Gitiles
Code Review Sign In
spfactory.storpool.com / devstack / 1d8888dc24143d81c13557ffdfa615052e794ebe / . / lib / keystone
blob: 2d48bb10bd78ded6d1b9aa3bc9f99cc4f4567c2d [file] [log] [blame]
Sean Daguee263c822014-12-05 14:25:28 -0500[diff] [blame]1#!/bin/bash
2#
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]3# lib/keystone
4# Functions to control the configuration and operation of **Keystone**
5
6# Dependencies:
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]7#
8# - ``functions`` file
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000[diff] [blame]9# - ``tls`` file
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]10# - ``DEST``, ``STACK_USER``
Adam Gandelmanc4b06712014-09-03 11:44:31 -0700[diff] [blame]11# - ``FILES``
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]12# - ``IDENTITY_API_VERSION``
13# - ``BASE_SQL_CONN``
14# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]15# - ``S3_SERVICE_PORT`` (template backend only)
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]16
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]17# ``stack.sh`` calls the entry points in this order:
18#
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]19# - install_keystone
20# - configure_keystone
21# - _config_keystone_apache_wsgi
22# - init_keystone
23# - start_keystone
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]24# - bootstrap_keystone
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]25# - create_keystone_accounts
26# - stop_keystone
27# - cleanup_keystone
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]28
Dean Troyer7903b792012-09-13 17:16:12 -0500[diff] [blame]29# Save trace setting
Ian Wienand523f4882015-10-13 11:03:03 +1100[diff] [blame]30_XTRACE_KEYSTONE=$(set +o | grep xtrace)
Dean Troyer7903b792012-09-13 17:16:12 -0500[diff] [blame]31set +o xtrace
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]32
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]33# Defaults
34# --------
35
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]36# Set up default directories
Jamie Lennox21a90772015-07-03 11:54:38 +1000[diff] [blame]37GITDIR["keystoneauth"]=$DEST/keystoneauth
Sean Daguee08ab102014-11-13 17:09:28 -0500[diff] [blame]38GITDIR["python-keystoneclient"]=$DEST/python-keystoneclient
Sean Dague658312c2014-11-14 11:35:56 -0500[diff] [blame]39GITDIR["keystonemiddleware"]=$DEST/keystonemiddleware
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]40KEYSTONE_DIR=$DEST/keystone
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]41
42# Keystone virtual environment
43if [[ ${USE_VENV} = True ]]; then
44 PROJECT_VENV["keystone"]=${KEYSTONE_DIR}.venv
45 KEYSTONE_BIN_DIR=${PROJECT_VENV["keystone"]}/bin
46else
47 KEYSTONE_BIN_DIR=$(get_python_exec_prefix)
48fi
49
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]50KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
51KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
Sean Dague2f8c88e2017-04-13 09:08:39 -0400[diff] [blame]52KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
Sean Dague2f8c88e2017-04-13 09:08:39 -0400[diff] [blame]53KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]54
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]55# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
56# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
Brant Knudsonedc11c22015-12-14 15:32:05 -0600[diff] [blame]57# - uwsgi : Run keystone under uwsgi
Sean Dague6ed53152017-04-13 13:33:16 -0400[diff] [blame]58if [[ "$WSGI_MODE" == "uwsgi" ]]; then
59 KEYSTONE_DEPLOY=uwsgi
60else
61 KEYSTONE_DEPLOY=mod_wsgi
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]62fi
63
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]64# Select the Identity backend driver
Alex Rudenkocd770582013-09-01 16:26:03 +0200[diff] [blame]65KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql}
66
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]67# Select the Assignment backend driver
Alex Rudenkocd770582013-09-01 16:26:03 +0200[diff] [blame]68KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
69
Steve Martinelli35262762016-01-05 23:56:40 -0500[diff] [blame]70# Select the Role backend driver
71KEYSTONE_ROLE_BACKEND=${KEYSTONE_ROLE_BACKEND:-sql}
72
73# Select the Resource backend driver
74KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql}
75
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]76# Select Keystone's token provider (and format)
ghanshyam27428752018-07-10 09:21:46 +0000[diff] [blame]77# Refer keystone doc for supported token provider:
78# https://docs.openstack.org/keystone/latest/admin/token-provider.html
Steve Martinellidc486bc2016-09-08 02:29:25 +0000[diff] [blame]79KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet}
Brant Knudson1e1fce82014-06-19 16:55:45 -0500[diff] [blame]80KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
Dean Troyerbc071bc2012-10-01 14:06:44 -0500[diff] [blame]81
Dean Troyerc83a7e12012-11-29 11:47:58 -0600[diff] [blame]82# Public facing bits
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]83KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]84KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
85KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
Dean Troyerc83a7e12012-11-29 11:47:58 -0600[diff] [blame]86KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]87
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]88# Set the project for service accounts in Keystone
Jamie Lennoxcbcbd8f2016-01-21 16:08:14 -0600[diff] [blame]89SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]90SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
Ian Wienand982b9912016-04-14 07:48:24 +1000[diff] [blame]91
92# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
93# compatibility; we should be using SERVICE_PROJECT_NAME now
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]94SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
Dean Troyerb7490da2013-03-18 16:07:56 -0500[diff] [blame]95
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000[diff] [blame]96# if we are running with SSL use https protocols
Sean Daguef3b2f4c2017-04-13 10:11:48 -0400[diff] [blame]97if is_service_enabled tls-proxy; then
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000[diff] [blame]98 KEYSTONE_SERVICE_PROTOCOL="https"
99fi
100
Sean Dague6ed53152017-04-13 13:33:16 -0400[diff] [blame]101KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
Sean Daguebb443112017-04-19 16:22:42 -0400[diff] [blame]102# for compat
103KEYSTONE_AUTH_URI=$KEYSTONE_SERVICE_URI
Jamie Lennox3561d7f2014-05-21 17:18:43 +1000[diff] [blame]104
Steve Martinellib74e01c2014-12-18 01:35:35 -0500[diff] [blame]105# V3 URIs
Jens Harbott32c00892019-04-10 10:33:39 +0000[diff] [blame]106KEYSTONE_AUTH_URI_V3=$KEYSTONE_SERVICE_URI/v3
Steve Martinellib74e01c2014-12-18 01:35:35 -0500[diff] [blame]107KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
108
Rodrigo Duarteb51a8862016-09-26 15:22:35 -0300[diff] [blame]109# Security compliance
110KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
111KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
Lance Bragstaddcd4b642017-06-12 14:41:42 +0000[diff] [blame]112KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-10}
Rodrigo Duarteb51a8862016-09-26 15:22:35 -0300[diff] [blame]113KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
114
Boris Pavlovic2b6e9ac2017-06-12 17:08:33 -0700[diff] [blame]115# Number of bcrypt hashing rounds, increasing number exponentially increases required
116# resources to generate password hash. This is very effective way to protect from
117# bruteforce attacks. 4 is minimal value that can be specified for bcrypt and
118# it works way faster than default 12. Minimal value is great for CI and development
119# however may not be suitable for real production.
120KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
Dean Troyer5ce44cd2015-02-12 22:18:33 -0600[diff] [blame]121
Slawek Kaplonskid33cdd02019-08-01 14:58:37 +0200[diff] [blame]122# Cache settings
123KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
124
Jens Harbotteb376572021-02-24 10:04:31 +0100[diff] [blame]125# Whether to create a keystone admin endpoint for legacy applications
Jens Harbottb538b322021-02-24 10:24:03 +0100[diff] [blame]126KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)
Jens Harbotteb376572021-02-24 10:04:31 +0100[diff] [blame]127
Dean Troyercc6b4432013-04-08 15:38:03 -0500[diff] [blame]128# Functions
129# ---------
Dean Troyer5ce44cd2015-02-12 22:18:33 -0600[diff] [blame]130
131# Test if Keystone is enabled
132# is_keystone_enabled
133function is_keystone_enabled {
Clark Boylan902158b2017-05-30 14:11:09 -0700[diff] [blame]134 [[ ,${DISABLED_SERVICES} =~ ,"keystone" ]] && return 1
Dean Troyer5ce44cd2015-02-12 22:18:33 -0600[diff] [blame]135 [[ ,${ENABLED_SERVICES}, =~ ,"key", ]] && return 0
136 return 1
137}
138
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]139# cleanup_keystone() - Remove residual data files, anything left over from previous
140# runs that a clean run would need to clean up
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]141function cleanup_keystone {
Davanum Srinivasaa33c872017-08-16 22:51:07 -0400[diff] [blame]142 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
143 # These files will be created if we are running WSGI_MODE="mod_wsgi"
144 disable_apache_site keystone
145 sudo rm -f $(apache_site_config_for keystone)
146 else
147 stop_process "keystone"
Davanum Srinivasaa33c872017-08-16 22:51:07 -0400[diff] [blame]148 remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
Davanum Srinivasaa33c872017-08-16 22:51:07 -0400[diff] [blame]149 sudo rm -f $(apache_site_config_for keystone-wsgi-public)
Davanum Srinivasaa33c872017-08-16 22:51:07 -0400[diff] [blame]150 fi
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]151}
152
153# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]154function _config_keystone_apache_wsgi {
Ian Wienandada886d2015-10-07 14:06:26 +1100[diff] [blame]155 local keystone_apache_conf
156 keystone_apache_conf=$(apache_site_config_for keystone)
Rob Crittendena1e1f512016-07-20 18:12:09 -0400[diff] [blame]157 keystone_ssl_listen="#"
Rob Crittenden18d47782014-03-19 17:47:42 -0400[diff] [blame]158 local keystone_ssl=""
159 local keystone_certfile=""
160 local keystone_keyfile=""
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]161 local keystone_service_port=$KEYSTONE_SERVICE_PORT
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]162 local venv_path=""
Rob Crittenden18d47782014-03-19 17:47:42 -0400[diff] [blame]163
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]164 if is_service_enabled tls-proxy; then
165 keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]166 fi
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]167 if [[ ${USE_VENV} = True ]]; then
Chris Dent3a2c86a2015-05-12 13:41:25 +0000[diff] [blame]168 venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]169 fi
Morgan Fainbergd074dc72014-06-24 21:33:39 -0700[diff] [blame]170
Morgan Fainberg970ee902014-06-09 12:07:29 -0700[diff] [blame]171 sudo cp $FILES/apache-keystone.template $keystone_apache_conf
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]172 sudo sed -e "
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]173 s|%PUBLICPORT%|$keystone_service_port|g;
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]174 s|%APACHE_NAME%|$APACHE_NAME|g;
Rob Crittendena1e1f512016-07-20 18:12:09 -0400[diff] [blame]175 s|%SSLLISTEN%|$keystone_ssl_listen|g;
Rob Crittenden18d47782014-03-19 17:47:42 -0400[diff] [blame]176 s|%SSLENGINE%|$keystone_ssl|g;
177 s|%SSLCERTFILE%|$keystone_certfile|g;
178 s|%SSLKEYFILE%|$keystone_keyfile|g;
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]179 s|%USER%|$STACK_USER|g;
180 s|%VIRTUALENV%|$venv_path|g
Brant Knudson2ad1a422015-06-23 10:53:50 -0500[diff] [blame]181 s|%KEYSTONE_BIN%|$KEYSTONE_BIN_DIR|g
Morgan Fainberg970ee902014-06-09 12:07:29 -0700[diff] [blame]182 " -i $keystone_apache_conf
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]183}
184
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]185# configure_keystone() - Set config files, create data dirs, etc
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]186function configure_keystone {
Dean Troyer8421c2b2015-03-16 13:52:19 -0500[diff] [blame]187 sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]188
189 if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
Lance Bragstadfe628b92018-04-17 17:01:46 +0000[diff] [blame]190 install -m 600 /dev/null $KEYSTONE_CONF
Alan Pevece0bb4472013-03-12 11:10:52 +0100[diff] [blame]191 fi
Lance Bragstadfe628b92018-04-17 17:01:46 +0000[diff] [blame]192 # Populate ``keystone.conf``
Brad Topolf127e2f2013-01-22 10:17:50 -0600[diff] [blame]193 if is_service_enabled ldap; then
Leticia Wanderleycc363972017-06-26 23:52:52 -0300[diff] [blame]194 iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
195 iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
Brad Topolf127e2f2013-01-22 10:17:50 -0600[diff] [blame]196 fi
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]197 iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
Boris Pavlovic2b6e9ac2017-06-12 17:08:33 -0700[diff] [blame]198 iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]199 iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
Steve Martinelli35262762016-01-05 23:56:40 -0500[diff] [blame]200 iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
201 iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
Brad Topolf127e2f2013-01-22 10:17:50 -0600[diff] [blame]202
Morgan Fainberga8ffe8a2016-01-24 20:36:35 -0800[diff] [blame]203 # Enable caching
Slawek Kaplonskid33cdd02019-08-01 14:58:37 +0200[diff] [blame]204 iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE
205 iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND
206 iniset $KEYSTONE_CONF cache memcache_servers $MEMCACHE_SERVERS
Morgan Fainberga8ffe8a2016-01-24 20:36:35 -0800[diff] [blame]207
Lance Bragstaded6e1d02018-08-01 18:03:44 +0000[diff] [blame]208 iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
Sergey Skripnick8464a4c2014-07-08 21:05:23 +0300[diff] [blame]209
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]210 local service_port=$KEYSTONE_SERVICE_PORT
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]211
212 if is_service_enabled tls-proxy; then
213 # Set the service ports for a proxy to take the originals
214 service_port=$KEYSTONE_SERVICE_PORT_INT
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]215 fi
216
Brant Knudson841fdaf2015-06-21 10:08:22 -0500[diff] [blame]217 # Override the endpoints advertised by keystone (the public_endpoint and
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]218 # admin_endpoint) so that clients use the correct endpoint. By default, the
219 # keystone server uses the public_port and admin_port which isn't going to
220 # work when you want to use a different port (in the case of proxy), or you
221 # don't want the port (in the case of putting keystone on a path in
222 # apache).
Sean Dague6ed53152017-04-13 13:33:16 -0400[diff] [blame]223 iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
Jens Harbottc2491ba2020-06-14 18:06:23 +0200[diff] [blame]224 iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_SERVICE_URI
Dean Troyerc83a7e12012-11-29 11:47:58 -0600[diff] [blame]225
Brant Knudson1e1fce82014-06-19 16:55:45 -0500[diff] [blame]226 if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
Brant Knudson331a64f2015-05-11 10:02:24 -0500[diff] [blame]227 iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
Sudarshan Acharya37631412013-07-16 00:47:54 +0000[diff] [blame]228 fi
229
Brant Knudson16d3ad02014-02-13 18:59:50 -0600[diff] [blame]230 iniset $KEYSTONE_CONF database connection `database_connection_url keystone`
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]231
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]232 # Set up logging
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]233 if [ "$SYSLOG" != "False" ]; then
Brant Knudson4968d1a2014-01-22 19:06:44 -0600[diff] [blame]234 iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]235 fi
Brant Knudson4968d1a2014-01-22 19:06:44 -0600[diff] [blame]236
237 # Format logging
Sean Dague27f66e92017-05-02 09:08:17 -0400[diff] [blame]238 setup_logging $KEYSTONE_CONF
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]239
Brant Knudson0fc336d2015-02-08 11:03:02 -0600[diff] [blame]240 iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
241
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]242 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
Morgan Fainbergda1cc572016-02-02 09:09:28 -0800[diff] [blame]243 iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]244 _config_keystone_apache_wsgi
Brant Knudson556eeb02016-03-24 14:01:57 -0500[diff] [blame]245 else # uwsgi
Sean Dague6ed53152017-04-13 13:33:16 -0400[diff] [blame]246 write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]247 fi
Bartosz Górski0abde392014-02-28 14:15:19 +0100[diff] [blame]248
249 iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
Brant Knudson85a17ea2014-09-13 14:49:24 -0500[diff] [blame]250
Brant Knudsoncef5e402015-06-25 17:57:53 -0500[diff] [blame]251 iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
Attila Fazekas9ea49752016-03-22 15:22:03 +0100[diff] [blame]252
Lance Bragstad69d4a712016-08-27 01:01:37 +0000[diff] [blame]253 iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
254
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]255 # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
256 # The users from this project are globally admin as before, but it also
257 # allows policy changes in order to clarify the adminess scope.
258 #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
259 #iniset $KEYSTONE_CONF resource admin_project_name admin
260
Rodrigo Duarteb51a8862016-09-26 15:22:35 -0300[diff] [blame]261 if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
262 iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
263 iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
264 iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
265 fi
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]266}
267
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]268# create_keystone_accounts() - Sets up common required keystone accounts
269
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]270# Project User Roles
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]271# ------------------------------------------------------------------
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]272# admin admin admin
Dean Troyer42a59c22014-03-03 14:31:29 -0600[diff] [blame]273# service -- --
274# -- -- service
275# -- -- ResellerAdmin
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]276# -- -- member
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]277# demo admin admin
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]278# demo demo member, anotherrole
Sean Daguec67d22e2016-02-02 05:51:14 -0500[diff] [blame]279# alt_demo admin admin
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]280# alt_demo alt_demo member, anotherrole
281# invisible_to_admin demo member
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]282
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]283# Group Users Roles Project
Steve Martinelli4599fd12015-03-12 21:30:58 -0400[diff] [blame]284# ------------------------------------------------------------------
Dean Troyer50f75a92016-02-03 17:40:17 -0600[diff] [blame]285# admins admin admin admin
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]286# nonadmins demo, alt_demo member, anotherrole demo, alt_demo
Steve Martinelli4599fd12015-03-12 21:30:58 -0400[diff] [blame]287
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]288# System User Roles
289# ------------------------------------------------------------------
290# all admin admin
291# all system_reader reader
292# all system_member member
293
Steve Martinelli4599fd12015-03-12 21:30:58 -0400[diff] [blame]294
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]295# Migrated from keystone_data.sh
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]296function create_keystone_accounts {
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]297
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]298 # The keystone bootstrapping process (performed via keystone-manage
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]299 # bootstrap) creates an admin user and an admin
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]300 # project. As a sanity check we exercise the CLI to retrieve the IDs for
301 # these values.
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]302 local admin_project
303 admin_project=$(openstack project show "admin" -f value -c id)
Ian Wienandada886d2015-10-07 14:06:26 +1100[diff] [blame]304 local admin_user
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]305 admin_user=$(openstack user show "admin" -f value -c id)
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]306 # These roles are also created during bootstrap but we don't need their IDs
Sean Dagueee37d202017-02-08 11:24:31 -0500[diff] [blame]307 local admin_role="admin"
Lance Bragstada7d0c6f2018-06-18 15:06:48 +0000[diff] [blame]308 local member_role="member"
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]309 local reader_role="reader"
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]310
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]311 async_run ks-domain-role get_or_add_user_domain_role $admin_role $admin_user default
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]312
Dean Troyer42a59c22014-03-03 14:31:29 -0600[diff] [blame]313 # Create service project/role
Jamie Lennoxcbcbd8f2016-01-21 16:08:14 -0600[diff] [blame]314 get_or_create_domain "$SERVICE_DOMAIN_NAME"
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]315 async_run ks-project get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"
Dean Troyer42a59c22014-03-03 14:31:29 -0600[diff] [blame]316
317 # Service role, so service users do not have to be admins
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]318 async_run ks-service get_or_create_role service
Dean Troyer42a59c22014-03-03 14:31:29 -0600[diff] [blame]319
320 # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]321 # The admin role in swift allows a user to act as an admin for their project,
322 # but ResellerAdmin is needed for a user to act as any project. The name of this
Dean Troyer42a59c22014-03-03 14:31:29 -0600[diff] [blame]323 # role is also configurable in swift-proxy.conf
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]324 async_run ks-reseller get_or_create_role ResellerAdmin
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]325
Masayuki Igawad3654052014-09-01 17:30:05 +0900[diff] [blame]326 # another_role demonstrates that an arbitrary role may be created and used
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]327 # TODO(sleepsonthefloor): show how this can be used for rbac in the future!
Sean Dagueee37d202017-02-08 11:24:31 -0500[diff] [blame]328 local another_role="anotherrole"
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]329 async_run ks-anotherrole get_or_create_role $another_role
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]330
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]331 # invisible project - admin can't see this one
332 local invis_project
333 invis_project=$(get_or_create_project "invisible_to_admin" default)
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]334
335 # demo
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]336 local demo_project
337 demo_project=$(get_or_create_project "demo" default)
Ian Wienandada886d2015-10-07 14:06:26 +1100[diff] [blame]338 local demo_user
339 demo_user=$(get_or_create_user "demo" \
Jamie Lennox9d7e7762015-05-29 01:08:53 +0000[diff] [blame]340 "$ADMIN_PASSWORD" "default" "demo@example.com")
Steve Martinelli19685422014-01-24 13:02:26 -0600[diff] [blame]341
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]342 async_wait ks-{domain-role,domain,project,service,reseller,anotherrole}
343
344 async_run ks-demo-member get_or_add_user_project_role $member_role $demo_user $demo_project
Lance Bragstad1d8888d2021-03-11 16:36:28 +0000[diff] [blame^]345
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]346 async_run ks-demo-admin get_or_add_user_project_role $admin_role $admin_user $demo_project
347 async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
348 async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]349
Lance Bragstad9c813212021-03-11 16:29:31 +0000[diff] [blame]350 # Create a user to act as a reader on project demo
351 local demo_reader
352 demo_reader=$(get_or_create_user "demo_reader" \
353 "$ADMIN_PASSWORD" "default" "demo_reader@example.com")
354
355 async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project
356
357 # Create a different project called alt_demo
Sean Dague0b1465b2016-04-04 10:15:47 -0400[diff] [blame]358 local alt_demo_project
359 alt_demo_project=$(get_or_create_project "alt_demo" default)
Lance Bragstad9c813212021-03-11 16:29:31 +0000[diff] [blame]360 # Create a user to act as member, admin and anotherrole on project alt_demo
Sean Daguec67d22e2016-02-02 05:51:14 -0500[diff] [blame]361 local alt_demo_user
362 alt_demo_user=$(get_or_create_user "alt_demo" \
363 "$ADMIN_PASSWORD" "default" "alt_demo@example.com")
364
Lance Bragstad9c813212021-03-11 16:29:31 +0000[diff] [blame]365 async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]366 async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
Sean Daguec67d22e2016-02-02 05:51:14 -0500[diff] [blame]367
Lance Bragstad9c813212021-03-11 16:29:31 +0000[diff] [blame]368 # Create another user to act as a member on project alt_demo
369 local alt_demo_member
370 alt_demo_member=$(get_or_create_user "alt_demo_member" \
371 "$ADMIN_PASSWORD" "default" "alt_demo_member@example.com")
372 async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project
373
374 # Create another user to act as a reader on project alt_demo
375 local alt_demo_reader
376 alt_demo_reader=$(get_or_create_user "alt_demo_reader" \
377 "$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com")
378 async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project
379
380 # Create two users, give one the member role on the system and the other the
381 # reader role on the system. These two users model system-member and
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]382 # system-reader personas. The admin user already has the admin role on the
383 # system and we can re-use this user as a system-admin.
384 system_member_user=$(get_or_create_user "system_member" \
385 "$ADMIN_PASSWORD" "default" "system_member@example.com")
386 async_run ks-system-member get_or_add_user_system_role $member_role $system_member_user "all"
387
388 system_reader_user=$(get_or_create_user "system_reader" \
389 "$ADMIN_PASSWORD" "default" "system_reader@example.com")
390 async_run ks-system-reader get_or_add_user_system_role $reader_role $system_reader_user "all"
391
Sean Daguec67d22e2016-02-02 05:51:14 -0500[diff] [blame]392 # groups
Ian Wienandada886d2015-10-07 14:06:26 +1100[diff] [blame]393 local admin_group
394 admin_group=$(get_or_create_group "admins" \
Steve Martinelli4599fd12015-03-12 21:30:58 -0400[diff] [blame]395 "default" "openstack admin group")
Ian Wienandada886d2015-10-07 14:06:26 +1100[diff] [blame]396 local non_admin_group
397 non_admin_group=$(get_or_create_group "nonadmins" \
Steve Martinelli4599fd12015-03-12 21:30:58 -0400[diff] [blame]398 "default" "non-admin group")
399
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]400 async_run ks-group-memberdemo get_or_add_group_project_role $member_role $non_admin_group $demo_project
401 async_run ks-group-anotherdemo get_or_add_group_project_role $another_role $non_admin_group $demo_project
402 async_run ks-group-memberalt get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
403 async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
404 async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
405
Lance Bragstad9c813212021-03-11 16:29:31 +0000[diff] [blame]406 async_wait ks-demo-{member,admin,another,invis,reader}
Lance Bragstad1d8888d2021-03-11 16:36:28 +0000[diff] [blame^]407 async_wait ks-alt-{admin,another,member-user,reader-user}
Lance Bragstad021ae0b2021-03-11 15:47:50 +0000[diff] [blame]408 async_wait ks-system-{member,reader}
Dan Smith30d9bf92021-01-19 12:10:52 -0800[diff] [blame]409 async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
Leticia Wanderleycc363972017-06-26 23:52:52 -0300[diff] [blame]410
411 if is_service_enabled ldap; then
412 create_ldap_domain
413 fi
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]414}
415
Jamie Lennox85ff5322015-01-28 14:28:01 +1000[diff] [blame]416# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
417#
418# create_service_user <name> [role]
419#
Jamie Lennox7f685482016-12-13 15:47:11 +1100[diff] [blame]420# We always add the service role, other roles are also allowed to be added as historically
Jamie Lennox85ff5322015-01-28 14:28:01 +1000[diff] [blame]421# a lot of projects have configured themselves with the admin or other role here if they are
422# using this user for other purposes beyond simply auth_token middleware.
423function create_service_user {
Jamie Lennoxcbcbd8f2016-01-21 16:08:14 -0600[diff] [blame]424 get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
Jamie Lennox7f685482016-12-13 15:47:11 +1100[diff] [blame]425 get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
426
427 if [[ -n "$2" ]]; then
428 get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
429 fi
Jamie Lennox85ff5322015-01-28 14:28:01 +1000[diff] [blame]430}
431
Dirk Mueller8ab64b32017-11-17 19:52:29 +0100[diff] [blame]432# Configure a service to use the auth token middleware.
Brant Knudson05952372014-09-19 17:22:22 -0500[diff] [blame]433#
Dirk Mueller8ab64b32017-11-17 19:52:29 +0100[diff] [blame]434# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section]
Brant Knudson05952372014-09-19 17:22:22 -0500[diff] [blame]435#
436# section defaults to keystone_authtoken, which is where auth_token looks in
437# the .conf file. If the paste config file is used (api-paste.ini) then
438# provide the section name for the auth_token filter.
Dirk Mueller8ab64b32017-11-17 19:52:29 +0100[diff] [blame]439function configure_keystone_authtoken_middleware {
Brant Knudson05952372014-09-19 17:22:22 -0500[diff] [blame]440 local conf_file=$1
441 local admin_user=$2
Dirk Mueller8ab64b32017-11-17 19:52:29 +0100[diff] [blame]442 local section=${3:-keystone_authtoken}
Brant Knudson05952372014-09-19 17:22:22 -0500[diff] [blame]443
Hua Wangf7dc06c2015-12-23 12:15:59 +0800[diff] [blame]444 iniset $conf_file $section auth_type password
Jens Harbott32c00892019-04-10 10:33:39 +0000[diff] [blame]445 iniset $conf_file $section interface public
Sean Dague38d47822017-04-19 16:12:00 -0400[diff] [blame]446 iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI
Jamie Lennox78b77262014-12-19 12:56:01 +1000[diff] [blame]447 iniset $conf_file $section username $admin_user
448 iniset $conf_file $section password $SERVICE_PASSWORD
Jamie Lennoxcbcbd8f2016-01-21 16:08:14 -0600[diff] [blame]449 iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
Sean Dague7580a0c2016-02-17 06:23:36 -0500[diff] [blame]450 iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
Jamie Lennoxcbcbd8f2016-01-21 16:08:14 -0600[diff] [blame]451 iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
Jamie Lennox78b77262014-12-19 12:56:01 +1000[diff] [blame]452
Rob Crittenden18d47782014-03-19 17:47:42 -0400[diff] [blame]453 iniset $conf_file $section cafile $SSL_BUNDLE_FILE
Mohammed Naser7db34f62020-03-18 15:35:27 -0400[diff] [blame]454 iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS
Vincent Hou21fe4e72013-11-21 03:10:27 -0500[diff] [blame]455}
456
Dirk Mueller8ab64b32017-11-17 19:52:29 +0100[diff] [blame]457# configure_auth_token_middleware conf_file admin_user IGNORED [section]
458# TODO(frickler): old function for backwards compatibility, remove in U cycle
459function configure_auth_token_middleware {
460 echo "WARNING: configure_auth_token_middleware is deprecated, use configure_keystone_authtoken_middleware instead"
461 configure_keystone_authtoken_middleware $1 $2 $4
462}
463
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]464# init_keystone() - Initialize databases, etc.
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]465function init_keystone {
Dean Troyerb9e25132013-10-01 14:45:04 -0500[diff] [blame]466 if is_service_enabled ldap; then
467 init_ldap
468 fi
469
Julia Varlamovaea3e87d2016-12-16 14:39:31 +0400[diff] [blame]470 if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
471 # (Re)create keystone database
472 recreate_database keystone
473 fi
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]474
Clark Boylan633dbc32017-06-14 12:09:21 -0700[diff] [blame]475 time_start "dbsync"
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]476 # Initialize keystone database
Einst Crazy4f55c2d2016-05-04 08:14:01 +0000[diff] [blame]477 $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF db_sync
Clark Boylan633dbc32017-06-14 12:09:21 -0700[diff] [blame]478 time_stop "dbsync"
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]479
Brant Knudsoncef5e402015-06-25 17:57:53 -0500[diff] [blame]480 if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
481 rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/"
Einst Crazy4f55c2d2016-05-04 08:14:01 +0000[diff] [blame]482 $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF fernet_setup
Brant Knudsoncef5e402015-06-25 17:57:53 -0500[diff] [blame]483 fi
Lance Bragstad69d4a712016-08-27 01:01:37 +0000[diff] [blame]484 rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
485 $KEYSTONE_BIN_DIR/keystone-manage --config-file $KEYSTONE_CONF credential_setup
486
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]487}
488
Jamie Lennox21a90772015-07-03 11:54:38 +1000[diff] [blame]489# install_keystoneauth() - Collect source and prepare
490function install_keystoneauth {
491 if use_library_from_git "keystoneauth"; then
492 git_clone_by_name "keystoneauth"
493 setup_dev_lib "keystoneauth"
494 fi
495}
496
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]497# install_keystoneclient() - Collect source and prepare
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]498function install_keystoneclient {
Sean Daguee08ab102014-11-13 17:09:28 -0500[diff] [blame]499 if use_library_from_git "python-keystoneclient"; then
500 git_clone_by_name "python-keystoneclient"
501 setup_dev_lib "python-keystoneclient"
Sean Dague5cb19062014-11-01 01:37:45 +0100[diff] [blame]502 fi
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]503}
504
Morgan Fainberg58936fd2014-06-24 12:26:07 -0700[diff] [blame]505# install_keystonemiddleware() - Collect source and prepare
506function install_keystonemiddleware {
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]507 # install_keystonemiddleware() is called when keystonemiddleware is needed
508 # to provide an opportunity to install it from the source repo
Sean Dague658312c2014-11-14 11:35:56 -0500[diff] [blame]509 if use_library_from_git "keystonemiddleware"; then
510 git_clone_by_name "keystonemiddleware"
511 setup_dev_lib "keystonemiddleware"
Dean Troyerf8ae6472015-02-17 11:05:06 -0600[diff] [blame]512 else
513 # When not installing from repo, keystonemiddleware is still needed...
Sean Dague60996b12015-04-08 09:06:49 -0400[diff] [blame]514 pip_install_gr keystonemiddleware
Sean Dague658312c2014-11-14 11:35:56 -0500[diff] [blame]515 fi
Morgan Fainberg5997ce32016-01-20 12:43:22 -0800[diff] [blame]516 # Install the memcache library so keystonemiddleware can cache tokens in a
517 # shared location.
518 pip_install_gr python-memcached
Morgan Fainberg58936fd2014-06-24 12:26:07 -0700[diff] [blame]519}
520
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]521# install_keystone() - Collect source and prepare
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]522function install_keystone {
Brad Topolf127e2f2013-01-22 10:17:50 -0600[diff] [blame]523 # only install ldap if the service has been enabled
524 if is_service_enabled ldap; then
525 install_ldap
526 fi
Morgan Fainberg5997ce32016-01-20 12:43:22 -0800[diff] [blame]527
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]528 git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH
Sean Dague1b4b4be2013-04-01 16:44:31 -0400[diff] [blame]529 setup_develop $KEYSTONE_DIR
Brant Knudson6a4d3eb2015-08-01 09:19:18 -0500[diff] [blame]530
531 if is_service_enabled ldap; then
532 setup_develop $KEYSTONE_DIR ldap
533 fi
534
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]535 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]536 install_apache_wsgi
537 fi
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]538}
539
Sean Dague0eebeb42017-08-30 14:16:58 -0400[diff] [blame]540# start_keystone() - Start running processes
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]541function start_keystone {
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]542 # Get right service port for testing
543 local service_port=$KEYSTONE_SERVICE_PORT
Jens Harbottc2491ba2020-06-14 18:06:23 +0200[diff] [blame]544 local auth_protocol=$KEYSTONE_SERVICE_PROTOCOL
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]545 if is_service_enabled tls-proxy; then
546 service_port=$KEYSTONE_SERVICE_PORT_INT
547 auth_protocol="http"
548 fi
549
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]550 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
Adam Gandelmanc4b06712014-09-03 11:44:31 -0700[diff] [blame]551 enable_apache_site keystone
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]552 restart_apache_server
Brant Knudson556eeb02016-03-24 14:01:57 -0500[diff] [blame]553 else # uwsgi
Ian Wienand312517d2018-06-22 22:23:29 +1000[diff] [blame]554 run_process keystone "$(which uwsgi) --procname-prefix keystone --ini $KEYSTONE_PUBLIC_UWSGI_CONF" ""
Jamie Lennoxa00e5f82013-09-17 12:47:03 +1000[diff] [blame]555 fi
556
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]557 echo "Waiting for keystone to start..."
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]558 # Check that the keystone service is running. Even if the tls tunnel
559 # should be enabled, make sure the internal port is checked using
560 # unencryted traffic at this point.
561 # If running in Apache, use the path rather than port.
562
Sean Dague6ed53152017-04-13 13:33:16 -0400[diff] [blame]563 local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
Brant Knudson841fdaf2015-06-21 10:08:22 -0500[diff] [blame]564
565 if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
Sean Dague101b4242013-10-22 08:47:11 -0400[diff] [blame]566 die $LINENO "keystone did not start"
Dean Troyerd835de82012-11-29 17:11:35 -0600[diff] [blame]567 fi
Dean Troyerc83a7e12012-11-29 11:47:58 -0600[diff] [blame]568
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]569 # Start proxies if enabled
570 if is_service_enabled tls-proxy; then
571 start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]572 fi
573
Morgan Fainberg5997ce32016-01-20 12:43:22 -0800[diff] [blame]574 # (re)start memcached to make sure we have a clean memcache.
575 restart_service memcached
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]576}
577
578# stop_keystone() - Stop running processes
Ian Wienandaee18c72014-02-21 15:35:08 +1100[diff] [blame]579function stop_keystone {
Brant Knudsona0305362016-01-25 13:38:27 -0600[diff] [blame]580 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
Adam Gandelmanc4b06712014-09-03 11:44:31 -0700[diff] [blame]581 disable_apache_site keystone
582 restart_apache_server
Matthew Treinish9c5ffd82017-03-29 16:47:57 -0400[diff] [blame]583 else
Sean Daguebb443112017-04-19 16:22:42 -0400[diff] [blame]584 stop_process keystone
Adam Gandelmanc4b06712014-09-03 11:44:31 -0700[diff] [blame]585 fi
Dean Troyerd81a0272012-08-31 18:04:55 -0500[diff] [blame]586}
Dean Troyer7903b792012-09-13 17:16:12 -0500[diff] [blame]587
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]588# bootstrap_keystone() - Initialize user, role and project
589# This function uses the following GLOBAL variables:
590# - ``KEYSTONE_BIN_DIR``
591# - ``ADMIN_PASSWORD``
Abhishek Kekanef8dbfd32020-07-06 18:42:30 +0000[diff] [blame]592# - ``IDENTITY_API_VERSION``
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]593# - ``REGION_NAME``
Jens Harbottc2491ba2020-06-14 18:06:23 +0200[diff] [blame]594# - ``KEYSTONE_SERVICE_URI``
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]595function bootstrap_keystone {
Jamie Lennox32bf2c42016-03-08 12:24:52 +1100[diff] [blame]596 $KEYSTONE_BIN_DIR/keystone-manage bootstrap \
597 --bootstrap-username admin \
598 --bootstrap-password "$ADMIN_PASSWORD" \
599 --bootstrap-project-name admin \
600 --bootstrap-role-name admin \
601 --bootstrap-service-name keystone \
602 --bootstrap-region-id "$REGION_NAME" \
Sean Daguebfff93e2017-02-13 16:18:08 -0500[diff] [blame]603 --bootstrap-public-url "$KEYSTONE_SERVICE_URI"
Jens Harbotteb376572021-02-24 10:04:31 +0100[diff] [blame]604 if [ "$KEYSTONE_ADMIN_ENDPOINT" == "True" ]; then
605 openstack endpoint create --region "$REGION_NAME" \
606 --os-username admin \
607 --os-user-domain-id default \
608 --os-password "$ADMIN_PASSWORD" \
609 --os-project-name admin \
610 --os-project-domain-id default \
611 keystone admin "$KEYSTONE_SERVICE_URI"
612 fi
Steve Martinelli923be5f2015-12-20 00:24:19 -0500[diff] [blame]613}
Dean Troyer1a6d4492013-06-03 16:47:36 -0500[diff] [blame]614
Leticia Wanderleycc363972017-06-26 23:52:52 -0300[diff] [blame]615# create_ldap_domain() - Create domain file and initialize domain with a user
616function create_ldap_domain {
617 # Creates domain Users
618 openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users
619
620 # Create domain file inside etc/keystone/domains
621 KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf
622 mkdir -p "$KEYSTONE_CONF_DIR/domains"
623 touch "$KEYSTONE_LDAP_DOMAIN_FILE"
624
625 # Set identity driver 'ldap'
626 iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap"
627
628 # LDAP settings for Users domain
Leticia Wanderleycc363972017-06-26 23:52:52 -0300[diff] [blame]629 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
630 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson"
631 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn"
632 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail"
633 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid"
634 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org"
635 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost"
636 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN
637 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD
638 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN"
639 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames"
640 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn"
641 iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn"
642
643 # Restart apache and identity services to associate domain and conf file
644 sudo service apache2 reload
645 sudo systemctl restart devstack@keystone
646
647 # Create LDAP user.ldif and add user to LDAP backend
648 local tmp_ldap_dir
649 tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
650
651 _ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif
652 sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif
653 rm -rf $tmp_ldap_dir
654
655 local admin_project
656 admin_project=$(get_or_create_project "admin" default)
657 local ldap_user
658 ldap_user=$(openstack user show --domain=Users demo -f value -c id)
659 local admin_role="admin"
660 get_or_create_role $admin_role
661
662 # Grant demo LDAP user access to project and role
663 get_or_add_user_project_role $admin_role $ldap_user $admin_project
664}
665
Dean Troyer7903b792012-09-13 17:16:12 -0500[diff] [blame]666# Restore xtrace
Ian Wienand523f4882015-10-13 11:03:03 +1100[diff] [blame]667$_XTRACE_KEYSTONE
Sean Dague584d90e2013-03-29 14:34:53 -0400[diff] [blame]668
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100[diff] [blame]669# Tell emacs to use shell-script-mode
670## Local variables:
671## mode: shell-script
672## End: