Add service account configuration

* Use username/password instead of service token for service auth to Keystone
* Updates files/glance-*-paste.ini and files/swift/proxy-server.conf
* keystone_data.sh creates 'service' tenant, 'nova' and 'glance' users
  ('swift' and 'quantum' if those services are enabled)
* Uses $SERVICE_PASSWORD for the service auth password. There is no default;
  to default to $ADMIN_PASSWORD, place the assignment in localrc.

Fixes bug 942983

Change-Id: If78eed1b509a9c1e8441bb4cfa095da9052f9395
This commit is contained in:
Dean Troyer 2012-02-28 16:41:10 -06:00
parent f1a11adf2b
commit b328838104
5 changed files with 85 additions and 14 deletions

View File

@ -30,6 +30,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_host = %KEYSTONE_SERVICE_HOST%
service_port = %KEYSTONE_SERVICE_PORT%
service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
@ -37,7 +38,11 @@ auth_host = %KEYSTONE_AUTH_HOST%
auth_port = %KEYSTONE_AUTH_PORT%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/
# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USERNAME%
admin_password = %SERVICE_PASSWORD%
[filter:auth-context]
paste.filter_factory = glance.common.wsgi:filter_factory

View File

@ -14,6 +14,7 @@ glance.filter_factory = glance.common.context:ContextMiddleware
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_host = %KEYSTONE_SERVICE_HOST%
service_port = %KEYSTONE_SERVICE_PORT%
service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
@ -21,7 +22,11 @@ auth_host = %KEYSTONE_AUTH_HOST%
auth_port = %KEYSTONE_AUTH_PORT%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/
# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USERNAME%
admin_password = %SERVICE_PASSWORD%
[filter:auth-context]
context_class = glance.registry.context.RequestContext

View File

@ -17,6 +17,7 @@ if keystone help | grep -q user-role-add; then
fi
ADMIN_TENANT=`get_id keystone tenant-create --name=admin`
SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME`
DEMO_TENANT=`get_id keystone tenant-create --name=demo`
INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`
@ -73,6 +74,14 @@ keystone service-create \
--name=nova \
--type=compute \
--description="Nova Compute Service"
NOVA_USER=`get_id keystone user-create \
--name=nova \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=nova@example.com`
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $NOVA_USER \
--role $ADMIN_ROLE
keystone service-create \
--name=ec2 \
@ -83,6 +92,14 @@ keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service"
GLANCE_USER=`get_id keystone user-create \
--name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=glance@example.com`
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $GLANCE_USER \
--role $ADMIN_ROLE
keystone service-create \
--name=keystone \
@ -101,12 +118,28 @@ if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
--name=swift \
--type="object-store" \
--description="Swift Service"
SWIFT_USER=`get_id keystone user-create \
--name=swift \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=swift@example.com`
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $SWIFT_USER \
--role $ADMIN_ROLE
fi
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
keystone service-create \
--name=quantum \
--type=network \
--description="Quantum Service"
QUANTUM_USER=`get_id keystone user-create \
--name=quantum \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=quantum@example.com`
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $QUANTUM_USER \
--role $ADMIN_ROLE
fi
# create ec2 creds and parse the secret and access key returned

View File

@ -31,13 +31,18 @@ admin_token = %SERVICE_TOKEN%
[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_port = %KEYSTONE_SERVICE_PORT%
service_host = %KEYSTONE_SERVICE_HOST%
auth_port = %KEYSTONE_AUTH_PORT%
auth_host = %KEYSTONE_AUTH_HOST%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_token = %SERVICE_TOKEN%
# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USERNAME%
admin_password = %SERVICE_PASSWORD%
cache = swift.cache
[filter:swift3]

View File

@ -421,10 +421,16 @@ fi
# Service Token - Openstack components need to have an admin token
# to validate user tokens.
read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN."
# Services authenticate to Identity with servicename/SERVICE_PASSWORD
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
# Horizon currently truncates usernames and passwords at 20 characters
read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)."
# Set the tenant for service accounts in Keystone
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Set Keystone interface configuration
KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
@ -768,6 +774,7 @@ if is_service_enabled g-reg; then
function glance_config {
sudo sed -e "
s,%KEYSTONE_API_PORT%,$KEYSTONE_API_PORT,g;
s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g;
s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g;
s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g;
@ -775,6 +782,9 @@ if is_service_enabled g-reg; then
s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g;
s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g;
s,%SQL_CONN%,$BASE_SQL_CONN/glance,g;
s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g;
s,%SERVICE_USERNAME%,glance,g;
s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g;
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g;
s,%DEST%,$DEST,g;
s,%SYSLOG%,$SYSLOG,g;
@ -825,7 +835,14 @@ if is_service_enabled n-api; then
cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF
# Then we add our own service token to the configuration
sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $NOVA_CONF/api-paste.ini
sed -e "
/^admin_token/i admin_tenant_name = $SERVICE_TENANT_NAME
/admin_tenant_name/s/^.*$/admin_tenant_name = $SERVICE_TENANT_NAME/;
/admin_user/s/^.*$/admin_user = nova/;
/admin_password/s/^.*$/admin_password = $SERVICE_PASSWORD/;
s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g;
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g;
" -i $NOVA_CONF/api-paste.ini
# Finally, we change the pipelines in nova to use keystone
function replace_pipeline() {
@ -1011,16 +1028,21 @@ if is_service_enabled swift; then
# We do the install of the proxy-server and swift configuration
# replacing a few directives to match our configuration.
sed -e "s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g;
s,%USER%,$USER,g;
s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g;
s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g;
s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g;
s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g;
s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g;
s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g;
s/%AUTH_SERVER%/${swift_auth_server}/g;" \
$FILES/swift/proxy-server.conf | \
sed -e "
s,%SWIFT_CONFIG_LOCATION%,${SWIFT_CONFIG_LOCATION},g;
s,%USER%,$USER,g;
s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g;
s,%SERVICE_USERNAME%,swift,g;
s,%SERVICE_PASSWORD%,$SERVICE_PASSWORD,g;
s,%SERVICE_TOKEN%,${SERVICE_TOKEN},g;
s,%KEYSTONE_SERVICE_PORT%,${KEYSTONE_SERVICE_PORT},g;
s,%KEYSTONE_SERVICE_HOST%,${KEYSTONE_SERVICE_HOST},g;
s,%KEYSTONE_API_PORT%,${KEYSTONE_API_PORT},g;
s,%KEYSTONE_AUTH_HOST%,${KEYSTONE_AUTH_HOST},g;
s,%KEYSTONE_AUTH_PORT%,${KEYSTONE_AUTH_PORT},g;
s,%KEYSTONE_AUTH_PROTOCOL%,${KEYSTONE_AUTH_PROTOCOL},g;
s/%AUTH_SERVER%/${swift_auth_server}/g;
" $FILES/swift/proxy-server.conf | \
sudo tee ${SWIFT_CONFIG_LOCATION}/proxy-server.conf
sed -e "s/%SWIFT_HASH%/$SWIFT_HASH/" $FILES/swift/swift.conf > ${SWIFT_CONFIG_LOCATION}/swift.conf
@ -1389,7 +1411,7 @@ fi
if is_service_enabled key; then
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
echo "Waiting for keystone to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/; do sleep 1; done"; then
echo "keystone did not start"
exit 1
fi
@ -1401,7 +1423,8 @@ if is_service_enabled key; then
# keystone_data.sh creates services, admin and demo users, and roles.
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
bash $FILES/keystone_data.sh
fi
@ -1630,7 +1653,7 @@ fi
# If keystone is present, you can point nova cli to this server
if is_service_enabled key; then
echo "keystone is serving at $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/"
echo "keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/"
echo "examples on using novaclient command line is in exercise.sh"
echo "the default users are: admin and demo"
echo "the password: $ADMIN_PASSWORD"