new keystone support

2012-01-09 22:13:29 -08:00 · 2012-01-09 22:13:29 -08:00 · a96a418171
commit a96a418171
parent 149ac205ce
5 changed files with 205 additions and 137 deletions
--- a/files/default_catalog.templates
+++ b/files/default_catalog.templates
@ -0,0 +1,30 @@
+# config for TemplatedCatalog, using camelCase because I don't want to do
+# translations for legacy compat
+catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0
+catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.name = 'Identity Service'
+
+
+catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.name = 'Compute Service'
+
+
+catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin
+catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.name = 'EC2 Service'
+
+
+catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.name = 'Image Service'
+
+
+catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/
+catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.name = 'Swift Service'
--- a/files/keystone.conf
+++ b/files/keystone.conf
@ -1,112 +1,61 @@
 [DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = False
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = False
-
-# Which backend store should Keystone use by default.
-# Default: 'sqlite'
-# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
-default_store = sqlite
-
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
+public_port = 5000
+admin_port = 35357
+admin_token = %SERVICE_TOKEN%
 log_file = %DEST%/keystone/keystone.log

-# List of backends to be configured
-backends = keystone.backends.sqlalchemy
-#For LDAP support, add: ,keystone.backends.ldap
+[sql]
+connection = %SQL_CONN%
+idle_timeout = 30
+min_pool_size = 5
+max_pool_size = 10
+pool_timeout = 200

-# Dictionary Maps every service to a header.Missing services would get header
-# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
-service-header-mappings = {
-	'nova' : 'X-Server-Management-Url',
-	'swift' : 'X-Storage-Url',
-	'cdn' : 'X-CDN-Management-Url'}
+[identity]
+driver = keystone.backends.sql.SqlIdentity

-#List of extensions currently supported
-extensions= osksadm,oskscatalog
+[catalog]
+driver = keystone.backends.templated.TemplatedCatalog
+template_file = ./etc/default_catalog.templates

-# Address to bind the API server
-# TODO Properties defined within app not available via pipeline.
-service_host = 0.0.0.0
+[token]
+driver = keystone.backends.kvs.KvsToken

-# Port the bind the API server to
-service_port = 5000
-
-# SSL for API server
-service_ssl = False
-
-# Address to bind the Admin API server
-admin_host = 0.0.0.0
-
-# Port the bind the Admin API server to
-admin_port = 35357
-
-# SSL for API Admin server
-admin_ssl = False
-
-# Keystone certificate file (modify as needed)
-# Only required if *_ssl is set to True
-certfile = /etc/keystone/ssl/certs/keystone.pem
-
-# Keystone private key file (modify as needed)
-# Only required if *_ssl is set to True
-keyfile = /etc/keystone/ssl/private/keystonekey.pem
-
-# Keystone trusted CA certificates  (modify as needed)
-# Only required if *_ssl is set to True
-ca_certs = /etc/keystone/ssl/certs/ca.pem
-
-# Client certificate required
-# Only relevant if *_ssl is set to True
-cert_required = True
-
-#Role that allows to perform admin operations.
-keystone-admin-role = admin
-
-#Role that allows to perform service admin operations.
-keystone-service-admin-role = KeystoneServiceAdmin
-
-#Tells whether password user need to be hashed in the backend
-hash-password = True
-
-[keystone.backends.sqlalchemy]
-# SQLAlchemy connection string for the reference implementation registry
-# server. Any valid SQLAlchemy connection string is fine.
-# See: http://bit.ly/ideIpI
-sql_connection = %SQL_CONN%
-backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
-                    'User', 'Credentials', 'EndpointTemplates', 'Token',
-                    'Service']
-
-# Period in seconds after which SQLAlchemy should reestablish its connection
-# to the database.
-sql_idle_timeout = 30
-
-[pipeline:admin]
-pipeline =
-    urlrewritefilter
-    admin_api
-
-[pipeline:keystone-legacy-auth]
-pipeline =
-    urlrewritefilter
-    legacy_auth
-    service_api
-
-[app:service_api]
-paste.app_factory = keystone.server:service_app_factory
-
-[app:admin_api]
-paste.app_factory = keystone.server:admin_app_factory
-
-[filter:urlrewritefilter]
-paste.filter_factory = keystone.middleware.url:filter_factory
-
-[filter:legacy_auth]
-paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
+[policy]
+driver = keystone.backends.policy.SimpleMatch

 [filter:debug]
-paste.filter_factory = keystone.common.wsgi:debug_filter_factory
+paste.filter_factory = keystone.wsgi:Debug.factory
+
+[filter:token_auth]
+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+
+[filter:admin_token_auth]
+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+
+[filter:json_body]
+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+
+[filter:crud_extension]
+paste.filter_factory = keystone.service:AdminCrudExtension.factory
+
+
+[app:public_service]
+paste.app_factory = keystone.service:public_app_factory
+
+[app:admin_service]
+paste.app_factory = keystone.service:admin_app_factory
+
+[pipeline:public_api]
+pipeline = token_auth admin_token_auth json_body debug public_service
+
+[pipeline:admin_api]
+pipeline = token_auth admin_token_auth json_body debug crud_extension admin_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@ -1,54 +1,138 @@
 #!/bin/bash
 BIN_DIR=${BIN_DIR:-.}
 # Tenants
-$BIN_DIR/keystone-manage tenant add admin
-$BIN_DIR/keystone-manage tenant add demo
-$BIN_DIR/keystone-manage tenant add invisible_to_admin
+ADMIN_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only
+                                       create \
+                                       tenant_name=admin`
+DEMO_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
+                                      tenant_name=demo`
+INVIS_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
+                                       tenant_name=invisible_to_admin`
+

 # Users
-$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD%
-$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD%
+ADMIN_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
+                                          name=admin \
+                                          "password=%ADMIN_PASSWORD%" \
+                                          email=admin@example.com`
+DEMO_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
+                                         name=demo \
+                                         "password=%ADMIN_PASSWORD%" \
+                                         email=demo@example.com`

 # Roles
-$BIN_DIR/keystone-manage role add admin
-$BIN_DIR/keystone-manage role add Member
-$BIN_DIR/keystone-manage role add KeystoneAdmin
-$BIN_DIR/keystone-manage role add KeystoneServiceAdmin
-$BIN_DIR/keystone-manage role add sysadmin
-$BIN_DIR/keystone-manage role add netadmin
-$BIN_DIR/keystone-manage role grant admin admin admin
-$BIN_DIR/keystone-manage role grant Member demo demo
-$BIN_DIR/keystone-manage role grant sysadmin demo demo
-$BIN_DIR/keystone-manage role grant netadmin demo demo
-$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin
-$BIN_DIR/keystone-manage role grant admin admin demo
-$BIN_DIR/keystone-manage role grant admin admin
-$BIN_DIR/keystone-manage role grant KeystoneAdmin admin
-$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin
+ADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                          name=Admin`
+MEMBER_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                           name=Member`
+KEYSTONEADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                                  name=KeystoneAdmin`
+KEYSTONESERVICE_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                                         name=KeystoneServiceAdmin`
+SYSADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                             name=sysadmin`
+NETADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
+                                             name=netadmin`
+
+
+# Add Roles to Users in Tenants
+
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$ADMIN_ROLE \
+                              user_id=$ADMIN_USER \
+                              tenant_id=$ADMIN_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$MEMBER_ROLE \
+                              user_id=$DEMO_USER \
+                              tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$SYSADMIN_ROLE \
+                              user_id=$DEMO_USER \
+                              tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$NETADMIN_ROLE \
+                              user_id=$DEMO_USER \
+                              tenant_id=$DEMO_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$MEMBER_ROLE \
+                              user_id=$DEMO_USER \
+                              tenant_id=$INVIS_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$ADMIN_ROLE \
+                              user_id=$ADMIN_USER \
+                              tenant_id=$DEMO_TENANT
+
+# TODO(termie): these two might be dubious
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$KEYSTONEADMIN_ROLE \
+                              user_id=$ADMIN_USER \
+                              tenant_id=$ADMIN_TENANT
+$BIN_DIR/keystone-manage role add_user_to_tenant \
+                              role_id=$KEYSTONESERVICE_ROLE \
+                              user_id=$ADMIN_USER \
+                              tenant_id=$ADMIN_TENANT

 # Services
-$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service"
-$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer"
-$BIN_DIR/keystone-manage service add glance image "Glance Image Service"
-$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service"
+$BIN_DIR/keystone-manage service create \
+                                 name=nova \
+                                 service_type=compute \
+                                 "description=Nova Compute Service"
+
+$BIN_DIR/keystone-manage service create \
+                                 name=ec2 \
+                                 service_type=ec2 \
+                                 "description=EC2 Compatibility Layer"
+
+$BIN_DIR/keystone-manage service create \
+                                 name=glance \
+                                 service_type=image \
+                                 "description=Glance Image Service"
+
+$BIN_DIR/keystone-manage service create \
+                                 name=keystone \
+                                 service_type=identity \
+                                 "description=Keystone Identity Service"
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
-    $BIN_DIR/keystone-manage service add swift object-store "Swift Service"
+    $BIN_DIR/keystone-manage service create \
+                                     name=swift \
+                                     service_type=object-store \
+                                     "description=Swift Service"
 fi

 #endpointTemplates
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id%  http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1
-$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add \
+      RegionOne nova
+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
+      http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+      RegionOne ec2
+      http://%SERVICE_HOST%:8773/services/Cloud
+      http://%SERVICE_HOST%:8773/services/Admin
+      http://%SERVICE_HOST%:8773/services/Cloud 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+      RegionOne glance
+      http://%SERVICE_HOST%:9292/v1
+      http://%SERVICE_HOST%:9292/v1
+      http://%SERVICE_HOST%:9292/v1 1 1
+$BIN_DIR/keystone-manage $* endpointTemplates add
+      RegionOne keystone
+      http://%SERVICE_HOST%:5000/v2.0
+      http://%SERVICE_HOST%:35357/v2.0
+      http://%SERVICE_HOST%:5000/v2.0 1 1
 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
-    $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
+    $BIN_DIR/keystone-manage $* endpointTemplates add
+        RegionOne swift
+        http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id%
+        http://%SERVICE_HOST%:8080/
+        http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
 fi

 # Tokens
-$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
+#$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00

 # EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
 # but keystone doesn't parse them - it is just a blob from keystone's
 # point of view
-$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
-$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
+#$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
+#$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
--- a/stack.sh
+++ b/stack.sh
@ -1310,6 +1310,11 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then
    cp $FILES/keystone.conf $KEYSTONE_CONF
    sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF
    sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF
+    sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF
+
+    KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.template
+    cp $FILES/default_catalog.template $KEYSTONE_CATALOG
+    sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG

    # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``.
    KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh
--- a/2
+++ b/2
@ -15,7 +15,7 @@ GLANCE_REPO=https://github.com/openstack/glance.git
 GLANCE_BRANCH=master

 # unified auth system (manages accounts/tokens)
-KEYSTONE_REPO=https://github.com/openstack/keystone.git
+KEYSTONE_REPO=https://github.com/termie/keystonelight.git
 KEYSTONE_BRANCH=master

 # a websockets/html5 or flash powered VNC console for vm instances