Use keystone wsgi_scripts
Devstack was setting up a separate directory and copying
http/keystone.py into it for the admin and public endpoints.
Keystone now defines wsgi_scripts entrypoints so that
keystone-wsgi-admin and keystone-wsgi-public are created on
install so devstack can reference these files instead.
See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow|Deny/Require
directives.
Depends-On: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace
Change-Id: Ided688be62b64066d90776313c963ec5016363f2
diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 6dd1ad9..4d3d2d6 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -5,7 +5,7 @@
<VirtualHost *:%PUBLICPORT%>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
WSGIProcessGroup keystone-public
- WSGIScriptAlias / %PUBLICWSGI%
+ WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
@@ -16,12 +16,22 @@
%SSLENGINE%
%SSLCERTFILE%
%SSLKEYFILE%
+
+ <Directory %KEYSTONE_BIN%>
+ <IfVersion >= 2.4>
+ Require all granted
+ </IfVersion>
+ <IfVersion < 2.4>
+ Order allow,deny
+ Allow from all
+ </IfVersion>
+ </Directory>
</VirtualHost>
<VirtualHost *:%ADMINPORT%>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
WSGIProcessGroup keystone-admin
- WSGIScriptAlias / %ADMINWSGI%
+ WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
@@ -32,6 +42,16 @@
%SSLENGINE%
%SSLCERTFILE%
%SSLKEYFILE%
+
+ <Directory %KEYSTONE_BIN%>
+ <IfVersion >= 2.4>
+ Require all granted
+ </IfVersion>
+ <IfVersion < 2.4>
+ Order allow,deny
+ Allow from all
+ </IfVersion>
+ </Directory>
</VirtualHost>
Alias /identity %PUBLICWSGI%
diff --git a/lib/keystone b/lib/keystone
index e2448c9..921dc76 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -51,11 +51,6 @@
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
-if is_suse; then
- KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/srv/www/htdocs/keystone}
-else
- KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/var/www/keystone}
-fi
# Set up additional extensions, such as oauth1, federation
# Example of KEYSTONE_EXTENSIONS=oauth1,federation
@@ -132,14 +127,11 @@
# _cleanup_keystone_apache_wsgi() - Remove wsgi files, disable and remove apache vhost file
function _cleanup_keystone_apache_wsgi {
- sudo rm -f $KEYSTONE_WSGI_DIR/*
sudo rm -f $(apache_site_config_for keystone)
}
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
function _config_keystone_apache_wsgi {
- sudo mkdir -p $KEYSTONE_WSGI_DIR
-
local keystone_apache_conf=$(apache_site_config_for keystone)
local keystone_ssl=""
local keystone_certfile=""
@@ -161,22 +153,17 @@
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
fi
- # copy proxy vhost and wsgi file
- sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/main
- sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/admin
-
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
sudo sed -e "
s|%PUBLICPORT%|$keystone_service_port|g;
s|%ADMINPORT%|$keystone_auth_port|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
- s|%PUBLICWSGI%|$KEYSTONE_WSGI_DIR/main|g;
- s|%ADMINWSGI%|$KEYSTONE_WSGI_DIR/admin|g;
s|%SSLENGINE%|$keystone_ssl|g;
s|%SSLCERTFILE%|$keystone_certfile|g;
s|%SSLKEYFILE%|$keystone_keyfile|g;
s|%USER%|$STACK_USER|g;
s|%VIRTUALENV%|$venv_path|g
+ s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g
" -i $keystone_apache_conf
}