| #!/bin/bash |
| # |
| # lib/keystone |
| # Functions to control the configuration and operation of **Keystone** |
| |
| # Dependencies: |
| # |
| # - ``functions`` file |
| # - ``tls`` file |
| # - ``DEST``, ``STACK_USER`` |
| # - ``FILES`` |
| # - ``BASE_SQL_CONN`` |
| # - ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` |
| # - ``S3_SERVICE_PORT`` (template backend only) |
| |
| # ``stack.sh`` calls the entry points in this order: |
| # |
| # - install_keystone |
| # - configure_keystone |
| # - _config_keystone_apache_wsgi |
| # - init_keystone |
| # - start_keystone |
| # - bootstrap_keystone |
| # - create_keystone_accounts |
| # - stop_keystone |
| # - cleanup_keystone |
| |
| # Save trace setting |
| _XTRACE_KEYSTONE=$(set +o | grep xtrace) |
| set +o xtrace |
| |
| # Defaults |
| # -------- |
| |
| # Set up default directories |
| GITDIR["keystoneauth"]=$DEST/keystoneauth |
| GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient |
| GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware |
| KEYSTONE_DIR=$DEST/keystone |
| |
| # Keystone virtual environment |
| if [[ ${USE_VENV} = True ]]; then |
| PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv |
| KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin |
| else |
| KEYSTONE_BIN_DIR=$(get_python_exec_prefix) |
| fi |
| |
| KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone} |
| KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
| KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini |
| KEYSTONE_PUBLIC_UWSGI=keystone.wsgi.api:application |
| |
| # Select the Identity backend driver |
| KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql} |
| |
| # Select the Assignment backend driver |
| KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql} |
| |
| # Select the Role backend driver |
| KEYSTONE_ROLE_BACKEND=${KEYSTONE_ROLE_BACKEND:-sql} |
| |
| # Select the Resource backend driver |
| KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql} |
| |
| # Select Keystone's token provider (and format) |
| # Refer keystone doc for supported token provider: |
| # https://docs.openstack.org/keystone/latest/admin/token-provider.html |
| KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet} |
| KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]') |
| |
| # Public facing bits |
| KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} |
| KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
| KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001} |
| KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} |
| |
| # Set the project for service accounts in Keystone |
| SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default} |
| SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service} |
| |
| # Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards |
| # compatibility; we should be using SERVICE_PROJECT_NAME now |
| SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service} |
| |
| # if we are running with SSL use https protocols |
| if is_service_enabled tls-proxy; then |
| KEYSTONE_SERVICE_PROTOCOL="https" |
| fi |
| |
| KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity |
| # for compat |
| KEYSTONE_AUTH_URI=$KEYSTONE_SERVICE_URI |
| |
| # V3 URIs |
| KEYSTONE_AUTH_URI_V3=$KEYSTONE_SERVICE_URI/v3 |
| KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3 |
| |
| # Security compliance |
| KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True} |
| KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2} |
| KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-10} |
| KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2} |
| |
| # Number of bcrypt hashing rounds, increasing number exponentially increases required |
| # resources to generate password hash. This is very effective way to protect from |
| # bruteforce attacks. 4 is minimal value that can be specified for bcrypt and |
| # it works way faster than default 12. Minimal value is great for CI and development |
| # however may not be suitable for real production. |
| KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4} |
| |
| # Cache settings |
| KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True} |
| |
| # Whether to create a keystone admin endpoint for legacy applications |
| KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT) |
| |
| # Flag to set the oslo_policy.enforce_scope. This is used to switch |
| # the Identity API policies to start checking the scope of token. By Default, |
| # this flag is False. |
| # For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope |
| KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE) |
| |
| # Functions |
| # --------- |
| |
| # Test if Keystone is enabled |
| # is_keystone_enabled |
| function is_keystone_enabled { |
| [[ ,${DISABLED_SERVICES} =~ ,"keystone" ]] && return 1 |
| [[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0 |
| return 1 |
| } |
| |
| # cleanup_keystone() - Remove residual data files, anything left over from previous |
| # runs that a clean run would need to clean up |
| function cleanup_keystone { |
| stop_process "keystone" |
| remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "keystone-wsgi-public" |
| sudo rm -f $(apache_site_config_for keystone-wsgi-public) |
| } |
| |
| # _config_keystone_apache_wsgi() - Set WSGI config files of Keystone |
| function _config_keystone_apache_wsgi { |
| local keystone_apache_conf |
| keystone_apache_conf=$(apache_site_config_for keystone) |
| keystone_ssl_listen="#" |
| local keystone_ssl="" |
| local keystone_certfile="" |
| local keystone_keyfile="" |
| local keystone_service_port=$KEYSTONE_SERVICE_PORT |
| local venv_path="" |
| |
| if is_service_enabled tls-proxy; then |
| keystone_service_port=$KEYSTONE_SERVICE_PORT_INT |
| fi |
| if [[ ${USE_VENV} = True ]]; then |
| venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages" |
| fi |
| |
| sudo cp $FILES/apache-keystone.template $keystone_apache_conf |
| sudo sed -e " |
| s|%PUBLICPORT%|$keystone_service_port|g; |
| s|%APACHE_NAME%|$APACHE_NAME|g; |
| s|%SSLLISTEN%|$keystone_ssl_listen|g; |
| s|%SSLENGINE%|$keystone_ssl|g; |
| s|%SSLCERTFILE%|$keystone_certfile|g; |
| s|%SSLKEYFILE%|$keystone_keyfile|g; |
| s|%USER%|$STACK_USER|g; |
| s|%VIRTUALENV%|$venv_path|g |
| s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g |
| " -i $keystone_apache_conf |
| } |
| |
| # configure_keystone() - Set config files, create data dirs, etc |
| function configure_keystone { |
| sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR |
| |
| if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then |
| install -m 600 /dev/null $KEYSTONE_CONF |
| fi |
| # Populate ``keystone.conf`` |
| if is_service_enabled ldap; then |
| iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains" |
| iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True" |
| fi |
| iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" |
| iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS |
| iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" |
| iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND" |
| iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND" |
| |
| # Enable caching |
| iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE |
| iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND |
| iniset $KEYSTONE_CONF cache memcache_servers $MEMCACHE_SERVERS |
| |
| iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications |
| |
| local service_port=$KEYSTONE_SERVICE_PORT |
| |
| if is_service_enabled tls-proxy; then |
| # Set the service ports for a proxy to take the originals |
| service_port=$KEYSTONE_SERVICE_PORT_INT |
| fi |
| |
| # Override the endpoints advertised by keystone so that clients use the correct |
| # endpoint. By default, the keystone server uses the public_port which isn't |
| # going to work when you want to use a different port (in the case of proxy), |
| # or you don't want the port (in the case of putting keystone on a path in apache). |
| iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI |
| |
| if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then |
| iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT |
| fi |
| |
| iniset $KEYSTONE_CONF database connection `database_connection_url keystone` |
| |
| # Set up logging |
| if [ "$SYSLOG" != "False" ]; then |
| iniset $KEYSTONE_CONF DEFAULT use_syslog "True" |
| fi |
| |
| # Format logging |
| setup_logging $KEYSTONE_CONF |
| |
| iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL |
| |
| write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "" "keystone-api" |
| |
| iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 |
| |
| iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/" |
| |
| iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/" |
| |
| # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project. |
| # The users from this project are globally admin as before, but it also |
| # allows policy changes in order to clarify the adminess scope. |
| #iniset $KEYSTONE_CONF resource admin_project_domain_name Default |
| #iniset $KEYSTONE_CONF resource admin_project_name admin |
| |
| if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then |
| iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS |
| iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION |
| iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT |
| fi |
| |
| iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml |
| |
| if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then |
| iniset $KEYSTONE_CONF oslo_policy enforce_scope true |
| iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true |
| else |
| iniset $KEYSTONE_CONF oslo_policy enforce_scope false |
| iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults false |
| fi |
| } |
| |
| # create_keystone_accounts() - Sets up common required keystone accounts |
| |
| # Project User Roles |
| # ------------------------------------------------------------------ |
| # admin admin admin |
| # service -- -- |
| # -- -- service |
| # -- -- ResellerAdmin |
| # -- -- member |
| # demo admin admin |
| # demo demo member, anotherrole |
| # alt_demo admin admin |
| # alt_demo alt_demo member, anotherrole |
| # invisible_to_admin demo member |
| |
| # Group Users Roles Project |
| # ------------------------------------------------------------------ |
| # admins admin admin admin |
| # nonadmins demo, alt_demo member, anotherrole demo, alt_demo |
| |
| # System User Roles |
| # ------------------------------------------------------------------ |
| # all admin admin |
| # all system_reader reader |
| # all system_member member |
| |
| |
| # Migrated from keystone_data.sh |
| function create_keystone_accounts { |
| |
| # The keystone bootstrapping process (performed via keystone-manage |
| # bootstrap) creates an admin user and an admin |
| # project. As a sanity check we exercise the CLI to retrieve the IDs for |
| # these values. |
| local admin_project |
| admin_project=$(openstack project show "admin" -f value -c id) |
| local admin_user |
| admin_user=$(openstack user show "admin" -f value -c id) |
| # These roles are also created during bootstrap but we don't need their IDs |
| local admin_role="admin" |
| local member_role="member" |
| local reader_role="reader" |
| |
| async_run ks-domain-role get_or_add_user_domain_role $admin_role $admin_user default |
| |
| # Create service project/role |
| get_or_create_domain "$SERVICE_DOMAIN_NAME" |
| async_run ks-project get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" |
| |
| # Service role, so service users do not have to be admins |
| async_run ks-service get_or_create_role service |
| |
| # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. |
| # The admin role in swift allows a user to act as an admin for their project, |
| # but ResellerAdmin is needed for a user to act as any project. The name of this |
| # role is also configurable in swift-proxy.conf |
| async_run ks-reseller get_or_create_role ResellerAdmin |
| |
| # another_role demonstrates that an arbitrary role may be created and used |
| # TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
| local another_role="anotherrole" |
| async_run ks-anotherrole get_or_create_role $another_role |
| |
| # invisible project - admin can't see this one |
| local invis_project |
| invis_project=$(get_or_create_project "invisible_to_admin" default) |
| |
| # demo |
| local demo_project |
| demo_project=$(get_or_create_project "demo" default) |
| local demo_user |
| demo_user=$(get_or_create_user "demo" \ |
| "$ADMIN_PASSWORD" "default" "demo@example.com") |
| |
| async_wait ks-{domain-role,domain,project,service,reseller,anotherrole} |
| |
| async_run ks-demo-member get_or_add_user_project_role $member_role $demo_user $demo_project |
| |
| async_run ks-demo-admin get_or_add_user_project_role $admin_role $admin_user $demo_project |
| async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project |
| async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project |
| |
| # Create a user to act as a reader on project demo |
| local demo_reader |
| demo_reader=$(get_or_create_user "demo_reader" \ |
| "$ADMIN_PASSWORD" "default" "demo_reader@example.com") |
| |
| async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project |
| |
| # Create a different project called alt_demo |
| local alt_demo_project |
| alt_demo_project=$(get_or_create_project "alt_demo" default) |
| # Create a user to act as member, admin and anotherrole on project alt_demo |
| local alt_demo_user |
| alt_demo_user=$(get_or_create_user "alt_demo" \ |
| "$ADMIN_PASSWORD" "default" "alt_demo@example.com") |
| |
| async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project |
| async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project |
| |
| # Create another user to act as a member on project alt_demo |
| local alt_demo_member |
| alt_demo_member=$(get_or_create_user "alt_demo_member" \ |
| "$ADMIN_PASSWORD" "default" "alt_demo_member@example.com") |
| async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project |
| |
| # Create another user to act as a reader on project alt_demo |
| local alt_demo_reader |
| alt_demo_reader=$(get_or_create_user "alt_demo_reader" \ |
| "$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com") |
| async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project |
| |
| # Create two users, give one the member role on the system and the other the |
| # reader role on the system. These two users model system-member and |
| # system-reader personas. The admin user already has the admin role on the |
| # system and we can re-use this user as a system-admin. |
| system_member_user=$(get_or_create_user "system_member" \ |
| "$ADMIN_PASSWORD" "default" "system_member@example.com") |
| async_run ks-system-member get_or_add_user_system_role $member_role $system_member_user "all" |
| |
| system_reader_user=$(get_or_create_user "system_reader" \ |
| "$ADMIN_PASSWORD" "default" "system_reader@example.com") |
| async_run ks-system-reader get_or_add_user_system_role $reader_role $system_reader_user "all" |
| |
| # groups |
| local admin_group |
| admin_group=$(get_or_create_group "admins" \ |
| "default" "openstack admin group") |
| local non_admin_group |
| non_admin_group=$(get_or_create_group "nonadmins" \ |
| "default" "non-admin group") |
| |
| async_run ks-group-memberdemo get_or_add_group_project_role $member_role $non_admin_group $demo_project |
| async_run ks-group-anotherdemo get_or_add_group_project_role $another_role $non_admin_group $demo_project |
| async_run ks-group-memberalt get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project |
| async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project |
| async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project |
| |
| async_wait ks-demo-{member,admin,another,invis,reader} |
| async_wait ks-alt-{admin,another,member-user,reader-user} |
| async_wait ks-system-{member,reader} |
| async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin} |
| |
| if is_service_enabled ldap; then |
| create_ldap_domain |
| fi |
| } |
| |
| # Create a user that is capable of verifying keystone tokens for use with auth_token middleware. |
| # |
| # create_service_user <name> [role] |
| # |
| # We always add the service role, other roles are also allowed to be added as historically |
| # a lot of projects have configured themselves with the admin or other role here if they are |
| # using this user for other purposes beyond simply auth_token middleware. |
| function create_service_user { |
| get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" |
| get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
| |
| if [[ -n "$2" ]]; then |
| get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
| fi |
| } |
| |
| # Configure a service to use the auth token middleware. |
| # |
| # configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section] |
| # |
| # section defaults to keystone_authtoken, which is where auth_token looks in |
| # the .conf file. If the paste config file is used (api-paste.ini) then |
| # provide the section name for the auth_token filter. |
| function configure_keystone_authtoken_middleware { |
| local conf_file=$1 |
| local admin_user=$2 |
| local section=${3:-keystone_authtoken} |
| |
| iniset $conf_file $section auth_type password |
| iniset $conf_file $section interface public |
| iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI |
| iniset $conf_file $section username $admin_user |
| iniset $conf_file $section password $SERVICE_PASSWORD |
| iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" |
| iniset $conf_file $section project_name $SERVICE_PROJECT_NAME |
| iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" |
| |
| iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
| iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS |
| } |
| |
| # configure_auth_token_middleware conf_file admin_user IGNORED [section] |
| # TODO(frickler): old function for backwards compatibility, remove in U cycle |
| function configure_auth_token_middleware { |
| echo "WARNING: configure_auth_token_middleware is deprecated, use configure_keystone_authtoken_middleware instead" |
| configure_keystone_authtoken_middleware $1 $2 $4 |
| } |
| |
| # init_keystone() - Initialize databases, etc. |
| function init_keystone { |
| if is_service_enabled ldap; then |
| init_ldap |
| fi |
| |
| if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then |
| # (Re)create keystone database |
| recreate_database keystone |
| fi |
| |
| time_start "dbsync" |
| # Initialize keystone database |
| $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF db_sync |
| time_stop "dbsync" |
| |
| if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then |
| rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/" |
| $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF fernet_setup |
| fi |
| rm -rf "$KEYSTONE_CONF_DIR/credential-keys/" |
| $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF credential_setup |
| |
| } |
| |
| # install_keystoneauth() - Collect source and prepare |
| function install_keystoneauth { |
| if use_library_from_git "keystoneauth"; then |
| git_clone_by_name "keystoneauth" |
| setup_dev_lib "keystoneauth" |
| fi |
| } |
| |
| # install_keystoneclient() - Collect source and prepare |
| function install_keystoneclient { |
| if use_library_from_git "python-keystoneclient"; then |
| git_clone_by_name "python-keystoneclient" |
| setup_dev_lib "python-keystoneclient" |
| fi |
| } |
| |
| # install_keystonemiddleware() - Collect source and prepare |
| function install_keystonemiddleware { |
| # install_keystonemiddleware() is called when keystonemiddleware is needed |
| # to provide an opportunity to install it from the source repo |
| if use_library_from_git "keystonemiddleware"; then |
| git_clone_by_name "keystonemiddleware" |
| setup_dev_lib "keystonemiddleware" |
| else |
| # When not installing from repo, keystonemiddleware is still needed... |
| pip_install_gr keystonemiddleware |
| fi |
| # Install the memcache library so keystonemiddleware can cache tokens in a |
| # shared location. |
| pip_install_gr python-memcached |
| } |
| |
| # install_keystone() - Collect source and prepare |
| function install_keystone { |
| # only install ldap if the service has been enabled |
| if is_service_enabled ldap; then |
| install_ldap |
| fi |
| |
| git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH |
| setup_develop $KEYSTONE_DIR |
| |
| if is_service_enabled ldap; then |
| setup_develop $KEYSTONE_DIR ldap |
| fi |
| } |
| |
| # start_keystone() - Start running processes |
| function start_keystone { |
| # Get right service port for testing |
| local service_port=$KEYSTONE_SERVICE_PORT |
| local auth_protocol=$KEYSTONE_SERVICE_PROTOCOL |
| if is_service_enabled tls-proxy; then |
| service_port=$KEYSTONE_SERVICE_PORT_INT |
| auth_protocol="http" |
| fi |
| |
| run_process keystone "$(which uwsgi) --procname-prefix keystone --ini $KEYSTONE_PUBLIC_UWSGI_CONF" "" |
| |
| echo "Waiting for keystone to start..." |
| # Check that the keystone service is running. Even if the tls tunnel |
| # should be enabled, make sure the internal port is checked using |
| # unencryted traffic at this point. |
| # If running in Apache, use the path rather than port. |
| |
| local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v3/ |
| |
| if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then |
| die $LINENO "keystone did not start" |
| fi |
| |
| # Start proxies if enabled |
| if is_service_enabled tls-proxy; then |
| start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT |
| fi |
| |
| # (re)start memcached to make sure we have a clean memcache. |
| restart_service memcached |
| } |
| |
| # stop_keystone() - Stop running processes |
| function stop_keystone { |
| stop_process keystone |
| } |
| |
| # bootstrap_keystone() - Initialize user, role and project |
| # This function uses the following GLOBAL variables: |
| # - ``KEYSTONE_BIN_DIR`` |
| # - ``ADMIN_PASSWORD`` |
| # - ``REGION_NAME`` |
| # - ``KEYSTONE_SERVICE_URI`` |
| function bootstrap_keystone { |
| $KEYSTONE_BIN_DIR/keystone-manage bootstrap \ |
| --bootstrap-username admin \ |
| --bootstrap-password "$ADMIN_PASSWORD" \ |
| --bootstrap-project-name admin \ |
| --bootstrap-role-name admin \ |
| --bootstrap-service-name keystone \ |
| --bootstrap-region-id "$REGION_NAME" \ |
| --bootstrap-public-url "$KEYSTONE_SERVICE_URI" |
| if [ "$KEYSTONE_ADMIN_ENDPOINT" == "True" ]; then |
| openstack endpoint create --region "$REGION_NAME" \ |
| --os-username admin \ |
| --os-user-domain-id default \ |
| --os-password "$ADMIN_PASSWORD" \ |
| --os-project-name admin \ |
| --os-project-domain-id default \ |
| keystone admin "$KEYSTONE_SERVICE_URI" |
| fi |
| } |
| |
| # create_ldap_domain() - Create domain file and initialize domain with a user |
| function create_ldap_domain { |
| # Creates domain Users |
| openstack domain create --description "LDAP domain" Users |
| |
| # Create domain file inside etc/keystone/domains |
| KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf |
| mkdir -p "$KEYSTONE_CONF_DIR/domains" |
| touch "$KEYSTONE_LDAP_DOMAIN_FILE" |
| |
| # Set identity driver 'ldap' |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap" |
| |
| # LDAP settings for Users domain |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn" |
| iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn" |
| |
| # Restart apache and identity services to associate domain and conf file |
| sudo service apache2 reload |
| sudo systemctl restart devstack@keystone |
| |
| # Create LDAP user.ldif and add user to LDAP backend |
| local tmp_ldap_dir |
| tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX) |
| |
| _ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif |
| sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif |
| rm -rf $tmp_ldap_dir |
| |
| local admin_project |
| admin_project=$(get_or_create_project "admin" default) |
| local ldap_user |
| ldap_user=$(openstack user show --domain=Users demo -f value -c id) |
| local admin_role="admin" |
| get_or_create_role $admin_role |
| |
| # Grant demo LDAP user access to project and role |
| get_or_add_user_project_role $admin_role $ldap_user $admin_project |
| } |
| |
| # Restore xtrace |
| $_XTRACE_KEYSTONE |
| |
| # Tell emacs to use shell-script-mode |
| ## Local variables: |
| ## mode: shell-script |
| ## End: |