From 74b91c3eaf150eb40a5d5ab2df1533ae192ee26d Mon Sep 17 00:00:00 2001
From: Sean Dague
Date: Mon, 1 Feb 2016 14:58:20 +0000
Subject: [PATCH] Revert "Move default Keystone API version to v3"
It seems like the fallout from this was not well sorted. A lot of things aren't working, and there is still vestigial v2 bits left behind. This should have come with a much greater warning and some spot checking of additional services working with this.
This reverts commit b162a1d58cdecfb32847b59bd341e06c26efb1ed.
Change-Id: Ia792b23119c00089542ba08879dca1c29dc80945
---
 lib/glance | 2 +-
 lib/heat | 2 +-
 lib/nova_plugins/hypervisor-ironic | 2 +-
 lib/tempest | 5 ++++-
 openrc | 11 ++---------
 stackrc | 2 +-
 tools/create_userrc.sh | 4 ++--
 7 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/lib/glance b/lib/glance
index bf0643bf53..0431bba024 100644
--- a/lib/glance
+++ b/lib/glance
@@ -205,7 +205,7 @@ function configure_glance {
 iniset $GLANCE_CACHE_CONF DEFAULT use_syslog $SYSLOG
 iniset $GLANCE_CACHE_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/
 iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_url
- iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_URI/v3
+ iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_URI/v2.0
 iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_tenant_name
 iniset $GLANCE_CACHE_CONF DEFAULT admin_tenant_name $SERVICE_TENANT_NAME
 iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_user
diff --git a/lib/heat b/lib/heat
index 3c3be79ad7..df44b7689c 100644
--- a/lib/heat
+++ b/lib/heat
@@ -167,7 +167,7 @@ function configure_heat {
 iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI
 # ec2authtoken
- iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
+ iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
 # OpenStack API
 iniset $HEAT_CONF heat_api bind_port $HEAT_API_PORT
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index 2aa9b12ae3..c6ed85d63e 100644
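Review bot: The `/v2.0` suffix on the glance-cache `auth_url` is a literal, and the same literal is repeated in the `ec2authtoken auth_uri` line of lib/heat and the `ironic admin_url` line of lib/nova_plugins/hypervisor-ironic, so none of the three follows `IDENTITY_API_VERSION` from stackrc. A deployment that sets `IDENTITY_API_VERSION=3` still has these services authenticating against v2.0, which is the kind of partial switch the commit message complains about. If the consumers accept either version, derive the suffix the way openrc does, e.g. `iniset $GLANCE_CACHE_CONF DEFAULT auth_url "$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION"`; otherwise add a comment such as `# pinned to Identity v2.0: <reason>` next to each line so the pin is visibly deliberate. configure_glance and configure_heat start and end outside their hunks, and configure_nova_hypervisor starts outside its hunk.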
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -47,7 +47,7 @@ function configure_nova_hypervisor {
 # ironic section
 iniset $NOVA_CONF ironic admin_username admin
 iniset $NOVA_CONF ironic admin_password $ADMIN_PASSWORD
- iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v3
+ iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v2.0
 iniset $NOVA_CONF ironic admin_tenant_name demo
 iniset $NOVA_CONF ironic api_endpoint $IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT/v1
 }
diff --git a/lib/tempest b/lib/tempest
index 4a289fa859..3c34aad539 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -259,7 +259,6 @@ function configure_tempest {
 # Identity
 iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/"
 iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3"
- iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
 if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
 iniset $TEMPEST_CONFIG auth admin_username $ADMIN_USERNAME
 iniset $TEMPEST_CONFIG auth admin_password "$password"
@@ -270,6 +269,10 @@ function configure_tempest {
 if [ "$ENABLE_IDENTITY_V2" == "False" ]; then
 # Only Identity v3 is available; then skip Identity API v2 tests
 iniset $TEMPEST_CONFIG identity-feature-enabled api_v2 False
+ # In addition, use v3 auth tokens for running all Tempest tests
+ iniset $TEMPEST_CONFIG identity auth_version v3
+ else
+ iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v2}
 fi
 if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
diff --git a/openrc b/openrc
index f81345f9fa..9bc0fd77f4 100644
--- a/openrc
+++ b/openrc
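Review bot: The new `else` branch in the second lib/tempest hunk writes `${TEMPEST_AUTH_VERSION:-v2}` to the Tempest config unquoted and unvalidated, while the `ENABLE_IDENTITY_V2` = `False` branch above it hard-codes `v3` and silently ignores the same variable. A typo or stray whitespace in `TEMPEST_AUTH_VERSION` would leave Tempest exercising a different auth path than the operator intended, or split into extra `iniset` arguments. Quote the expansion, `iniset $TEMPEST_CONFIG identity auth_version "${TEMPEST_AUTH_VERSION:-v2}"`, and add a comment on the v3 branch such as `# TEMPEST_AUTH_VERSION is ignored when Identity v2 is disabled`. configure_tempest starts and ends outside this hunk.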
@@ -77,22 +77,15 @@ KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
 # Identity API version
-export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
+export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
 # Authenticating against an OpenStack cloud using Keystone returns a **Token**
 # and **Service Catalog**. The catalog contains the endpoints for all services
 # the user/tenant has access to - including nova, glance, keystone, swift, ...
-# We currently recommend using the version 3 *identity api*.
+# We currently recommend using the 2.0 *identity api*.
 #
 export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
-# Currently, in order to use openstackclient with Identity API v3,
-# we need to set the domain which the user and project belong to.
-if [ "$OS_IDENTITY_API_VERSION" = "3" ]; then
- export OS_USER_DOMAIN_ID=${OS_USER_DOMAIN_ID:-"default"}
- export OS_PROJECT_DOMAIN_ID=${OS_PROJECT_DOMAIN_ID:-"default"}
-fi
-
 # Set OS_CACERT to a default CA certificate chain if it exists.
 if [[ ! -v OS_CACERT ]] ; then
 DEFAULT_OS_CACERT=$INT_CA_DIR/ca-chain.pem
diff --git a/stackrc b/stackrc
index 903da80dec..58146a4a1c 100644
--- a/stackrc
+++ b/stackrc
@@ -130,7 +130,7 @@ elif [[ -f $RC_DIR/.localrc.auto ]]; then
 fi
 # Configure Identity API version: 2.0, 3
-IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
+IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
 # Set the option ENABLE_IDENTITY_V2 to True. It defines whether the DevStack
 # deployment will be deploying the Identity v2 pipelines. If this option is set
diff --git a/tools/create_userrc.sh b/tools/create_userrc.sh
index 00a208c21e..74d5428382 100755
--- a/tools/create_userrc.sh
+++ b/tools/create_userrc.sh
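Review bot: Removing the `if [ "$OS_IDENTITY_API_VERSION" = "3" ]` block in the openrc hunk drops the `OS_USER_DOMAIN_ID` and `OS_PROJECT_DOMAIN_ID` defaults even for users who still select version 3, which the stackrc comment on this page continues to list as a valid value (`2.0, 3`). With `IDENTITY_API_VERSION=3`, `OS_AUTH_URL` resolves to `.../v3` but no domain is exported, so v3 password authentication is likely to fail or to depend on whatever domain variables happen to be in the caller's environment. The block was already guarded on the version and is inert under the 2.0 default, so the revert could keep it as it was and only flip the default. The `if [[ ! -v OS_CACERT ]]` block at the end of the hunk continues past it.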
@@ -133,7 +133,7 @@ if [ -z "$OS_USERNAME" ]; then
 fi
 if [ -z "$OS_AUTH_URL" ]; then
- export OS_AUTH_URL=http://localhost:5000/v3/
+ export OS_AUTH_URL=http://localhost:5000/v2.0/
 fi
 if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then
@@ -236,7 +236,7 @@ export EC2_PRIVATE_KEY="$ec2_private_key"
 export EC2_USER_ID=42 #not checked by nova (can be a 12-digit id)
 export EUCALYPTUS_CERT="$ACCOUNT_DIR/cacert.pem"
 export NOVA_CERT="$ACCOUNT_DIR/cacert.pem"
-export OS_AUTH_TYPE=v3password
+export OS_AUTH_TYPE=v2password
 EOF
 if [ -n "$ADDPASS" ]; then
 echo "export OS_PASSWORD=\"$user_passwd\"" >>"$rcfile"
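Review bot: The `/v2.0/` fallback in the first hunk applies only when `OS_AUTH_URL` is empty, but the second hunk writes `export OS_AUTH_TYPE=v2password` into every generated rc file unconditionally, so a caller who exports a v3 `OS_AUTH_URL` gets rc files whose auth type does not match the endpoint. Deriving the type from the URL keeps the two in step, for example `case "$OS_AUTH_URL" in */v3*) auth_type=v3password ;; *) auth_type=v2password ;; esac` before the here-document and `export OS_AUTH_TYPE=$auth_type` inside it. The `OS_USER_DOMAIN_ID`/`OS_USER_DOMAIN_NAME` test that follows the first hunk's `fi` is left in place by the revert and looks vestigial under a v2.0 default; a one-line comment saying it is kept for v3 callers would help. Both hunks cut through larger blocks whose remainder is not visible here.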
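Review bot: The `echo "export OS_PASSWORD=\"$user_passwd\""` line at the end of the second hunk writes the password inside double quotes, so a value containing `"`, `$` or a backtick is re-interpreted by the shell when the rc file is sourced. The line is context rather than part of the revert, but it sits in the credentials file this hunk edits; if the script runs under bash, `printf 'export OS_PASSWORD=%q\n' "$user_passwd" >>"$rcfile"` writes it safely quoted. The hunk does not show how `$rcfile` is created, so it is worth confirming the file is not group- or world-readable before the password is appended. The `if [ -n "$ADDPASS" ]` block continues past the hunk.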