new keystone support

This commit is contained in:
termie 2012-01-09 22:13:29 -08:00
parent 149ac205ce
commit a96a418171
5 changed files with 205 additions and 137 deletions

View File

@ -0,0 +1,30 @@
# config for TemplatedCatalog, using camelCase because I don't want to do
# translations for legacy compat
catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'
catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.name = 'Compute Service'
catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud
catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin
catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud
catalog.RegionOne.ec2.name = 'EC2 Service'
catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1
catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1
catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1
catalog.RegionOne.image.name = 'Image Service'
catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/
catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = 'Swift Service'

View File

@ -1,112 +1,61 @@
[DEFAULT] [DEFAULT]
# Show more verbose log output (sets INFO log level output) public_port = 5000
verbose = False admin_port = 35357
admin_token = %SERVICE_TOKEN%
# Show debugging output in logs (sets DEBUG log level output)
debug = False
# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite
# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_file = %DEST%/keystone/keystone.log log_file = %DEST%/keystone/keystone.log
# List of backends to be configured [sql]
backends = keystone.backends.sqlalchemy connection = %SQL_CONN%
#For LDAP support, add: ,keystone.backends.ldap idle_timeout = 30
min_pool_size = 5
max_pool_size = 10
pool_timeout = 200
# Dictionary Maps every service to a header.Missing services would get header [identity]
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name driver = keystone.backends.sql.SqlIdentity
service-header-mappings = {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
#List of extensions currently supported [catalog]
extensions= osksadm,oskscatalog driver = keystone.backends.templated.TemplatedCatalog
template_file = ./etc/default_catalog.templates
# Address to bind the API server [token]
# TODO Properties defined within app not available via pipeline. driver = keystone.backends.kvs.KvsToken
service_host = 0.0.0.0
# Port the bind the API server to [policy]
service_port = 5000 driver = keystone.backends.policy.SimpleMatch
# SSL for API server
service_ssl = False
# Address to bind the Admin API server
admin_host = 0.0.0.0
# Port the bind the Admin API server to
admin_port = 35357
# SSL for API Admin server
admin_ssl = False
# Keystone certificate file (modify as needed)
# Only required if *_ssl is set to True
certfile = /etc/keystone/ssl/certs/keystone.pem
# Keystone private key file (modify as needed)
# Only required if *_ssl is set to True
keyfile = /etc/keystone/ssl/private/keystonekey.pem
# Keystone trusted CA certificates (modify as needed)
# Only required if *_ssl is set to True
ca_certs = /etc/keystone/ssl/certs/ca.pem
# Client certificate required
# Only relevant if *_ssl is set to True
cert_required = True
#Role that allows to perform admin operations.
keystone-admin-role = admin
#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin
#Tells whether password user need to be hashed in the backend
hash-password = True
[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = %SQL_CONN%
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
'User', 'Credentials', 'EndpointTemplates', 'Token',
'Service']
# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30
[pipeline:admin]
pipeline =
urlrewritefilter
admin_api
[pipeline:keystone-legacy-auth]
pipeline =
urlrewritefilter
legacy_auth
service_api
[app:service_api]
paste.app_factory = keystone.server:service_app_factory
[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory
[filter:urlrewritefilter]
paste.filter_factory = keystone.middleware.url:filter_factory
[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
[filter:debug] [filter:debug]
paste.filter_factory = keystone.common.wsgi:debug_filter_factory paste.filter_factory = keystone.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:crud_extension]
paste.filter_factory = keystone.service:AdminCrudExtension.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = token_auth admin_token_auth json_body debug public_service
[pipeline:admin_api]
pipeline = token_auth admin_token_auth json_body debug crud_extension admin_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api

View File

@ -1,54 +1,138 @@
#!/bin/bash #!/bin/bash
BIN_DIR=${BIN_DIR:-.} BIN_DIR=${BIN_DIR:-.}
# Tenants # Tenants
$BIN_DIR/keystone-manage tenant add admin ADMIN_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only
$BIN_DIR/keystone-manage tenant add demo create \
$BIN_DIR/keystone-manage tenant add invisible_to_admin tenant_name=admin`
DEMO_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
tenant_name=demo`
INVIS_TENANT=`$BIN_DIR/keystone-manage tenant --ks-id-only create \
tenant_name=invisible_to_admin`
# Users # Users
$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD% ADMIN_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD% name=admin \
"password=%ADMIN_PASSWORD%" \
email=admin@example.com`
DEMO_USER=`$BIN_DIR/keystone-manage user --ks-id-only create \
name=demo \
"password=%ADMIN_PASSWORD%" \
email=demo@example.com`
# Roles # Roles
$BIN_DIR/keystone-manage role add admin ADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role add Member name=Admin`
$BIN_DIR/keystone-manage role add KeystoneAdmin MEMBER_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role add KeystoneServiceAdmin name=Member`
$BIN_DIR/keystone-manage role add sysadmin KEYSTONEADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role add netadmin name=KeystoneAdmin`
$BIN_DIR/keystone-manage role grant admin admin admin KEYSTONESERVICE_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role grant Member demo demo name=KeystoneServiceAdmin`
$BIN_DIR/keystone-manage role grant sysadmin demo demo SYSADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role grant netadmin demo demo name=sysadmin`
$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin NETADMIN_ROLE=`$BIN_DIR/keystone-manage role --ks-id-only create \
$BIN_DIR/keystone-manage role grant admin admin demo name=netadmin`
$BIN_DIR/keystone-manage role grant admin admin
$BIN_DIR/keystone-manage role grant KeystoneAdmin admin
$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin # Add Roles to Users in Tenants
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$ADMIN_ROLE \
user_id=$ADMIN_USER \
tenant_id=$ADMIN_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$MEMBER_ROLE \
user_id=$DEMO_USER \
tenant_id=$DEMO_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$SYSADMIN_ROLE \
user_id=$DEMO_USER \
tenant_id=$DEMO_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$NETADMIN_ROLE \
user_id=$DEMO_USER \
tenant_id=$DEMO_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$MEMBER_ROLE \
user_id=$DEMO_USER \
tenant_id=$INVIS_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$ADMIN_ROLE \
user_id=$ADMIN_USER \
tenant_id=$DEMO_TENANT
# TODO(termie): these two might be dubious
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$KEYSTONEADMIN_ROLE \
user_id=$ADMIN_USER \
tenant_id=$ADMIN_TENANT
$BIN_DIR/keystone-manage role add_user_to_tenant \
role_id=$KEYSTONESERVICE_ROLE \
user_id=$ADMIN_USER \
tenant_id=$ADMIN_TENANT
# Services # Services
$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service" $BIN_DIR/keystone-manage service create \
$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer" name=nova \
$BIN_DIR/keystone-manage service add glance image "Glance Image Service" service_type=compute \
$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service" "description=Nova Compute Service"
$BIN_DIR/keystone-manage service create \
name=ec2 \
service_type=ec2 \
"description=EC2 Compatibility Layer"
$BIN_DIR/keystone-manage service create \
name=glance \
service_type=image \
"description=Glance Image Service"
$BIN_DIR/keystone-manage service create \
name=keystone \
service_type=identity \
"description=Keystone Identity Service"
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
$BIN_DIR/keystone-manage service add swift object-store "Swift Service" $BIN_DIR/keystone-manage service create \
name=swift \
service_type=object-store \
"description=Swift Service"
fi fi
#endpointTemplates #endpointTemplates
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1 $BIN_DIR/keystone-manage $* endpointTemplates add \
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1 RegionOne nova
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1 http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1 http://%SERVICE_HOST%:8774/v1.1/%tenant_id%
http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1
$BIN_DIR/keystone-manage $* endpointTemplates add
RegionOne ec2
http://%SERVICE_HOST%:8773/services/Cloud
http://%SERVICE_HOST%:8773/services/Admin
http://%SERVICE_HOST%:8773/services/Cloud 1 1
$BIN_DIR/keystone-manage $* endpointTemplates add
RegionOne glance
http://%SERVICE_HOST%:9292/v1
http://%SERVICE_HOST%:9292/v1
http://%SERVICE_HOST%:9292/v1 1 1
$BIN_DIR/keystone-manage $* endpointTemplates add
RegionOne keystone
http://%SERVICE_HOST%:5000/v2.0
http://%SERVICE_HOST%:35357/v2.0
http://%SERVICE_HOST%:5000/v2.0 1 1
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1 $BIN_DIR/keystone-manage $* endpointTemplates add
RegionOne swift
http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id%
http://%SERVICE_HOST%:8080/
http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1
fi fi
# Tokens # Tokens
$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00 #$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD # EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
# but keystone doesn't parse them - it is just a blob from keystone's # but keystone doesn't parse them - it is just a blob from keystone's
# point of view # point of view
$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials" #$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials" #$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"

View File

@ -1310,6 +1310,11 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then
cp $FILES/keystone.conf $KEYSTONE_CONF cp $FILES/keystone.conf $KEYSTONE_CONF
sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF
sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF
sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF
KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.template
cp $FILES/default_catalog.template $KEYSTONE_CATALOG
sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG
# keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``. # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``.
KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh

View File

@ -15,7 +15,7 @@ GLANCE_REPO=https://github.com/openstack/glance.git
GLANCE_BRANCH=master GLANCE_BRANCH=master
# unified auth system (manages accounts/tokens) # unified auth system (manages accounts/tokens)
KEYSTONE_REPO=https://github.com/openstack/keystone.git KEYSTONE_REPO=https://github.com/termie/keystonelight.git
KEYSTONE_BRANCH=master KEYSTONE_BRANCH=master
# a websockets/html5 or flash powered VNC console for vm instances # a websockets/html5 or flash powered VNC console for vm instances