Configure auth_token middleware by auth plugin
As of release 1.3 auth_token middleware can be configured to use any
authentication plugin. This allows us to move to the more generic
password mechanism which will default to using keystone v3 if available.
This will allow future revisions to move the devstack service users
out of the default domain.
Work will need to be done in heat to remove its dependency on the
(supposed to be private) keystone_authtoken CONF values.
Change-Id: Ieac26806bd420aa08fc79bbc6a11eb6a1c15c7df
diff --git a/lib/heat b/lib/heat
index 4e72cae..019f668 100644
--- a/lib/heat
+++ b/lib/heat
@@ -114,7 +114,18 @@
setup_colorized_logging $HEAT_CONF DEFAULT tenant user
fi
- configure_auth_token_middleware $HEAT_CONF heat $HEAT_AUTH_CACHE_DIR
+ # NOTE(jamielennox): heat re-uses specific values from the
+ # keystone_authtoken middleware group and so currently fails when using the
+ # auth plugin setup. This should be fixed in heat. Heat is also the only
+ # service that requires the auth_uri to include a /v2.0. Remove this custom
+ # setup when bug #1300246 is resolved.
+ iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
+ iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
+ iniset $HEAT_CONF keystone_authtoken admin_user heat
+ iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+ iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
+ iniset $HEAT_CONF keystone_authtoken cafile $SSL_BUNDLE_FILE
+ iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
if is_ssl_enabled_service "key"; then
iniset $HEAT_CONF clients_keystone ca_file $SSL_BUNDLE_FILE
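Review bot: `$SERVICE_PASSWORD` is expanded unquoted in the new `admin_password` line, so a password containing whitespace or glob characters is word-split before iniset sees it. The value written to `$HEAT_CONF` would then presumably be truncated or altered, which shows up later as an authentication failure that is hard to trace. Quote it: `iniset $HEAT_CONF keystone_authtoken admin_password "$SERVICE_PASSWORD"`. The same applies to the `password $SERVICE_PASSWORD` line added to configure_auth_token_middleware in lib/keystone. The enclosing function and the `if is_ssl_enabled_service` block continue outside this hunk.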
diff --git a/lib/keystone b/lib/keystone
index 1599fa5..9c15688 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -407,15 +407,6 @@
fi
}
-# Configure the API version for the OpenStack projects.
-# configure_API_version conf_file version [section]
-function configure_API_version {
- local conf_file=$1
- local api_version=$2
- local section=${3:-keystone_authtoken}
- iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version
-}
-
# Configure the service to use the auth token middleware.
#
# configure_auth_token_middleware conf_file admin_user signing_dir [section]
@@ -429,15 +420,16 @@
local signing_dir=$3
local section=${4:-keystone_authtoken}
- iniset $conf_file $section auth_host $KEYSTONE_AUTH_HOST
- iniset $conf_file $section auth_port $KEYSTONE_AUTH_PORT
- iniset $conf_file $section auth_protocol $KEYSTONE_AUTH_PROTOCOL
- iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
+ iniset $conf_file $section auth_plugin password
+ iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
+ iniset $conf_file $section username $admin_user
+ iniset $conf_file $section password $SERVICE_PASSWORD
+ iniset $conf_file $section user_domain_id default
+ iniset $conf_file $section project_name $SERVICE_TENANT_NAME
+ iniset $conf_file $section project_domain_id default
+
+ iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
- configure_API_version $conf_file $IDENTITY_API_VERSION $section
- iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
- iniset $conf_file $section admin_user $admin_user
- iniset $conf_file $section admin_password $SERVICE_PASSWORD
iniset $conf_file $section signing_dir $signing_dir
}
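Review bot: The added `user_domain_id default` and `project_domain_id default` lines hard-code the domain without a comment, although the commit message says the service users are meant to move out of the default domain later. A short comment above them would mark the spot, e.g. `# Service users live in the default domain for now; update when they are moved.` The function's header comment could also say that `auth_uri` is now the unversioned `$KEYSTONE_SERVICE_URI` and no longer follows `$IDENTITY_API_VERSION`, since callers that set that variable will otherwise see no effect and no explanation. The function's signature and first lines are outside the hunk.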