Beispiel #1
0
    def _on_project_create(self, project_id):

        LOG.warning("Beginning wmf hooks for project creation: %s" %
                    project_id)

        roledict = self._get_role_dict()

        if CONF.wmfhooks.observer_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" %
                      CONF.wmfhooks.observer_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.admin_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" %
                      CONF.wmfhooks.admin_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.user_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" %
                      CONF.wmfhooks.user_role_name)
            raise exception.NotImplemented()

        self.assignment_api.add_role_to_user_and_project(
            CONF.wmfhooks.admin_user, project_id,
            roledict[CONF.wmfhooks.admin_role_name])
        self.assignment_api.add_role_to_user_and_project(
            CONF.wmfhooks.admin_user, project_id,
            roledict[CONF.wmfhooks.user_role_name])
        self.assignment_api.add_role_to_user_and_project(
            CONF.wmfhooks.observer_user, project_id,
            roledict[CONF.wmfhooks.observer_role_name])

        # Use the nova api to set up security groups for the new project
        auth = generic.Password(auth_url=CONF.wmfhooks.auth_url,
                                username=CONF.wmfhooks.admin_user,
                                password=CONF.wmfhooks.admin_pass,
                                user_domain_name='Default',
                                project_domain_name='Default',
                                project_name=project_id)
        session = keystone_session.Session(auth=auth)
        client = nova_client.Client('2', session=session, connect_retries=5)
        allgroups = client.security_groups.list()
        defaultgroup = filter(lambda group: group.name == 'default', allgroups)
        if defaultgroup:
            groupid = defaultgroup[0].id
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='icmp',
                                                   from_port='-1',
                                                   to_port='-1',
                                                   cidr='0.0.0.0/0')
            except (exceptions.ClientException):
                LOG.warning("icmp security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='22',
                                                   to_port='22',
                                                   cidr='10.0.0.0/8')
            except (exceptions.ClientException):
                LOG.warning("Port 22 security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='5666',
                                                   to_port='5666',
                                                   cidr='10.0.0.0/8')
            except (exceptions.ClientException):
                LOG.warning("Port 5666 security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for TCP already exists.")

            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='udp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for UDP already exists.")

            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='icmp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for ICMP already exists.")
        else:
            LOG.warning(
                "Failed to find default security group in new project.")

        assignments = self._get_current_assignments(project_id)
        ldapgroups.sync_ldap_project_group(project_id, assignments)

        # Set up default sudoers in ldap
        ldapgroups.create_sudo_defaults(project_id)
        self._create_project_page(project_id)
    def _on_project_create(self, project_id):

        LOG.warning("Beginning wmf hooks for project creation: %s" % project_id)

        roledict = self._get_role_dict()

        if CONF.wmfhooks.observer_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.observer_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.admin_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.admin_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.user_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.user_role_name)
            raise exception.NotImplemented()

        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.admin_role_name])
        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.user_role_name])
        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.observer_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.observer_role_name])

        # Use the nova api to set up security groups for the new project
        auth = generic.Password(
            auth_url=CONF.wmfhooks.auth_url,
            username=CONF.wmfhooks.admin_user,
            password=CONF.wmfhooks.admin_pass,
            user_domain_name='Default',
            project_domain_name='Default',
            project_name=project_id)
        session = keystone_session.Session(auth=auth)
        client = nova_client.Client('2', session=session, connect_retries=5)
        allgroups = client.security_groups.list()
        defaultgroup = filter(lambda group: group.name == 'default', allgroups)
        if defaultgroup:
            groupid = defaultgroup[0].id
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='icmp',
                                                   from_port='-1',
                                                   to_port='-1',
                                                   cidr='0.0.0.0/0')
            except (exceptions.ClientException):
                LOG.warning("icmp security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='22',
                                                   to_port='22',
                                                   cidr='10.0.0.0/8')
            except (exceptions.ClientException):
                LOG.warning("Port 22 security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='5666',
                                                   to_port='5666',
                                                   cidr='10.0.0.0/8')
            except (exceptions.ClientException):
                LOG.warning("Port 5666 security rule already exists.")
            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='tcp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for TCP already exists.")

            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='udp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for UDP already exists.")

            try:
                client.security_group_rules.create(groupid,
                                                   ip_protocol='icmp',
                                                   from_port='1',
                                                   to_port='65535',
                                                   cidr='',
                                                   group_id=groupid)
            except (exceptions.ClientException):
                LOG.warning("Project security rule for ICMP already exists.")
        else:
            LOG.warning("Failed to find default security group in new project.")

        assignments = self._get_current_assignments(project_id)
        ldapgroups.sync_ldap_project_group(project_id, assignments)

        # Set up default sudoers in ldap
        ldapgroups.create_sudo_defaults(project_id)
Beispiel #3
0
    def _on_project_create(self, project_id):

        LOG.warning("Beginning wmf hooks for project creation: %s" % project_id)

        roledict = self._get_role_dict()

        if CONF.wmfhooks.observer_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.observer_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.admin_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.admin_role_name)
            raise exception.NotImplemented()
        if CONF.wmfhooks.user_role_name not in roledict.keys():
            LOG.error("Failed to find id for role %s" % CONF.wmfhooks.user_role_name)
            raise exception.NotImplemented()

        LOG.warning("Adding default users to project %s" % project_id)
        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.admin_role_name])
        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.user_role_name])
        self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.observer_user,
                                                         project_id,
                                                         roledict[CONF.wmfhooks.observer_role_name])

        LOG.warning("Adding security groups to project %s" % project_id)
        # Use the neutron api to set up security groups for the new project
        auth = v3.Password(
            auth_url=CONF.wmfhooks.auth_url,
            username=CONF.wmfhooks.admin_user,
            password=CONF.wmfhooks.admin_pass,
            user_domain_name='Default',
            project_domain_name='Default',
            project_name=project_id)
        session = keystone_session.Session(auth=auth)
        client = neutron_client.Client(session=session, connect_retries=5)
        allgroups = client.list_security_groups()['security_groups']
        defaultgroup = filter(lambda group: group['name'] == 'default', allgroups)
        if defaultgroup:
            groupid = defaultgroup[0]["id"]
            try:
                client.create_security_group_rule(
                    KeystoneHooks._security_group_dict(groupid,
                                                       'icmp',
                                                       -1,
                                                       -1,
                                                       cidr='0.0.0.0/0'))
            except (exceptions.NeutronClientException):
                LOG.warning("icmp security rule already exists.")

            try:
                client.create_security_group_rule(
                    KeystoneHooks._security_group_dict(groupid,
                                                       'tcp',
                                                       22,
                                                       22,
                                                       cidr='172.16.0.0/21'))
            except (exceptions.NeutronClientException):
                LOG.warning("Port 22 security rule already exists.")

            try:
                client.create_security_group_rule(
                    KeystoneHooks._security_group_dict(groupid,
                                                       'tcp',
                                                       22,
                                                       22,
                                                       group=groupid))
            except (exceptions.NeutronClientException):
                LOG.warning("Project security rule for TCP already exists.")

            try:
                client.create_security_group_rule(
                    KeystoneHooks._security_group_dict(groupid,
                                                       'udp',
                                                       1,
                                                       65535,
                                                       group=groupid))
            except (exceptions.NeutronClientException):
                LOG.warning("Project security rule for UDP already exists.")

            try:
                client.create_security_group_rule(
                    KeystoneHooks._security_group_dict(groupid,
                                                       'icmp',
                                                       -1,
                                                       -1,
                                                       group=groupid))
            except (exceptions.NeutronClientException):
                LOG.warning("Project security rule for ICMP already exists.")
        else:
            LOG.warning("Failed to find default security group in new project.")

        LOG.warning("Syncing membership with ldap for project %s" % project_id)
        assignments = self._get_current_assignments(project_id)
        ldapgroups.sync_ldap_project_group(project_id, assignments)

        LOG.warning("Setting up default sudoers in ldap for project %s" % project_id)
        # Set up default sudoers in ldap
        ldapgroups.create_sudo_defaults(project_id)
        self._create_project_page(project_id)

        # This bit will take a while:
        LOG.warning("Creating default designate domain for project %s" % project_id)
        designatemakedomain.createDomain(
            CONF.wmfhooks.auth_url,
            CONF.wmfhooks.admin_user,
            CONF.wmfhooks.admin_pass,
            project_id,
            '{}.wmflabs.org.'.format(project_id),
            'wmflabsdotorg'
        )

        LOG.warning("Completed wmf hooks for project creation: %s" % project_id)