Support sql service catalog backend
* Add KEYSTONE_CATALOG_BACKEND to select 'sql' or 'template'
'template' is the default
* Add service creation to keystone_data.sh
Rebased and re-submitted
Fixes bug 966457
Change-Id: Id24fbdeba3de11537559e24b72571ec92ab44750
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 2cdc2fa..1f05f10 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -19,8 +19,13 @@
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
+# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
+# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
+
+# Defaults
+# --------
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
@@ -29,10 +34,13 @@
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
function get_id () {
- echo `$@ | awk '/ id / { print $4 }'`
+ echo `"$@" | awk '/ id / { print $4 }'`
}
+
# Tenants
+# -------
+
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
@@ -40,6 +48,8 @@
# Users
+# -----
+
ADMIN_USER=$(get_id keystone user-create --name=admin \
--pass="$ADMIN_PASSWORD" \
--email=admin@example.com)
@@ -49,6 +59,8 @@
# Roles
+# -----
+
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
@@ -73,58 +85,191 @@
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
-# Configure service users/roles
-NOVA_USER=$(get_id keystone user-create --name=nova \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=nova@example.com)
-keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user_id $NOVA_USER \
- --role_id $ADMIN_ROLE
+# Services
+# --------
-GLANCE_USER=$(get_id keystone user-create --name=glance \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=glance@example.com)
-keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user_id $GLANCE_USER \
- --role_id $ADMIN_ROLE
+# Keystone
+if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ KEYSTONE_SERVICE=$(get_id keystone service-create \
+ --name=keystone \
+ --type=identity \
+ --description="Keystone Identity Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $KEYSTONE_SERVICE \
+ --publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
+ --adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
+ --internalurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0"
+fi
-if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
- SWIFT_USER=$(get_id keystone user-create --name=swift \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=swift@example.com)
- keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user_id $SWIFT_USER \
- --role_id $ADMIN_ROLE
+# Nova
+if [[ "$ENABLED_SERVICES" =~ "n-cpu" ]]; then
+ NOVA_USER=$(get_id keystone user-create \
+ --name=nova \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=nova@example.com)
+ keystone user-role-add \
+ --tenant_id $SERVICE_TENANT \
+ --user_id $NOVA_USER \
+ --role_id $ADMIN_ROLE
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ NOVA_SERVICE=$(get_id keystone service-create \
+ --name=nova \
+ --type=compute \
+ --description="Nova Compute Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $NOVA_SERVICE \
+ --publicurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
+ --adminurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
+ --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s"
+ fi
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api. The admin role in swift allows a user
# to act as an admin for their tenant, but ResellerAdmin is needed
# for a user to act as any tenant. The name of this role is also
# configurable in swift-proxy.conf
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
- keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user_id $NOVA_USER \
- --role_id $RESELLER_ROLE
+ keystone user-role-add \
+ --tenant_id $SERVICE_TENANT \
+ --user_id $NOVA_USER \
+ --role_id $RESELLER_ROLE
fi
-if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
- QUANTUM_USER=$(get_id keystone user-create --name=quantum \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=quantum@example.com)
- keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user_id $QUANTUM_USER \
- --role_id $ADMIN_ROLE
+# Volume
+if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ VOLUME_SERVICE=$(get_id keystone service-create \
+ --name=volume \
+ --type=volume \
+ --description="Volume Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $VOLUME_SERVICE \
+ --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
+ --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
+ --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
+ fi
+fi
+
+# Glance
+if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
+ GLANCE_USER=$(get_id keystone user-create \
+ --name=glance \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=glance@example.com)
+ keystone user-role-add \
+ --tenant_id $SERVICE_TENANT \
+ --user_id $GLANCE_USER \
+ --role_id $ADMIN_ROLE
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ GLANCE_SERVICE=$(get_id keystone service-create \
+ --name=glance \
+ --type=image \
+ --description="Glance Image Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $GLANCE_SERVICE \
+ --publicurl "http://$SERVICE_HOST:9292/v1" \
+ --adminurl "http://$SERVICE_HOST:9292/v1" \
+ --internalurl "http://$SERVICE_HOST:9292/v1"
+ fi
+fi
+
+# Swift
+if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
+ SWIFT_USER=$(get_id keystone user-create \
+ --name=swift \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=swift@example.com)
+ keystone user-role-add \
+ --tenant_id $SERVICE_TENANT \
+ --user_id $SWIFT_USER \
+ --role_id $ADMIN_ROLE
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ SWIFT_SERVICE=$(get_id keystone service-create \
+ --name=swift \
+ --type="object-store" \
+ --description="Swift Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $SWIFT_SERVICE \
+ --publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
+ --adminurl "http://$SERVICE_HOST:8080/v1" \
+ --internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
+ fi
+fi
+
+if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
+ QUANTUM_USER=$(get_id keystone user-create \
+ --name=quantum \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=quantum@example.com)
+ keystone user-role-add \
+ --tenant_id $SERVICE_TENANT \
+ --user_id $QUANTUM_USER \
+ --role_id $ADMIN_ROLE
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ QUANTUM_SERVICE=$(get_id keystone service-create \
+ --name=quantum \
+ --type=network \
+ --description="Quantum Service")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $QUANTUM_SERVICE \
+ --publicurl "http://$SERVICE_HOST:9696/" \
+ --adminurl "http://$SERVICE_HOST:9696/" \
+ --internalurl "http://$SERVICE_HOST:9696/"
+ fi
+fi
+
+# EC2
+if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ EC2_SERVICE=$(get_id keystone service-create \
+ --name=ec2 \
+ --type=ec2 \
+ --description="EC2 Compatibility Layer")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $EC2_SERVICE \
+ --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+ --internalurl "http://$SERVICE_HOST:8773/services/Cloud"
+ fi
+fi
+
+# S3
+if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift" ]]; then
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ S3_SERVICE=$(get_id keystone service-create \
+ --name=s3 \
+ --type=s3 \
+ --description="S3")
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $S3_SERVICE \
+ --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
+ fi
fi
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
- ALT_DEMO_TENANT=$(get_id keystone tenant-create --name=alt_demo)
- ALT_DEMO_USER=$(get_id keystone user-create --name=alt_demo \
- --pass="$ADMIN_PASSWORD" \
- --email=alt_demo@example.com)
- keystone user-role-add --user $ALT_DEMO_USER --role $MEMBER_ROLE --tenant_id $ALT_DEMO_TENANT
+ ALT_DEMO_TENANT=$(get_id keystone tenant-create \
+ --name=alt_demo)
+ ALT_DEMO_USER=$(get_id keystone user-create \
+ --name=alt_demo \
+ --pass="$ADMIN_PASSWORD" \
+ --email=alt_demo@example.com)
+ keystone user-role-add \
+ --tenant_id $ALT_DEMO_TENANT \
+ --user_id $ALT_DEMO_USER \
+ --role_id $MEMBER_ROLE
fi
diff --git a/stack.sh b/stack.sh
index cc5f594..f3c0537 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1866,7 +1866,7 @@
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
- KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
+ KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-template}
if [[ ! -d $KEYSTONE_CONF_DIR ]]; then
sudo mkdir -p $KEYSTONE_CONF_DIR
@@ -1877,41 +1877,49 @@
cp -p $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF
cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR
fi
- cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
# Rewrite stock keystone.conf:
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
iniset $KEYSTONE_CONF sql connection "$BASE_SQL_CONN/keystone?charset=utf8"
iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2"
- # Configure keystone.conf to use templates
- iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
- iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
sed -e "
/^pipeline.*ec2_extension crud_/s|ec2_extension crud_extension|ec2_extension s3_extension crud_extension|;
" -i $KEYSTONE_CONF
# Append the S3 bits
iniset $KEYSTONE_CONF filter:s3_extension paste.filter_factory "keystone.contrib.s3:S3Extension.factory"
- # Add swift endpoints to service catalog if swift is enabled
- if is_service_enabled swift; then
- echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
- fi
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
+ # Configure keystone.conf to use sql
+ iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog
+ inicomment $KEYSTONE_CONF catalog template_file
+ else
+ KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
+ cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG
+ # Add swift endpoints to service catalog if swift is enabled
+ if is_service_enabled swift; then
+ echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG
+ fi
- # Add quantum endpoints to service catalog if quantum is enabled
- if is_service_enabled quantum; then
- echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
- echo "catalog.RegionOne.network.name = Quantum Service" >> $KEYSTONE_CATALOG
- fi
+ # Add quantum endpoints to service catalog if quantum is enabled
+ if is_service_enabled quantum; then
+ echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:9696/" >> $KEYSTONE_CATALOG
+ echo "catalog.RegionOne.network.name = Quantum Service" >> $KEYSTONE_CATALOG
+ fi
- sudo sed -e "
- s,%SERVICE_HOST%,$SERVICE_HOST,g;
- s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
- " -i $KEYSTONE_CATALOG
+ sudo sed -e "
+ s,%SERVICE_HOST%,$SERVICE_HOST,g;
+ s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g;
+ " -i $KEYSTONE_CATALOG
+
+ # Configure keystone.conf to use templates
+ iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog"
+ iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG"
+ fi
# Set up logging
LOGGING_ROOT="devel"
@@ -1923,25 +1931,31 @@
iniset $KEYSTONE_CONF_DIR/logging.conf logger_root level "DEBUG"
iniset $KEYSTONE_CONF_DIR/logging.conf logger_root handlers "devel,production"
- # initialize keystone database
+ # Set up the keystone database
$KEYSTONE_DIR/bin/keystone-manage db_sync
# launch keystone and wait for it to answer before continuing
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
echo "Waiting for keystone to start..."
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ 2>&1 | grep -q '200 OK'; do sleep 1; done"; then
+ if ! timeout $SERVICE_TIMEOUT sh -c "while http_proxy= wget -O- $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ 2>&1 | grep -q 'refused'; do sleep 1; done"; then
echo "keystone did not start"
exit 1
fi
# keystone_data.sh creates services, admin and demo users, and roles.
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
- ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
+
+ ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
+ SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
+ S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
+ DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
bash $FILES/keystone_data.sh
# create an access key and secret key for nova ec2 register image
if is_service_enabled swift && is_service_enabled nova; then
- CREDS=$(keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os_password=$SERVICE_PASSWORD --os_tenant_name=$SERVICE_TENANT_NAME ec2-credentials-create)
+ NOVA_USER_ID=$(keystone user-list | grep ' nova ' | get_field 1)
+ NOVA_TENANT_ID=$(keystone tenant-list | grep " $SERVICE_TENANT_NAME " | get_field 1)
+ CREDS=$(keystone ec2-credentials-create --user $NOVA_USER_ID --tenant_id $NOVA_TENANT_ID)
ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
add_nova_opt "s3_access_key=$ACCESS_KEY"