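def send_ssl_sync_request():
    """Set sync request on cluster relation.

    Value set equals number of ssl configs currently enabled so that if they
    change, we ensure that certs are synced. This setting is consumed by
    cluster-relation-changed ssl master. We also clear the 'synced' set to
    guarantee that a sync will occur.

    Note that we do nothing if the setting is already applied.
    """
    unit = local_unit().replace('/', '-')
    count = 0
    use_https = config('use-https')
    if use_https and bool_from_string(use_https):
        count += 1

    https_service_endpoints = config('https-service-endpoints')
    if (https_service_endpoints and
            bool_from_string(https_service_endpoints)):
        count += 2

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        count += 3

    key = 'ssl-sync-required-%s' % (unit)
    settings = {key: count}

    # If all ssl is disabled ensure this is set to 0 so that cluster hook runs
    # and endpoints are updated.
    if not count:
        log("Setting %s=%s" % (key, count), level=DEBUG)
        for rid in relation_ids('cluster'):
            relation_set(relation_id=rid, relation_settings=settings)
        return

    prev = 0
    rid = None
    for rid in relation_ids('cluster'):
        for remote_unit in related_units(rid):
            _prev = relation_get(rid=rid, unit=remote_unit, attribute=key) or 0
            # Relation data comes back as text; coerce before comparing so a
            # previously published value is compared by value rather than by
            # type against the int computed above. A malformed value counts
            # as "nothing set".
            try:
                _prev = int(_prev)
            except (TypeError, ValueError):
                _prev = 0
            if _prev > prev:
                prev = _prev

    # NOTE(review): only an increase in the count triggers a resync; a
    # decrease (an ssl option switched off while others stay on) leaves the
    # previous request in place — confirm this matches the docstring's
    # "if they change" intent.
    if rid and prev < count:
        clear_ssl_synced_units()
        log("Setting %s=%s" % (key, count), level=DEBUG)
        relation_set(relation_id=rid, relation_settings=settings)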
def https():
    """Return True when HTTPS can be configured from config or relation data.

    HTTPS is considered configurable when any of the following holds:
    the 'use-https' option is a true value; both 'ssl_cert' and 'ssl_key'
    are configured; a unit on a 'certificates' relation has published a
    'ca'; or a unit on an 'identity-service' relation has published both
    'https_keystone' and 'ca_cert' (neither None nor empty).

    returns: boolean
    """
    use_https = config_get('use-https')
    if use_https and bool_from_string(use_https):
        return True

    if config_get('ssl_cert') and config_get('ssl_key'):
        return True

    # Any CA published over the certificates relation is sufficient.
    for r_id in relation_ids('certificates'):
        if any(relation_get('ca', rid=r_id, unit=u)
               for u in relation_list(r_id)):
            return True

    for r_id in relation_ids('identity-service'):
        for unit in relation_list(r_id):
            # TODO - needs fixing for new helper as ssl_cert/key suffixes with CN
            https_keystone = relation_get('https_keystone', rid=r_id, unit=unit)
            ca_cert = relation_get('ca_cert', rid=r_id, unit=unit)
            # NOTE: works around (LP: #1203241)
            if all(value not in (None, '')
                   for value in (https_keystone, ca_cert)):
                return True

    return False
def __call__(self):
    """Return a logging context enabling root-level DEBUG when 'debug' is set.

    Yields an empty dict unless the 'debug' config option holds a true
    value, in which case {'root_level': 'DEBUG'} is returned.
    """
    debug = config('debug')
    if not (debug and bool_from_string(debug)):
        return {}
    return {'root_level': 'DEBUG'}
def __call__(self):
    """Build the template context for keystone.conf.

    Reads charm config for the admin token, preferred API version, admin
    role, listening ports, logging flags, token expiration and the
    identity/assignment backends. Adds LDAP settings when the identity
    backend is 'ldap', PKI signing cert paths when 'enable-pki' is true,
    and the public/admin endpoint URLs with any 'v2.0' suffix removed.
    """
    from keystone_utils import (
        api_port, set_admin_token, endpoint_url, resolve_address,
        PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths,
        get_admin_domain_id
    )

    ctxt = {
        'token': set_admin_token(config('admin-token')),
        'api_version': int(config('preferred-api-version')),
        'admin_role': config('admin-role'),
    }
    if ctxt['api_version'] > 2:
        # Placeholder id until the admin domain has been created.
        ctxt['admin_domain_id'] = get_admin_domain_id() or 'admin_domain_id'

    for ctxt_key, port_name in (('admin_port', 'keystone-admin'),
                                ('public_port', 'keystone-public')):
        ctxt[ctxt_key] = determine_api_port(api_port(port_name),
                                            singlenode_mode=True)

    # Options copied straight through (dashes mapped to underscores).
    for option in ('debug', 'verbose', 'token-expiration',
                   'identity-backend', 'assignment-backend'):
        ctxt[option.replace('-', '_')] = config(option)

    if ctxt['identity_backend'] == 'ldap':
        for option in ('ldap-server', 'ldap-user', 'ldap-password',
                       'ldap-suffix', 'ldap-readonly'):
            ctxt[option.replace('-', '_')] = config(option)
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        ensure_pki_cert_paths()
        certs_dir = os.path.join(PKI_CERTS_DIR, 'certs')
        privates_dir = os.path.join(PKI_CERTS_DIR, 'privates')
        ctxt['certfile'] = os.path.join(certs_dir, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates_dir, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs_dir, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs_dir, 'ca_key.pem')

    # Base endpoint URLs returned in keystone responses to unauthenticated
    # requests so that clients are redirected to the correct auth URL.
    for ctxt_key, address_type, port_name in (
            ('public_endpoint', PUBLIC, 'keystone-public'),
            ('admin_endpoint', ADMIN, 'keystone-admin')):
        url = endpoint_url(resolve_address(address_type), api_port(port_name))
        ctxt[ctxt_key] = url.replace('v2.0', '')

    return ctxt
def enable_serial_console(self):
    """Return 'true' if any cloud-compute unit requests the serial console.

    Every unit on every 'cloud-compute' relation is checked for an
    'enable_serial_console' value; the first true-valued one wins. The
    result is the string 'true' or 'false' (not a bool), as consumed by
    the template.
    """
    for rid in relation_ids('cloud-compute'):
        for remote_unit in related_units(rid):
            flag = relation_get('enable_serial_console', rid=rid,
                                unit=remote_unit)
            if not flag:
                continue
            if bool_from_string(flag):
                return 'true'
    return 'false'
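def send_ssl_sync_request():
    """Set sync request on cluster relation.

    Value set is a bitmask of the ssl configs currently enabled so that if
    they change, we ensure that certs are synced. This setting is consumed by
    cluster-relation-changed ssl master. We also clear the 'synced' set to
    guarantee that a sync will occur.

    Note that we do nothing if the setting is already applied.
    """
    unit = local_unit().replace('/', '-')

    # Start with core config (e.g. used for signing revoked token list)
    ssl_config = 0b1

    use_https = config('use-https')
    if use_https and bool_from_string(use_https):
        ssl_config ^= 0b10

    https_service_endpoints = config('https-service-endpoints')
    if (https_service_endpoints and
            bool_from_string(https_service_endpoints)):
        ssl_config ^= 0b100

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        ssl_config ^= 0b1000

    key = 'ssl-sync-required-%s' % (unit)
    settings = {key: ssl_config}

    prev = 0b0
    rid = None
    for rid in relation_ids('cluster'):
        for remote_unit in related_units(rid):
            _prev = relation_get(rid=rid, unit=remote_unit,
                                 attribute=key) or 0b0
            # Relation values arrive as text; coerce to int so the
            # comparison and the XOR below operate on numbers. (Storing
            # bin(_prev) here, as before, turned prev into a str and broke
            # both.) A malformed value counts as "nothing set".
            try:
                _prev = int(_prev)
            except (TypeError, ValueError):
                _prev = 0b0
            if _prev > prev:
                prev = _prev

    # Any difference in the mask (bits added or removed) forces a resync.
    if rid and prev ^ ssl_config:
        clear_ssl_synced_units()
        log("Setting %s=%s" % (key, bin(ssl_config)), level=DEBUG)
        relation_set(relation_id=rid, relation_settings=settings)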
def nova_metadata_requirement():
    """Work out whether the nova metadata API is needed and its shared secret.

    Walks every unit on every 'neutron-plugin' relation. A unit publishing
    'metadata-shared-secret' supplies the secret and enables the service;
    a unit publishing a true-valued 'enable-metadata' enables it without
    a secret. A later unit's secret overrides an earlier one.

    Returns an (enable, secret) tuple: enable is a bool, secret is the last
    shared secret seen or None.
    """
    enable, secret = False, None
    for rid in relation_ids('neutron-plugin'):
        for remote_unit in related_units(rid):
            rdata = relation_get(rid=rid, unit=remote_unit)
            has_secret = 'metadata-shared-secret' in rdata
            if has_secret:
                secret = rdata['metadata-shared-secret']
            # Always parsed, so a malformed 'enable-metadata' value still
            # surfaces as an error from bool_from_string.
            wants_metadata = bool_from_string(
                rdata.get('enable-metadata', 'False'))
            if has_secret or wants_metadata:
                enable = True
    return enable, secret
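def get_neutron_options(self, rdata):
    """Resolve neutron settings from relation data, falling back to defaults.

    Args:
        rdata: relation data mapping (relation keys to their values).

    Returns:
        dict keyed by the names in ``self.neutron_defaults``. Each value is
        ``rdata[spec['rel_key']]`` when that key is present — parsed with
        bool_from_string when ``spec['default']`` is a bool, otherwise used
        verbatim — and ``spec['default']`` when it is absent.
    """
    settings = {}
    for nkey, spec in self.neutron_defaults.items():
        default = spec['default']
        rel_key = spec['rel_key']
        if rel_key not in rdata:
            settings[nkey] = default
        elif isinstance(default, bool):
            # Relation data is text; only coerce where the default says a
            # bool is expected.
            settings[nkey] = bool_from_string(rdata[rel_key])
        else:
            settings[nkey] = rdata[rel_key]
    return settings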
def neutron_plugin_changed():
    """Install or purge nova-api-metadata from neutron-plugin relation data.

    The package is installed when the remote unit publishes a
    'metadata-shared-secret' or a true-valued 'enable-metadata'; otherwise
    it is purged. nova.conf is re-rendered in both cases.
    """
    settings = relation_get()
    raw_flag = settings.get('enable-metadata')
    enable_metadata = bool_from_string(raw_flag) if raw_flag else False
    needs_metadata = 'metadata-shared-secret' in settings or enable_metadata

    if needs_metadata:
        apt_update()
        apt_install(filter_installed_packages(['nova-api-metadata']),
                    fatal=True)
    else:
        apt_purge('nova-api-metadata', fatal=True)

    CONFIGS.write(NOVA_CONF)
def __call__(self):
    """Provide all configuration for Horizon.

    Every value comes from charm config. 'secret' falls back to a freshly
    generated value, 'webroot' to '/', 'api_result_limit' to 1000 and
    'support_profile' is only populated for the 'cisco' profile.
    """
    secret = config('secret')
    profile = config('profile')
    default_domain = config('default-domain')

    # NOTE(review): 'offline-compression', 'debug' and 'ubuntu-theme' are
    # passed to bool_from_string unguarded, so an unset option would raise
    # ValueError — presumably config.yaml supplies defaults; confirm.
    ctxt = {
        'compress_offline': bool_from_string(config('offline-compression')),
        'debug': bool_from_string(config('debug')),
        'customization_module': config('customization-module'),
        'webroot': config('webroot') or '/',
        'ubuntu_theme': bool_from_string(config('ubuntu-theme')),
        'default_theme': config('default-theme'),
        'custom_theme': config('custom-theme'),
        # NOTE(review): with no configured secret a new one is produced on
        # every render unless pwgen() persists its result — confirm, since
        # a changing secret invalidates existing sessions.
        'secret': secret.strip() if secret else pwgen(),
        'support_profile': profile if profile in ['cisco'] else None,
        'default_domain': default_domain,
        'multi_domain': not default_domain,
        'api_result_limit': config('api-result-limit') or 1000,
        'disable_instance_snapshot': bool(config('disable-instance-snapshot')),
    }

    # Options copied through unchanged (dashes mapped to underscores).
    for option in ('neutron-network-dvr', 'neutron-network-l3ha',
                   'neutron-network-lb', 'neutron-network-firewall',
                   'neutron-network-vpn', 'cinder-backup',
                   'allow-password-autocompletion', 'password-retrieve',
                   'default-create-volume', 'image-formats',
                   'enable-fip-topology-check', 'session-timeout',
                   'dropdown-max-items', 'enable-consistency-groups',
                   'disable-password-reveal'):
        ctxt[option.replace('-', '_')] = config(option)

    return ctxt
def __call__(self):
    """Provide all configuration for Horizon.

    Every value comes from charm config. 'secret' falls back to a freshly
    generated value, 'webroot' to '/', 'api_result_limit' to 1000 and
    'support_profile' is only populated for the 'cisco' profile.
    """
    profile = config('profile')
    default_domain = config('default-domain')

    # NOTE(review): 'offline-compression', 'debug' and 'ubuntu-theme' are
    # passed to bool_from_string unguarded, so an unset option would raise
    # ValueError — presumably config.yaml supplies defaults; confirm.
    ctxt = {
        'compress_offline': bool_from_string(config('offline-compression')),
        'debug': bool_from_string(config('debug')),
        'customization_module': config('customization-module'),
        'default_role': config('default-role'),
        'webroot': config('webroot') or '/',
        'ubuntu_theme': bool_from_string(config('ubuntu-theme')),
        'default_theme': config('default-theme'),
        'custom_theme': config('custom-theme'),
        # NOTE(review): with no configured secret a new one is produced on
        # every render unless pwgen() persists its result — confirm, since
        # a changing secret invalidates existing sessions.
        'secret': config('secret') or pwgen(),
        'support_profile': profile if profile in ['cisco'] else None,
        'default_domain': default_domain,
        'multi_domain': not default_domain,
        'api_result_limit': config('api-result-limit') or 1000,
    }

    # Options copied through unchanged (dashes mapped to underscores).
    for option in ('neutron-network-dvr', 'neutron-network-l3ha',
                   'neutron-network-lb', 'neutron-network-firewall',
                   'neutron-network-vpn', 'cinder-backup',
                   'allow-password-autocompletion', 'password-retrieve',
                   'default-create-volume', 'image-formats',
                   'enable-fip-topology-check', 'session-timeout',
                   'dropdown-max-items', 'enable-consistency-groups'):
        ctxt[option.replace('-', '_')] = config(option)

    return ctxt
def https():
    """Return True when HTTPS can be configured from config or relation data.

    HTTPS is considered configurable when any of the following holds:
    the 'use-https' option is a true value; both 'ssl_cert' and 'ssl_key'
    are configured; or a unit on an 'identity-service' relation has
    published both 'https_keystone' and 'ca_cert' (neither None nor empty).

    returns: boolean
    """
    use_https = config_get('use-https')
    if use_https and bool_from_string(use_https):
        return True

    if config_get('ssl_cert') and config_get('ssl_key'):
        return True

    for r_id in relation_ids('identity-service'):
        for unit in relation_list(r_id):
            # TODO - needs fixing for new helper as ssl_cert/key suffixes with CN
            https_keystone = relation_get('https_keystone', rid=r_id, unit=unit)
            ca_cert = relation_get('ca_cert', rid=r_id, unit=unit)
            # NOTE: works around (LP: #1203241)
            if all(value not in (None, '')
                   for value in (https_keystone, ca_cert)):
                return True

    return False
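def __call__(self):
    """Build the template context for keystone.conf (PKI-capable variant).

    Reads charm config for the admin token, listening ports, logging
    flags, token expiration and the identity/assignment backends; adds
    LDAP settings when the identity backend is 'ldap'. When 'enable-pki'
    is true the PKI token provider is selected, the cert directories are
    created or re-permissioned for the sync user, and the signing cert
    paths are added. Finishes with the public/admin endpoint URLs with
    any 'v2.0' suffix removed.
    """
    from keystone_utils import (
        api_port, set_admin_token, endpoint_url, resolve_address,
        PUBLIC, ADMIN, PKI_CERTS_DIR, SSH_USER, ensure_permissions,
    )
    ctxt = {}
    ctxt['token'] = set_admin_token(config('admin-token'))
    ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
                                            singlenode_mode=True)
    ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
                                             singlenode_mode=True)
    debug = config('debug')
    ctxt['debug'] = debug and bool_from_string(debug)
    verbose = config('verbose')
    ctxt['verbose'] = verbose and bool_from_string(verbose)
    ctxt['token_expiration'] = config('token-expiration')

    ctxt['identity_backend'] = config('identity-backend')
    ctxt['assignment_backend'] = config('assignment-backend')
    if config('identity-backend') == 'ldap':
        ctxt['ldap_server'] = config('ldap-server')
        ctxt['ldap_user'] = config('ldap-user')
        ctxt['ldap_password'] = config('ldap-password')
        ctxt['ldap_suffix'] = config('ldap-suffix')
        ctxt['ldap_readonly'] = config('ldap-readonly')
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            flags = context.config_flags_parser(ldap_flags)
            ctxt['ldap_config_flags'] = flags

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        ctxt['signing'] = True
        ctxt['token_provider'] = 'pki'

    if 'token_provider' in ctxt:
        log("Configuring PKI token cert paths", level=DEBUG)
        certs = os.path.join(PKI_CERTS_DIR, 'certs')
        privates = os.path.join(PKI_CERTS_DIR, 'privates')
        # NOTE(review): 0o755 makes every directory, including 'privates',
        # world-traversable; the signing key file itself must carry a
        # restrictive mode — confirm where that is enforced.
        for path in [PKI_CERTS_DIR, certs, privates]:
            perms = 0o755
            if not os.path.isdir(path):
                mkdir(path=path, owner=SSH_USER, group='keystone',
                      perms=perms)
            else:
                # Ensure accessible by ssh user and group (for sync).
                ensure_permissions(path, user=SSH_USER, group='keystone',
                                   perms=perms)

        # dict.update works on both Python 2 and 3 (iteritems() does not).
        ctxt.update({
            'certfile': os.path.join(certs, 'signing_cert.pem'),
            'keyfile': os.path.join(privates, 'signing_key.pem'),
            'ca_certs': os.path.join(certs, 'ca.pem'),
            'ca_key': os.path.join(certs, 'ca_key.pem')
        })

    # Base endpoint URL's which are used in keystone responses
    # to unauthenticated requests to redirect clients to the
    # correct auth URL.
    # str.replace removes the literal 'v2.0' suffix; the previous
    # rstrip('v2.0') stripped any trailing run of the characters
    # 'v', '2', '.', '0' and could eat the end of a port number.
    ctxt['public_endpoint'] = endpoint_url(
        resolve_address(PUBLIC),
        api_port('keystone-public')).replace('v2.0', '')
    ctxt['admin_endpoint'] = endpoint_url(
        resolve_address(ADMIN),
        api_port('keystone-admin')).replace('v2.0', '')

    return ctxt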
def test_bool_from_string(self):
    """bool_from_string accepts the usual yes/no spellings and rejects the rest."""
    truthy = ['true', 'True', 'yes', 'Yes', 'y', 'Y', 'on',
              # unicode should also work
              u'true']
    for value in truthy:
        self.assertTrue(strutils.bool_from_string(value))

    falsy = ['False', 'false', 'no', 'No', 'n', 'N', 'off']
    for value in falsy:
        self.assertFalse(strutils.bool_from_string(value))

    # Anything unrecognised, including None, is an error rather than False.
    for bad in (None, 'foo'):
        self.assertRaises(ValueError, strutils.bool_from_string, bad)
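def __call__(self):
    """Build the template context for keystone.conf (PKI-capable variant).

    Reads charm config for the admin token, listening ports, logging
    flags, token expiration and the identity/assignment backends; adds
    LDAP settings when the identity backend is 'ldap'. When 'enable-pki'
    is true the PKI token provider is selected, the cert directories are
    created or re-permissioned for the sync user, and the signing cert
    paths are added. Finishes with the public/admin endpoint URLs with
    any 'v2.0' suffix removed.
    """
    from keystone_utils import (
        api_port, set_admin_token, endpoint_url, resolve_address,
        PUBLIC, ADMIN, PKI_CERTS_DIR, SSH_USER, ensure_permissions,
    )
    ctxt = {}
    ctxt['token'] = set_admin_token(config('admin-token'))
    ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'),
                                            singlenode_mode=True)
    ctxt['public_port'] = determine_api_port(api_port('keystone-public'),
                                             singlenode_mode=True)
    debug = config('debug')
    ctxt['debug'] = debug and bool_from_string(debug)
    verbose = config('verbose')
    ctxt['verbose'] = verbose and bool_from_string(verbose)
    ctxt['token_expiration'] = config('token-expiration')

    ctxt['identity_backend'] = config('identity-backend')
    ctxt['assignment_backend'] = config('assignment-backend')
    if config('identity-backend') == 'ldap':
        ctxt['ldap_server'] = config('ldap-server')
        ctxt['ldap_user'] = config('ldap-user')
        ctxt['ldap_password'] = config('ldap-password')
        ctxt['ldap_suffix'] = config('ldap-suffix')
        ctxt['ldap_readonly'] = config('ldap-readonly')
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            flags = context.config_flags_parser(ldap_flags)
            ctxt['ldap_config_flags'] = flags

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        ctxt['signing'] = True
        ctxt['token_provider'] = 'pki'

    if 'token_provider' in ctxt:
        log("Configuring PKI token cert paths", level=DEBUG)
        certs = os.path.join(PKI_CERTS_DIR, 'certs')
        privates = os.path.join(PKI_CERTS_DIR, 'privates')
        # NOTE(review): 0o755 makes every directory, including 'privates',
        # world-traversable; the signing key file itself must carry a
        # restrictive mode — confirm where that is enforced.
        for path in [PKI_CERTS_DIR, certs, privates]:
            perms = 0o755
            if not os.path.isdir(path):
                mkdir(path=path, owner=SSH_USER, group='keystone',
                      perms=perms)
            else:
                # Ensure accessible by ssh user and group (for sync).
                ensure_permissions(path, user=SSH_USER, group='keystone',
                                   perms=perms)

        # dict.update works on both Python 2 and 3 (iteritems() does not).
        ctxt.update({
            'certfile': os.path.join(certs, 'signing_cert.pem'),
            'keyfile': os.path.join(privates, 'signing_key.pem'),
            'ca_certs': os.path.join(certs, 'ca.pem'),
            'ca_key': os.path.join(certs, 'ca_key.pem')
        })

    # Base endpoint URL's which are used in keystone responses
    # to unauthenticated requests to redirect clients to the
    # correct auth URL.
    # str.replace removes the literal 'v2.0' suffix; the previous
    # rstrip('v2.0') stripped any trailing run of the characters
    # 'v', '2', '.', '0' and could eat the end of a port number.
    ctxt['public_endpoint'] = endpoint_url(
        resolve_address(PUBLIC),
        api_port('keystone-public')).replace('v2.0', '')
    ctxt['admin_endpoint'] = endpoint_url(
        resolve_address(ADMIN),
        api_port('keystone-admin')).replace('v2.0', '')

    return ctxt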
def __call__(self):
    """Build the template context for keystone.conf.

    Reads charm config for the admin token, preferred API version, admin
    role, listening ports, logging flags, token expiration and the
    identity/assignment backends. For API v3 the service tenant and
    domain ids are taken from leader settings. Adds LDAP settings when
    the identity backend is 'ldap', PKI signing cert paths when
    'enable-pki' is true, and the public/admin endpoint URLs with any
    'v2.0' suffix removed.
    """
    from keystone_utils import (
        api_port, set_admin_token, endpoint_url, resolve_address,
        PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths, ADMIN_DOMAIN,
    )

    ctxt = {
        'token': set_admin_token(config('admin-token')),
        'api_version': int(config('preferred-api-version')),
        'admin_role': config('admin-role'),
    }
    if ctxt['api_version'] > 2:
        # Ids are allocated by the leader and shared via leader settings.
        ctxt['service_tenant_id'] = leader_get(attribute='service_tenant_id')
        ctxt['admin_domain_name'] = ADMIN_DOMAIN
        for attribute in ('admin_domain_id', 'default_domain_id'):
            ctxt[attribute] = leader_get(attribute=attribute)

    for ctxt_key, port_name in (('admin_port', 'keystone-admin'),
                                ('public_port', 'keystone-public')):
        ctxt[ctxt_key] = determine_api_port(api_port(port_name),
                                            singlenode_mode=True)

    # Options copied straight through (dashes mapped to underscores).
    for option in ('debug', 'verbose', 'token-expiration',
                   'identity-backend', 'assignment-backend'):
        ctxt[option.replace('-', '_')] = config(option)

    if ctxt['identity_backend'] == 'ldap':
        for option in ('ldap-server', 'ldap-user', 'ldap-password',
                       'ldap-suffix', 'ldap-readonly'):
            ctxt[option.replace('-', '_')] = config(option)
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    if enable_pki and bool_from_string(enable_pki):
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        ensure_pki_cert_paths()
        certs_dir = os.path.join(PKI_CERTS_DIR, 'certs')
        privates_dir = os.path.join(PKI_CERTS_DIR, 'privates')
        ctxt['certfile'] = os.path.join(certs_dir, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates_dir, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs_dir, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs_dir, 'ca_key.pem')

    # Base endpoint URLs returned in keystone responses to unauthenticated
    # requests so that clients are redirected to the correct auth URL.
    for ctxt_key, address_type, port_name in (
            ('public_endpoint', PUBLIC, 'keystone-public'),
            ('admin_endpoint', ADMIN, 'keystone-admin')):
        url = endpoint_url(resolve_address(address_type), api_port(port_name))
        ctxt[ctxt_key] = url.replace('v2.0', '')

    return ctxt
def __call__(self):
    """Build the template context for keystone.conf.

    Reads charm config for the admin token, admin role, listening ports,
    logging flags, token expiration and the identity/assignment backends;
    the API version comes from get_api_version(). For API v3 the service
    tenant and domain ids are taken from leader settings. Adds LDAP
    settings when the identity backend is 'ldap' and, when 'enable-pki'
    is true, selects the PKI token provider and adds signing cert paths
    ('enable_signing' records which branch was taken). Finishes with the
    public/admin endpoint URLs with any 'v2.0' suffix removed and the
    domain/logging/paste config paths, which differ for snap installs.
    """
    from keystone_utils import (
        api_port, set_admin_token, endpoint_url, resolve_address,
        PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths, ADMIN_DOMAIN,
        snap_install_requested, get_api_version,
    )

    ctxt = {
        'token': set_admin_token(config('admin-token')),
        'api_version': get_api_version(),
        'admin_role': config('admin-role'),
    }
    if ctxt['api_version'] > 2:
        # Ids are allocated by the leader and shared via leader settings.
        ctxt['service_tenant_id'] = leader_get(attribute='service_tenant_id')
        ctxt['admin_domain_name'] = ADMIN_DOMAIN
        for attribute in ('admin_domain_id', 'default_domain_id'):
            ctxt[attribute] = leader_get(attribute=attribute)

    for ctxt_key, port_name in (('admin_port', 'keystone-admin'),
                                ('public_port', 'keystone-public')):
        ctxt[ctxt_key] = determine_api_port(api_port(port_name),
                                            singlenode_mode=True)

    # Options copied straight through (dashes mapped to underscores).
    for option in ('debug', 'verbose', 'token-expiration',
                   'identity-backend', 'assignment-backend'):
        ctxt[option.replace('-', '_')] = config(option)

    if ctxt['identity_backend'] == 'ldap':
        for option in ('ldap-server', 'ldap-user', 'ldap-password',
                       'ldap-suffix', 'ldap-readonly'):
            ctxt[option.replace('-', '_')] = config(option)
        ldap_flags = config('ldap-config-flags')
        if ldap_flags:
            ctxt['ldap_config_flags'] = context.config_flags_parser(ldap_flags)

    enable_pki = config('enable-pki')
    pki_enabled = bool(enable_pki and bool_from_string(enable_pki))
    ctxt['enable_signing'] = pki_enabled
    if pki_enabled:
        log("Enabling PKI", level=DEBUG)
        ctxt['token_provider'] = 'pki'
        # NOTE(jamespage): Only check PKI configuration if the PKI
        #                  token format is in use, which has been
        #                  removed as of OpenStack Ocata.
        ensure_pki_cert_paths()
        certs_dir = os.path.join(PKI_CERTS_DIR, 'certs')
        privates_dir = os.path.join(PKI_CERTS_DIR, 'privates')
        ctxt['certfile'] = os.path.join(certs_dir, 'signing_cert.pem')
        ctxt['keyfile'] = os.path.join(privates_dir, 'signing_key.pem')
        ctxt['ca_certs'] = os.path.join(certs_dir, 'ca.pem')
        ctxt['ca_key'] = os.path.join(certs_dir, 'ca_key.pem')

    # Base endpoint URLs returned in keystone responses to unauthenticated
    # requests so that clients are redirected to the correct auth URL.
    for ctxt_key, address_type, port_name in (
            ('public_endpoint', PUBLIC, 'keystone-public'),
            ('admin_endpoint', ADMIN, 'keystone-admin')):
        url = endpoint_url(resolve_address(address_type), api_port(port_name))
        ctxt[ctxt_key] = url.replace('v2.0', '')

    # Config file locations depend on whether keystone runs from a snap.
    if snap_install_requested():
        snap_etc = '/var/snap/keystone/common/etc/keystone'
        ctxt['domain_config_dir'] = snap_etc + '/domains'
        ctxt['log_config'] = snap_etc + '/logging.conf'
        ctxt['paste_config_file'] = snap_etc + '/keystone-paste.ini'
    else:
        ctxt['domain_config_dir'] = '/etc/keystone/domains'
        ctxt['log_config'] = '/etc/keystone/logging.conf'
        ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini'

    return ctxt