def _on_project_create(self, project_id):
LOG.warning("Beginning wmf hooks for project creation: %s" % project_id)
roledict = self._get_role_dict()
if CONF.wmfhooks.observer_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.observer_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.admin_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.admin_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.user_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.user_role_name)
raise exception.NotImplemented()
LOG.warning("Adding default users to project %s" % project_id)
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
project_id,
roledict[CONF.wmfhooks.admin_role_name])
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
project_id,
roledict[CONF.wmfhooks.user_role_name])
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.observer_user,
project_id,
roledict[CONF.wmfhooks.observer_role_name])
LOG.warning("Adding security groups to project %s" % project_id)
# Use the neutron api to set up security groups for the new project
auth = v3.Password(
auth_url=CONF.wmfhooks.auth_url,
username=CONF.wmfhooks.admin_user,
password=CONF.wmfhooks.admin_pass,
user_domain_name='Default',
project_domain_name='Default',
project_name=project_id)
session = keystone_session.Session(auth=auth)
client = neutron_client.Client(session=session, connect_retries=5)
allgroups = client.list_security_groups()['security_groups']
defaultgroup = filter(lambda group: group['name'] == 'default', allgroups)
if defaultgroup:
groupid = defaultgroup[0]["id"]
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'icmp',
-1,
-1,
cidr='0.0.0.0/0'))
except (exceptions.NeutronClientException):
LOG.warning("icmp security rule already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'tcp',
22,
22,
cidr='172.16.0.0/21'))
except (exceptions.NeutronClientException):
LOG.warning("Port 22 security rule already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'tcp',
22,
22,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for TCP already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'udp',
1,
65535,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for UDP already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'icmp',
-1,
-1,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for ICMP already exists.")
else:
LOG.warning("Failed to find default security group in new project.")
LOG.warning("Syncing membership with ldap for project %s" % project_id)
assignments = self._get_current_assignments(project_id)
ldapgroups.sync_ldap_project_group(project_id, assignments)
LOG.warning("Setting up default sudoers in ldap for project %s" % project_id)
# Set up default sudoers in ldap
ldapgroups.create_sudo_defaults(project_id)
self._create_project_page(project_id)
# This bit will take a while:
LOG.warning("Creating default designate domain for project %s" % project_id)
designatemakedomain.createDomain(
CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass,
project_id,
'{}.wmflabs.org.'.format(project_id),
'wmflabsdotorg'
)
LOG.warning("Completed wmf hooks for project creation: %s" % project_id)
def _on_project_create(self, project_id):
LOG.warning("Beginning wmf hooks for project creation: %s" %
project_id)
roledict = self._get_role_dict()
if CONF.wmfhooks.observer_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" %
CONF.wmfhooks.observer_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.admin_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" %
CONF.wmfhooks.admin_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.user_role_name not in roledict.keys():
LOG.error("Failed to find id for role %s" %
CONF.wmfhooks.user_role_name)
raise exception.NotImplemented()
self.assignment_api.add_role_to_user_and_project(
CONF.wmfhooks.admin_user, project_id,
roledict[CONF.wmfhooks.admin_role_name])
self.assignment_api.add_role_to_user_and_project(
CONF.wmfhooks.admin_user, project_id,
roledict[CONF.wmfhooks.user_role_name])
self.assignment_api.add_role_to_user_and_project(
CONF.wmfhooks.observer_user, project_id,
roledict[CONF.wmfhooks.observer_role_name])
# Use the nova api to set up security groups for the new project
auth = generic.Password(auth_url=CONF.wmfhooks.auth_url,
username=CONF.wmfhooks.admin_user,
password=CONF.wmfhooks.admin_pass,
user_domain_name='Default',
project_domain_name='Default',
project_name=project_id)
session = keystone_session.Session(auth=auth)
client = nova_client.Client('2', session=session, connect_retries=5)
allgroups = client.security_groups.list()
defaultgroup = filter(lambda group: group.name == 'default', allgroups)
if defaultgroup:
groupid = defaultgroup[0].id
try:
client.security_group_rules.create(groupid,
ip_protocol='icmp',
from_port='-1',
to_port='-1',
cidr='0.0.0.0/0')
except (exceptions.ClientException):
LOG.warning("icmp security rule already exists.")
try:
client.security_group_rules.create(groupid,
ip_protocol='tcp',
from_port='22',
to_port='22',
cidr='10.0.0.0/8')
except (exceptions.ClientException):
LOG.warning("Port 22 security rule already exists.")
try:
client.security_group_rules.create(groupid,
ip_protocol='tcp',
from_port='22',
to_port='22',
cidr='172.16.0.0/21')
except (exceptions.ClientException):
LOG.warning("Port 22 neutron security rule already exists.")
try:
client.security_group_rules.create(groupid,
ip_protocol='tcp',
from_port='1',
to_port='65535',
cidr='',
group_id=groupid)
except (exceptions.ClientException):
LOG.warning("Project security rule for TCP already exists.")
try:
client.security_group_rules.create(groupid,
ip_protocol='udp',
from_port='1',
to_port='65535',
cidr='',
group_id=groupid)
except (exceptions.ClientException):
LOG.warning("Project security rule for UDP already exists.")
try:
client.security_group_rules.create(groupid,
ip_protocol='icmp',
from_port='1',
to_port='65535',
cidr='',
group_id=groupid)
except (exceptions.ClientException):
LOG.warning("Project security rule for ICMP already exists.")
else:
LOG.warning(
"Failed to find default security group in new project.")
assignments = self._get_current_assignments(project_id)
ldapgroups.sync_ldap_project_group(project_id, assignments)
# Set up default sudoers in ldap
ldapgroups.create_sudo_defaults(project_id)
self._create_project_page(project_id)
# This bit will take a while:
designatemakedomain.createDomain(CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass, project_id,
'{}.wmflabs.org.'.format(project_id))
def _on_project_create(self, project_id):
LOG.warning("Beginning wmf hooks for project creation: %s" % project_id)
roledict = self._get_role_dict()
if CONF.wmfhooks.observer_role_name not in list(roledict.keys()):
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.observer_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.admin_role_name not in list(roledict.keys()):
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.admin_role_name)
raise exception.NotImplemented()
if CONF.wmfhooks.user_role_name not in list(roledict.keys()):
LOG.error("Failed to find id for role %s" % CONF.wmfhooks.user_role_name)
raise exception.NotImplemented()
LOG.warning("Adding default users to project %s" % project_id)
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
project_id,
roledict[CONF.wmfhooks.admin_role_name])
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.admin_user,
project_id,
roledict[CONF.wmfhooks.user_role_name])
self.assignment_api.add_role_to_user_and_project(CONF.wmfhooks.observer_user,
project_id,
roledict[CONF.wmfhooks.observer_role_name])
LOG.warning("Adding security groups to project %s" % project_id)
# Use the neutron api to set up security groups for the new project
auth = v3.Password(
auth_url=CONF.wmfhooks.auth_url,
username=CONF.wmfhooks.admin_user,
password=CONF.wmfhooks.admin_pass,
user_domain_name='Default',
project_domain_name='Default',
project_name=project_id)
session = keystone_session.Session(auth=auth)
client = neutron_client.Client(session=session, connect_retries=5)
allgroups = client.list_security_groups()['security_groups']
defaultgroup = [group for group in allgroups if group['name'] == 'default']
if defaultgroup:
groupid = defaultgroup[0]["id"]
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'icmp',
-1,
-1,
cidr='0.0.0.0/0'))
except (exceptions.NeutronClientException):
LOG.warning("icmp security rule already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'tcp',
22,
22,
cidr=CONF.wmfhooks.instance_ip_range))
except (exceptions.NeutronClientException):
LOG.warning("Port 22 security rule already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'tcp',
22,
22,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for TCP already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'udp',
1,
65535,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for UDP already exists.")
try:
client.create_security_group_rule(
KeystoneHooks._security_group_dict(groupid,
'icmp',
-1,
-1,
group=groupid))
except (exceptions.NeutronClientException):
LOG.warning("Project security rule for ICMP already exists.")
else:
LOG.warning("Failed to find default security group in new project.")
LOG.warning("Syncing membership with ldap for project %s" % project_id)
assignments = self._get_current_assignments(project_id)
ldapgroups.sync_ldap_project_group(project_id, assignments)
LOG.warning("Setting up default sudoers in ldap for project %s" % project_id)
# Set up default sudoers in ldap
ldapgroups.create_sudo_defaults(project_id)
self._create_project_page(project_id)
# This bit will take a while:
if CONF.wmfhooks.region.endswith('-r'):
deployment = CONF.wmfhooks.region[:-2]
LOG.warning("Creating default .wmcloud.org domain for project %s" % project_id)
designatemakedomain.createDomain(
CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass,
project_id,
'{}.{}.wmcloud.org.'.format(project_id, deployment),
CONF.wmfhooks.wmcloud_domain_owner,
CONF.wmfhooks.region
)
LOG.warning("Creating default "
"svc.<project>.<deployment>.wikimedia.cloud for project %s" %
project_id)
designatemakedomain.createDomain(
CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass,
project_id,
'svc.{}.{}.wikimedia.cloud.'.format(project_id, deployment),
CONF.wmfhooks.wmcloud_domain_owner,
CONF.wmfhooks.region
)
else:
LOG.warning("Unfamiliar region format; "
"unable to create .wmcloud.org domain for %s" % project_id)
if CONF.wmfhooks.region == 'eqiad1-r':
# Special case shortcut domains for eqiad1
LOG.warning("Creating shortcut .wmcloud.org domain for project %s in eqiad1-r" %
project_id)
designatemakedomain.createDomain(
CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass,
project_id,
'{}.wmcloud.org.'.format(project_id),
CONF.wmfhooks.wmcloud_domain_owner,
CONF.wmfhooks.region
)
LOG.warning("Creating default .wmflabs.org domain for project %s" % project_id)
designatemakedomain.createDomain(
CONF.wmfhooks.auth_url,
CONF.wmfhooks.admin_user,
CONF.wmfhooks.admin_pass,
project_id,
'{}.wmflabs.org.'.format(project_id),
'wmflabsdotorg',
CONF.wmfhooks.region
)
LOG.warning("Completed wmf hooks for project creation: %s" % project_id)
)
args = argparser.parse_args()
if args.delete and args.all:
if args.domain:
print "--domain should not be specified unless if --delete and --all are true"
exit(1)
else:
if not args.domain:
print "--domain must be specified unless you are doing --delete --all"
exit(1)
else:
if not args.domain.endswith('.'):
args.domain = "%s." % args.domain
if args.delete:
designatemakedomain.deleteDomain(args.keystone_url,
args.designate_user,
args.designate_pass,
args.project,
args.domain,
args.all)
else:
designatemakedomain.createDomain(args.keystone_url,
args.designate_user,
args.designate_pass,
args.project,
args.domain,
args.orig_project)
