89 Commits

Author SHA1 Message Date
Julien Vey
00da58a0da Add an environment variable to enable extensions in keystone
Following https://review.openstack.org/#/c/44401/3

Change-Id: I8e0391cd68e29e6d57c0f35517bf4155110861c7
Closes-Bug: #1218733
Co-Authored-By: Yong Sheng Gong <gongysh@unitedstack.com>
2014-06-24 10:09:08 +02:00
Jenkins
399a2640bc Merge "Use Keystone's default token format if not set" 2014-06-23 13:43:30 +00:00
Jenkins
056b7c1193 Merge "PKIZ is the default token provider" 2014-06-19 23:00:13 +00:00
Brant Knudson
1e1fce856d Use Keystone's default token format if not set
Devstack was setting its own default for Keystone's token format, so
when Keystone's default token format changed then devstack needed to
be updated. With this change, devstack will only override Keystone's
token format if KEYSTONE_TOKEN_FORMAT is set explicitly. PKI setup
is assumed to be needed unless the KEYSTONE_TOKEN_FORMAT is set to
UUID.

Change-Id: Idfa78e93abd80273dadcf37007a024bb6a783a48
2014-06-19 16:59:09 -05:00
Jenkins
da2fe19e24 Merge "Use identity_uri instead of auth fragments" 2014-06-17 16:06:48 +00:00
Jenkins
f04abfe865 Merge "Support option for Keystone PKIZ token provider" 2014-06-17 06:14:29 +00:00
Jamie Lennox
3561d7f9ed Use identity_uri instead of auth fragments
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.

Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.

The identity_uri option was released in keystoneclient 0.8.0.

Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
2014-06-16 15:16:48 +10:00
Morgan Fainberg
970ee9083e Use apache2ctl after apache is installed.
Ensure that apache2ctl is only called if apache2 is being used when
setting up Keystone. This patch corrects a case where apache2ctl
is being called at the time lib/keystone is being sourced. This
error breaks attempts to deploy Keystone under apache unless
apache is already installed at the time stack.sh is run.

Change-Id: I02d426438fa1246effd68c6bb3c3358910ed4c05
2014-06-09 12:09:33 -07:00
Brant Knudson
0b0cbd1378 PKIZ is the default token provider
Keystone changed the default token provider to PKIZ from PKI.

Change-Id: I56b975383ded450308a8fe01908b6e5549e7cd74
2014-06-06 10:55:42 -05:00
Brant Knudson
754c4408b3 Support option for Keystone PKIZ token provider
Keystone added support for a compressed token provider, PKIZ. This
change adds support to devstack. Set the KEYSTONE_TOKEN_FORMAT
option to "PKIZ" to configure Keystone to use it.

Change-Id: I123eef661c85cc805e950f1179b48e885078d40f
2014-06-04 09:07:32 -05:00
Gabriel Assis Bezerra
a688bc6510 Fix the way Apache site configuration files are used, to improve OS portability
On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
files are 000-default.conf and default-ssl.conf.

On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
/etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
sites' files are default and default-ssl.

On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.

On RHEL and CentOS, things should hopefully work as in Fedora.

This change puts all distribution-related site configuration file name differences in lib/apache and
the other services get the file name for their sites using the new exported function
apache_site_config_for <sitename>.

It also makes Fedora disabled sites use the .conf.disabled suffix instead of removing the .conf from
the file name.

The table below summarizes what should happen on each distribution:
+----------------------+--------------------+--------------------------+--------------------------+
| Distribution         | File name          | Site enabling command    | Site disabling command   |
+----------------------+--------------------+--------------------------+--------------------------+
| Ubuntu 12.04         | site               | a2ensite site            | a2dissite site           |
| Ubuntu 14.04         | site.conf          | a2ensite site            | a2dissite site           |
| Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
+----------------------+--------------------+--------------------------+--------------------------+

Change-Id: Ia2ba3cb7caccb6e9b65380f9d51d9d21180b894e
Closes-bug: #1313765
2014-05-30 12:07:24 +00:00
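The distribution table in the commit above, written out as shell helpers. This is an added example, not DevStack's own lib/apache code: the distro keys (ubuntu12, ubuntu14, fedora, rhel, centos), the function names and the site-name check are assumptions for illustration. The check matters because the site name ends up in a path under the Apache config directory, so a name containing "/" or ".." must never reach a2ensite or mv.

```shell
# Added example (not DevStack's lib/apache): per-distribution site config
# file names and enable/disable commands, following the table above.
# Distro keys and function names are assumptions for this illustration.

_apache_site_name_ok() {
    # Refuse names that could escape the sites directory or confuse a2ensite.
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

apache_site_config_for() {
    # Usage: apache_site_config_for <distro> <sitename>
    # Prints the file a service should write its vhost configuration to.
    local distro=$1 site=$2
    _apache_site_name_ok "$site" || { echo "bad site name: '$site'" >&2; return 1; }
    case "$distro" in
        ubuntu12)           echo "/etc/apache2/sites-available/${site}" ;;
        ubuntu14)           echo "/etc/apache2/sites-available/${site}.conf" ;;
        fedora|rhel|centos) echo "/etc/httpd/conf.d/${site}.conf.disabled" ;;
        *) echo "unsupported distribution: $distro" >&2; return 1 ;;
    esac
}

apache_site_enable_cmd() {
    # Prints the command that turns the site on for the given distribution.
    local distro=$1 site=$2
    _apache_site_name_ok "$site" || return 1
    case "$distro" in
        ubuntu12|ubuntu14)  echo "a2ensite ${site}" ;;
        fedora|rhel|centos) echo "mv /etc/httpd/conf.d/${site}.conf.disabled /etc/httpd/conf.d/${site}.conf" ;;
        *) return 1 ;;
    esac
}

apache_site_disable_cmd() {
    # Prints the command that turns the site off for the given distribution.
    local distro=$1 site=$2
    _apache_site_name_ok "$site" || return 1
    case "$distro" in
        ubuntu12|ubuntu14)  echo "a2dissite ${site}" ;;
        fedora|rhel|centos) echo "mv /etc/httpd/conf.d/${site}.conf /etc/httpd/conf.d/${site}.conf.disabled" ;;
        *) return 1 ;;
    esac
}
```

On Ubuntu 14.04 the ".conf" suffix is part of the file name but not of the a2ensite argument, which is why the two helpers return different strings for the same site.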
Jenkins
1bb05a9631 Merge "Fix logging for keystone under mod_wsgi" 2014-05-06 11:36:02 +00:00
Morgan Fainberg
c11d6e0b09 Cleanup WSGI config for keystone on stop
Ensure that the VHOST and the scripts used to enable keystone under
mod_wsgi are properly cleaned up.

Change-Id: I76a748b0fd5f1a5182d10e425202857c5621e25a
2014-05-01 22:57:06 -07:00
Morgan Fainberg
2c2b1cccc9 Fix logging for keystone under mod_wsgi
When Keystone is configured under mod_wsgi, Keystone configuration 
requires debugging to be enabled as the debug flag cannot be passed
via cli arguments.

Because Apache 2.2 (default for a number of distributions) does not 
support passing an explicit format to the ErrorLog, Keystone under 
mod_wsgi ends up with duplicated timestamps in the Keystone log. 
This patchset eliminates the %(asctime) and %(msecs) substitution 
targets from the log format options when Keystone is configured 
under mod_wsgi.

Change-Id: I0bf32db6e53cb653921162cb1957eb988b819815
2014-05-02 05:12:21 +00:00
Dean Troyer
42a59c2bfa Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed

Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.

Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
2014-03-10 15:17:30 -05:00
Jenkins
dad6e4114d Merge "Enforce function declaration format in bash8" 2014-02-28 06:32:20 +00:00
Jenkins
3ac259c685 Merge "Make admin_bind_host configurable" 2014-02-27 23:41:11 +00:00
Ian Wienand
aee18c749b Enforce function declaration format in bash8
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check.  Add a note to HACKING.rst

Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
2014-02-28 07:59:03 +11:00
Jamie Lennox
06ba5193be Insecure check if keystone is up
If we start keystone with an SSL endpoint then the curl check to see if
it is running will fail because it cannot create a secure connection.
This check can be done insecurely as all we care about is that the
service has started.

Change-Id: I826753d4d46e9956f443110029346bc70282951a
2014-02-26 13:46:56 +10:00
David Kranz
041fa71247 Make admin_bind_host configurable
The use case is running devstack inside an OpenStack vm and running tempest
from some other machine. To make the catalog export urls that can be accessed
from off the devstack machine, you need to set KEYSTONE_SERVICE_HOST to an
external IP. But devstack uses that address in its setup of keystone in
addition to exporting in the catalog. Because OpenStack has an issue where
a vm cannot access itself through its own floating ip, devstack fails. There
is no way to have this use case by providing an ip address. The workaround
is to use the hostname of the devstack machine. That worked until recently
when a change was made to set admin_bind_host to the value of
KEYSTONE_SERVICE_HOST. The result is that port 35357 is only opened locally.
This change allows the devstack user to restore the original behavior
allowing this use case.

Change-Id: I97b938b305b7dd878397e7e64462650064e59cd2
Closes-Bug: #1283803
2014-02-24 13:43:23 -05:00
Jenkins
d85e1ea669 Merge "Use database connection for keystone" 2014-02-17 01:52:49 +00:00
Steve Martinelli
19685428e3 Change most keystoneclient commands to openstacklient in libs
Migrated most keystoneclient commands from the following libs:
 ceilometer
 cinder
 ironic
 keystone
 marconi
 neutron
 nova
 savanna
 swift
 trove

Also need to set and unset openstackclient specific environment
variables from stack.sh

Change-Id: I725f30bc08e1df5a4c5770576c19ad1ddaeb843a
2014-02-14 21:30:57 -06:00
Brant Knudson
16d3ad057d Use database connection for keystone
The keystone configuration used the 'connection' option in the
'sql' section of the keystone.conf file. This option is deprecated
in favor of 'connection' in the 'database' section.

The keystone setup code is changed to use the option in the new
section rather than the deprecated one.

Change-Id: I62fd2f50ded3b8848e9e5225e88c80ed8fed3bff
2014-02-13 18:59:50 -06:00
Clark Boylan
6c57fbab26 Set keystone admin_bind_host to KEYSTONE_SERVICE_HOST
On Linux ports 32768-61000 can be used by just about
anything needing a socket. Keystone's IANA assigned port is 35357.
Occasionally something else will be using port 35357 first because Linux
allows this. Workaround is to bind to 127.0.0.1 instead of 0.0.0.0.
$KEYSTONE_SERVICE_HOST gets its value from $SERVICE_HOST which is set to
127.0.0.1 in the gate.

"Ephemeral (client) ports will *never* be sourced from 0.0.0.0, and are
uniquely identified by the full connection five-tuple (proto, src IP,
src port, dst IP, dst port) anyway, allowing them to overlap src IP/src
port as long as proto/dst IP/dst port are different. Thus it is up to
keystone/devstack to bind more appropriately and not use wildcard bind
addresses unless explicitly necessary for some reason. For example, in
the log output, the URLs are configured with dst IPs of 127.0.0.1
anyway, so binding explicitly to localhost would change nothing, while
skirting this particular edge case nicely." ~Evan Callicoat

This doesn't fix bug 1253482 it works around it while a better solution
is prepared (running keystone behind apache in devstack).

Co-Authored-By: Joe Gordon <joe.gordon0@gmail.com>
Change-Id: I112309661dadf8b753c3311182f82464d9d3595e
Related-bug: #1253482
2014-01-29 17:48:28 -08:00
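The collision described above, as an added example that is not DevStack code: a check for whether a fixed service port falls inside the kernel's ephemeral range, the bind-host choice the two admin_bind_host commits on this page converge on (an explicit KEYSTONE_ADMIN_BIND_HOST wins, otherwise the service host, never a wildcard), and the sysctl that removes a port from the ephemeral pool. Function names are assumptions; the 32768-61000 default is the range quoted in the commit and is only used when /proc is not readable.

```shell
# Added example (not DevStack code): is a fixed port inside the ephemeral
# range, and which address should keystone's admin port bind to?

port_in_ephemeral_range() {
    # Usage: port_in_ephemeral_range <port> [<low> <high>]
    # Explicit bounds override the kernel's ip_local_port_range.
    local port=$1 low=$2 high=$3
    if [ -z "$low" ] && [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read -r low high < /proc/sys/net/ipv4/ip_local_port_range
    fi
    low=${low:-32768}; high=${high:-61000}   # range quoted in the commit above
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

keystone_admin_bind_host() {
    # Usage: keystone_admin_bind_host <KEYSTONE_SERVICE_HOST> [<KEYSTONE_ADMIN_BIND_HOST>]
    # An explicit admin bind host wins; otherwise bind to the service host.
    # A wildcard service host is narrowed to loopback so a stray ephemeral
    # socket on the same port cannot shadow keystone.
    local service_host=$1 explicit=$2
    if [ -n "$explicit" ]; then
        echo "$explicit"
        return 0
    fi
    case "$service_host" in
        ""|0.0.0.0|::) echo "127.0.0.1" ;;
        *) echo "$service_host" ;;
    esac
}

reserve_port_sysctl() {
    # Usage: reserve_port_sysctl <port>
    # Prints the sysctl setting that keeps the kernel from handing this port
    # out as an ephemeral source port (apply with sysctl -w on the host).
    echo "net.ipv4.ip_local_reserved_ports=$1"
}
```

Reserving the port is the durable fix for the gate race; binding to a non-wildcard address only avoids the specific collision described in the quote.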
Jenkins
00eb27bb5a Merge "Keystone use common logging setup" 2014-01-25 18:40:53 +00:00
Brant Knudson
4968d1ad5d Keystone use common logging setup
The Keystone setup was using logging.conf to configure logging,
unlike other projects. This may have been left over from before
Keystone switched to oslo logging.

Switching to common logging configuration allows:
- Common format for logs for easier parsing
- Pretty colorized logs
- Keystone can control the default logging levels for libraries
  that are used by setting the defaults in keystone.
- Potentially using a function to setup logging for all components
  using oslo-logging (e.g., share with lib/nova).

Change-Id: I4e9b1e6cffce30f16a1e039224312852b8abda07
Closes-Bug: #1271775
Closes-Bug: #1269987
2014-01-22 19:06:44 -06:00
Brant Knudson
0049c0c434 Make unstack.sh more like stack.sh
unstack.sh and stack.sh both have to "configure projects", but the
code was different. This change makes it so the 2 sections of the
files are the same.

Change-Id: Ia06f8bbfbe2a6e87fb406e34e13a39bd7fa9e5af
2014-01-16 18:16:48 -06:00
Gordon Chung
5eec5b6b80 command not found errors on unstack
- add lib/ceilometer and lib/heat to source list for when stop_heat
and stop_ceilometer functions are called.
- add lib/tls source to lib/keystone for when is_ssl_enabled_service
function called.

Change-Id: Ief05766e9cfda71fb6392c8a757d04751283414e
Closes-Bug: #1269047
2014-01-14 11:23:39 -05:00
Jenkins
3e98388d07 Merge "Robustify service shutdown" 2014-01-13 14:09:44 +00:00
Dean Troyer
9fc8792b0a Robustify service shutdown
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
  can do its thing

Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
2014-01-11 11:46:19 -06:00
Vincent Hou
21fe4e76d5 Add a flexible API version choice for Cinder, Glance and Heat
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".

Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
2014-01-06 01:22:57 -05:00
Brant Knudson
055cdee2bf Remove duplicate debug option from keystone-all
The keystone server was started with the options like

 keystone-all ... -d --debug ...

The -d and --debug options are the same so one of them is
redundant.

This will make it less confusing if someone removes --debug and
thinks that debug is off, but debug is still on because they
didn't notice there was an extra -d.

Change-Id: I1ac977e6b12f1cc44f02b636c1bfb5c115b5b3e4
2013-12-13 14:01:46 -06:00
Jenkins
271f38b313 Merge "freshen the LDAP support" 2013-12-06 13:24:17 +00:00
Jenkins
bddaf0afb6 Merge "Allow deploying keystone with SSL certificates" 2013-12-04 05:36:40 +00:00
Dean Troyer
b9e25135c5 freshen the LDAP support
* Build the base DN from a given domain name
* Remove all hard-coded names to allow configuration of base DN
* Fix manager DN (cn=Manager,dc=...)
* Add ldap init_ldap()
* Add support for clean.sh

Change-Id: Ieb69be9740653645b8e000574ad3fe59a0f97540
2013-11-26 11:28:54 -06:00
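The "build the base DN from a given domain name" step above, as an added example that is not DevStack's lib/ldap code. It turns a DNS-style domain into dc= components and derives the manager DN the commit mentions (cn=Manager,dc=...). Function names are assumptions. The input is validated before splitting so that a value containing commas, "=" or glob characters can neither corrupt the DN nor be expanded against the filesystem.

```shell
# Added example (not DevStack's lib/ldap): derive LDAP DNs from a domain name.

ldap_base_dn_from_domain() {
    # Usage: ldap_base_dn_from_domain openstack.org   -> dc=openstack,dc=org
    # Only DNS label characters are accepted, so no DN escaping is needed and
    # the unquoted expansion below cannot trigger pathname expansion.
    local domain=$1 dn="" label
    case "$domain" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    local IFS=.
    for label in $domain; do
        dn="${dn:+$dn,}dc=${label}"
    done
    echo "$dn"
}

ldap_manager_dn() {
    # Usage: ldap_manager_dn openstack.org   -> cn=Manager,dc=openstack,dc=org
    local base
    base=$(ldap_base_dn_from_domain "$1") || return 1
    echo "cn=Manager,${base}"
}

ldap_users_dn() {
    # Usage: ldap_users_dn openstack.org   -> ou=Users,dc=openstack,dc=org
    local base
    base=$(ldap_base_dn_from_domain "$1") || return 1
    echo "ou=Users,${base}"
}
```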
Jenkins
298f7d4843 Merge "support memcache for keystone token backend" 2013-11-26 14:46:17 +00:00
Jamie Lennox
bd24a8d0f8 Allow deploying keystone with SSL certificates
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.

Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
2013-11-25 22:27:51 +00:00
Brant Knudson
f653419b15 Keystone don't use deprecated token_format option
devstack was setting the token_format option in the keystone
configuration file. This option is deprecated so should not be
used.

Change-Id: I047de155f0d9d2a1c009533c2f97f505cc80c6de
2013-11-17 13:03:52 -06:00
Peter Feiner
61ae7c166c support memcache for keystone token backend
Change-Id: I0c85a64932c39264b73cff4f9d952d0dbdf49e5b
2013-11-15 14:39:30 -05:00
Dean Troyer
d561b70930 Set keystone.conf to mode 0600
Set keystone.conf readable only by owner
Fixes CVE-2013-1977

Fixed bug: 1168252

Change-Id: Idd13b7a58e257565052c54f72c65d8dceb23f27a
2013-11-01 13:49:39 -04:00
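A helper pair for the mode fix above, as an added example rather than DevStack code: write a configuration file so that it is never world-readable, even for the instant between creation and chmod, and audit a directory for config files that still carry group or other permission bits. Function names are assumptions; stat -c and find -perm /mode are GNU options, so this is Linux-only.

```shell
# Added example (not DevStack code): create secret-bearing config files
# as 0600 from the start, and find the ones that are not.

write_private_conf() {
    # Usage: write_private_conf <path>  (content on stdin)
    # The subshell umask makes a fresh file 0600 before any content lands in
    # it; the chmod afterwards also tightens a pre-existing file.
    local path=$1
    ( umask 077 && : > "$path" ) || return 1
    cat > "$path" || return 1
    chmod 0600 "$path"
}

check_private_conf() {
    # Returns 0 when the file is mode 0600 and owned by the current user.
    local path=$1 mode owner
    [ -f "$path" ] || return 1
    mode=$(stat -c %a "$path") || return 1
    owner=$(stat -c %u "$path") || return 1
    [ "$mode" = "600" ] && [ "$owner" = "$(id -u)" ]
}

find_exposed_confs() {
    # Usage: find_exposed_confs <dir>
    # Lists *.conf files under dir with any group/other bit set.
    find "$1" -type f -name '*.conf' -perm /077
}
```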
Adam Spiers
6a5aa7c6a2 Fix some Markdown formatting issues
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.

Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
2013-10-24 17:38:19 +01:00
Sean Dague
101b424842 fix whitespace in the rest of lib/*
this brings this in line with bash8 checker

Change-Id: Ib34a2292dd5bc259069457461041ec9cd4fd2957
2013-10-22 13:02:23 -04:00
JUN JIE NAN
0aa8534ada Using no proxy option to skip wget and curl proxy settings in config
When end users specify proxy settings in config file for wget /etc/wgetrc:
http_proxy = http://...
or for curl ${HOME}/.curlrc:
proxy = http://...

Using `http_proxy="" wget` cannot skip the proxy setting in the
config files, also it can skip proxy settings in env variables.

In order to skip proxy setting in both env and config file, we pass
--no-proxy option for wget, and --noproxy '*' for curl.

Fixes bug #1224836

Change-Id: I2b25aeca9edf2ce4525fb1db325e5e24c18b4d55
2013-09-30 16:03:00 +08:00
Jenkins
b48e008169 Merge "Update user_attribute_ignore for LDAP Identity config" 2013-09-29 16:59:38 +00:00
Morgan Fainberg
2dc11fb5c8 Update user_attribute_ignore for LDAP Identity config
With a recent patch to keystone, the use of tenantId, tenant_id, and
default_project_id was normalized to reference default_project_id for
all cases internally and translate to the expected results at the
controller (v2.0 returns tenantId, v3 returns default_project_id).

Devstack must now properly ignore the expected mapped LDAP attribute
of 'default_project_id' instead of the old 'tenantId'.  Without this
fix devstack will fail when using the LDAP identity backend because
the 'default_project_id' has been made a special case that requires
the operator of an OpenStack cloud to explicitly choose an attribute
to map 'default_project_id' to if storing that value is desired.
Without explicitly mapping that attribute and not having it in the
'user_attribute_ignore' config option, user creation can fail.

related-bug: 1219739
Change-Id: I1dd3719de50f6d0948b3a9743e32a03d0ac56b3c
2013-09-24 23:49:21 -07:00
Jamie Lennox
a00e5f8810 Allow keystone to run from apache
Provide a template for running keystone as a mod_wsgi process and enable
it from configuration.

Based on: https://review.openstack.org/#/c/36474/
Also-by: zhang-hare <zhuadl@cn.ibm.com>
Implements: blueprint devstack-setup-apache-keystone

Change-Id: Icc9d7ddfa4a488c08816ff4ae0b53c0134a1016b
2013-09-24 01:14:28 +00:00
Alex Rudenko
cd77058ee0 blueprint devstack-support-for-keystone-mixbackend
Added KEYSTONE_ASSIGNMENT_BACKEND to support mixed backend

Modified code for KEYSTONE_IDENTITY_BACKEND according to comments.
Implemented the check for variables instead of case statements.
UPD: Removed arrays.
UPD2: fixed spacing issues
Change-Id: Ie92eed1fb5be5f875ef6633ede9c9e08daf6bf4f
Implements: devstack-support-for-keystone-mixbackend
2013-09-11 19:39:57 +02:00
Jorge Valderrama Romero
f39ee96f1d Fix deprecated params user_id, role_id, tenant_id
Update keystone cli by changing parameter options (user_id, role_id and tenant_id)
to use '-' rather than '_' in the method user_role_add and consequently the method
user_role_remove without maintaining backward compatibility because these are deprecated.

python-keystoneclient - Bug #1150434
Change-Id: Ia5113718eb050cf7dba443b8d0caf3bdaa1730f0
2013-09-02 17:54:27 +02:00
Attila Fazekas
fac533e38d Configure bash completion
Add bash completion rules to the /etc/bash_completion.d from the
cinder, neutron, keystone, nova and nova-manage.

This is a very fast operation and makes the cli usage easier.

Change-Id: Icdcdaf55d58efaaa1afe25fd55f088bf7dc8b3f1
2013-08-22 05:54:29 +02:00
Sudarshan Acharya
3763141cf7 UUID Token provider in keystone.conf
Token provider needs to be set to uuid.Provider when the token format is
UUID. PKI is the default.

Change-Id: I967289524a50f650cdf2476d5067d263dbf55b03
Fixes: bug #1201639
2013-07-16 01:05:16 +00:00
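The token provider logic that the "UUID Token provider in keystone.conf", "Support option for Keystone PKIZ token provider" and "Use Keystone's default token format if not set" commits on this page arrive at, as one added example that is not DevStack's lib/keystone code: an unset KEYSTONE_TOKEN_FORMAT leaves keystone.conf alone and still runs PKI setup, UUID skips PKI setup, and PKI or PKIZ select their provider and run it. The full provider class paths are assumptions based on Keystone's keystone.token.providers package naming; the uuid.Provider name comes from the commit itself.

```shell
# Added example (not DevStack's lib/keystone): decide the [token] provider
# and whether keystone-manage pki_setup is needed from KEYSTONE_TOKEN_FORMAT.

keystone_token_settings() {
    # Usage: keystone_token_settings [KEYSTONE_TOKEN_FORMAT]
    # Prints "<provider or -> <pki_setup yes|no>". "-" means do not set
    # [token] provider at all and accept Keystone's own default.
    local fmt=$1 provider="" run_pki_setup=yes
    case "$(printf '%s' "$fmt" | tr '[:lower:]' '[:upper:]')" in
        "")   provider="" ;;
        UUID) provider="keystone.token.providers.uuid.Provider"; run_pki_setup=no ;;
        PKI)  provider="keystone.token.providers.pki.Provider" ;;
        PKIZ) provider="keystone.token.providers.pkiz.Provider" ;;
        *)    echo "unknown KEYSTONE_TOKEN_FORMAT: $fmt" >&2; return 1 ;;
    esac
    echo "${provider:--} ${run_pki_setup}"
}

keystone_token_ini_line() {
    # Usage: keystone_token_ini_line [KEYSTONE_TOKEN_FORMAT]
    # Prints the keystone.conf line to write, or nothing when the default
    # should be left in place. Note that token_format itself is deprecated
    # (see "Keystone don't use deprecated token_format option" above).
    local settings provider
    settings=$(keystone_token_settings "$1") || return 1
    provider=${settings%% *}
    [ "$provider" = "-" ] && return 0
    echo "provider = ${provider}"
}

keystone_needs_pki_setup() {
    # Usage: keystone_needs_pki_setup [KEYSTONE_TOKEN_FORMAT]; exit 0 when yes
    local settings
    settings=$(keystone_token_settings "$1") || return 1
    [ "${settings##* }" = "yes" ]
}
```

Running pki_setup when the format is unset is the conservative choice the commit describes: a later Keystone default of PKI or PKIZ then finds its signing certificates already in place, and a UUID default simply ignores them.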