers "devel,production"
 
-    # initialize keystone database
+    # Set up the keystone database
     $KEYSTONE_DIR/bin/keystone-manage db_sync
 
     # launch keystone and wait for it to answer before continuing
     screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
     echo "Waiting for keystone to start..."
-    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ 2>&1 | grep -q '200 OK'; do sleep 1; done"; then
+    if ! timeout $SERVICE_TIMEOUT sh -c "while http_proxy= wget -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ 2>&1 | grep -q 'refused'; do sleep 1; done"; then
       echo "keystone did not start"
       exit 1
     fi
 
     # keystone_data.sh creates services, admin and demo users, and roles.
     SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
-    ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
+
+    ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
+    SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
+    S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
+    DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
         bash $FILES/keystone_data.sh
 
     # create an access key and secret key for nova ec2 register image
     if is_service_enabled swift && is_service_enabled nova; then
-        CREDS=$(keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os_password=$SERVICE_PASSWORD --os_tenant_name=$SERVICE_TENANT_NAME ec2-credentials-create)
+        NOVA_USER_ID=$(keystone user-list | grep ' nova ' | get_field 1)
+        NOVA_TENANT_ID=$(keystone tenant-list | grep " $SERVICE_TENANT_NAME " | get_field 1)
+        CREDS=$(keystone ec2-credentials-create --user $NOVA_USER_ID --tenant_id $NOVA_TENANT_ID)
         ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
         SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
         add_nova_opt "s3_access_key=$ACCESS_KEY"