def install_hook(): execd_preinstall() utils.configure_source() utils.install(*packages) update_config_block('DEFAULT', public_port=cluster.determine_api_port(config["service-port"])) update_config_block('DEFAULT', admin_port=cluster.determine_api_port(config["admin-port"])) set_admin_token(config['admin-token']) # set all backends to use sql+sqlite, if they are not already by default update_config_block('sql', connection='sqlite:////var/lib/keystone/keystone.db') update_config_block('identity', driver='keystone.identity.backends.sql.Identity') update_config_block('catalog', driver='keystone.catalog.backends.sql.Catalog') update_config_block('token', driver='keystone.token.backends.sql.Token') update_config_block('ec2', driver='keystone.contrib.ec2.backends.sql.Ec2') utils.stop('keystone') execute("keystone-manage db_sync") utils.start('keystone') # ensure user + permissions for peer relations that # may be syncing data there via SSH_USER. unison.ensure_user(user=SSH_USER, group='keystone') execute("chmod -R g+wrx /var/lib/keystone/") time.sleep(5) ensure_initial_admin(config)
def config_changed(): unison.ensure_user(user=SSH_USER, group='keystone') execute("chmod -R g+wrx /var/lib/keystone/") # Determine whether or not we should do an upgrade, based on the # the version offered in keyston-release. available = get_os_codename_install_source(config['openstack-origin']) installed = get_os_codename_package('keystone') if (available and get_os_version_codename(available) > \ get_os_version_codename(installed)): # TODO: fixup this call to work like utils.install() do_openstack_upgrade(config['openstack-origin'], ' '.join(packages)) # Ensure keystone group permissions execute("chmod -R g+wrx /var/lib/keystone/") env_vars = {'OPENSTACK_SERVICE_KEYSTONE': 'keystone', 'OPENSTACK_PORT_ADMIN': cluster.determine_api_port( config['admin-port']), 'OPENSTACK_PORT_PUBLIC': cluster.determine_api_port( config['service-port'])} save_script_rc(**env_vars) set_admin_token(config['admin-token']) if cluster.eligible_leader(CLUSTER_RES): utils.juju_log('INFO', 'Cluster leader - ensuring endpoint configuration' ' is up to date') ensure_initial_admin(config) update_config_block('logger_root', level=config['log-level'], file='/etc/keystone/logging.conf') if get_os_version_package('keystone') >= '2013.1': # PKI introduced in Grizzly configure_pki_tokens(config) if config_dirty(): utils.restart('keystone') if cluster.eligible_leader(CLUSTER_RES): utils.juju_log('INFO', 'Firing identity_changed hook' ' for all related services.') # HTTPS may have been set - so fire all identity relations # again for r_id in utils.relation_ids('identity-service'): for unit in utils.relation_list(r_id): identity_changed(relation_id=r_id, remote_unit=unit)
def __call__(self): from keystone_utils import (api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths, get_admin_domain_id) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['api_version'] = int(config('preferred-api-version')) ctxt['admin_role'] = config('admin-role') if ctxt['api_version'] > 2: ctxt['admin_domain_id'] = (get_admin_domain_id() or 'admin_domain_id') ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) ctxt['debug'] = config('debug') ctxt['verbose'] = config('verbose') ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags enable_pki = config('enable-pki') if enable_pki and bool_from_string(enable_pki): log("Enabling PKI", level=DEBUG) ctxt['token_provider'] = 'pki' ensure_pki_cert_paths() certs = os.path.join(PKI_CERTS_DIR, 'certs') privates = os.path.join(PKI_CERTS_DIR, 'privates') ctxt.update({ 'certfile': os.path.join(certs, 'signing_cert.pem'), 'keyfile': os.path.join(privates, 'signing_key.pem'), 'ca_certs': os.path.join(certs, 'ca.pem'), 'ca_key': os.path.join(certs, 'ca_key.pem') }) # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).replace('v2.0', '') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).replace('v2.0', '') return ctxt
def __call__(self): from keystone_utils import ( api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths, get_admin_domain_id ) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['api_version'] = int(config('preferred-api-version')) ctxt['admin_role'] = config('admin-role') if ctxt['api_version'] > 2: ctxt['admin_domain_id'] = ( get_admin_domain_id() or 'admin_domain_id') ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) ctxt['debug'] = config('debug') ctxt['verbose'] = config('verbose') ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags enable_pki = config('enable-pki') if enable_pki and bool_from_string(enable_pki): log("Enabling PKI", level=DEBUG) ctxt['token_provider'] = 'pki' ensure_pki_cert_paths() certs = os.path.join(PKI_CERTS_DIR, 'certs') privates = os.path.join(PKI_CERTS_DIR, 'privates') ctxt.update({'certfile': os.path.join(certs, 'signing_cert.pem'), 'keyfile': os.path.join(privates, 'signing_key.pem'), 'ca_certs': os.path.join(certs, 'ca.pem'), 'ca_key': os.path.join(certs, 'ca_key.pem')}) # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).replace('v2.0', '') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).replace('v2.0', '') return ctxt
def __call__(self): from keystone_utils import ( api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, PKI_CERTS_DIR, SSH_USER, ensure_permissions, ) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) debug = config('debug') ctxt['debug'] = debug and bool_from_string(debug) verbose = config('verbose') ctxt['verbose'] = verbose and bool_from_string(verbose) ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags enable_pki = config('enable-pki') if enable_pki and bool_from_string(enable_pki): ctxt['signing'] = True ctxt['token_provider'] = 'pki' if 'token_provider' in ctxt: log("Configuring PKI token cert paths", level=DEBUG) certs = os.path.join(PKI_CERTS_DIR, 'certs') privates = os.path.join(PKI_CERTS_DIR, 'privates') for path in [PKI_CERTS_DIR, certs, privates]: perms = 0o755 if not os.path.isdir(path): mkdir(path=path, owner=SSH_USER, group='keystone', perms=perms) else: # Ensure accessible by ssh user and group (for sync). ensure_permissions(path, user=SSH_USER, group='keystone', perms=perms) signing_paths = { 'certfile': os.path.join(certs, 'signing_cert.pem'), 'keyfile': os.path.join(privates, 'signing_key.pem'), 'ca_certs': os.path.join(certs, 'ca.pem'), 'ca_key': os.path.join(certs, 'ca_key.pem') } for key, val in signing_paths.iteritems(): ctxt[key] = val # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).rstrip('v2.0') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).rstrip('v2.0') return ctxt
def __call__(self): from keystone_utils import ( api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, PKI_CERTS_DIR, ensure_pki_cert_paths, ADMIN_DOMAIN, snap_install_requested, get_api_version, ) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['api_version'] = get_api_version() ctxt['admin_role'] = config('admin-role') if ctxt['api_version'] > 2: ctxt['service_tenant_id'] = \ leader_get(attribute='service_tenant_id') ctxt['admin_domain_name'] = ADMIN_DOMAIN ctxt['admin_domain_id'] = \ leader_get(attribute='admin_domain_id') ctxt['default_domain_id'] = \ leader_get(attribute='default_domain_id') ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) ctxt['debug'] = config('debug') ctxt['verbose'] = config('verbose') ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags enable_pki = config('enable-pki') if enable_pki and bool_from_string(enable_pki): log("Enabling PKI", level=DEBUG) ctxt['token_provider'] = 'pki' # NOTE(jamespage): Only check PKI configuration if the PKI # token format is in use, which has been # removed as of OpenStack Ocata. ensure_pki_cert_paths() certs = os.path.join(PKI_CERTS_DIR, 'certs') privates = os.path.join(PKI_CERTS_DIR, 'privates') ctxt['enable_signing'] = True ctxt.update({ 'certfile': os.path.join(certs, 'signing_cert.pem'), 'keyfile': os.path.join(privates, 'signing_key.pem'), 'ca_certs': os.path.join(certs, 'ca.pem'), 'ca_key': os.path.join(certs, 'ca_key.pem') }) else: ctxt['enable_signing'] = False # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).replace('v2.0', '') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).replace('v2.0', '') if snap_install_requested(): ctxt['domain_config_dir'] = ( '/var/snap/keystone/common/etc/keystone/domains') ctxt['log_config'] = ( '/var/snap/keystone/common/etc/keystone/logging.conf') ctxt['paste_config_file'] = ( '/var/snap/keystone/common/etc/keystone/keystone-paste.ini') else: ctxt['domain_config_dir'] = '/etc/keystone/domains' ctxt['log_config'] = ('/etc/keystone/logging.conf') ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini' return ctxt
def __call__(self): from keystone_utils import ( api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, ADMIN_DOMAIN, snap_install_requested, get_api_version, ) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['api_version'] = get_api_version() ctxt['admin_role'] = config('admin-role') if ctxt['api_version'] > 2: ctxt['service_tenant_id'] = \ leader_get(attribute='service_tenant_id') ctxt['admin_domain_name'] = ADMIN_DOMAIN ctxt['admin_domain_id'] = \ leader_get(attribute='admin_domain_id') ctxt['default_domain_id'] = \ leader_get(attribute='default_domain_id') ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) ctxt['debug'] = config('debug') ctxt['verbose'] = config('verbose') ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') ctxt['token_provider'] = config('token-provider') ctxt['fernet_max_active_keys'] = config('fernet-max-active-keys') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).replace('v2.0', '') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).replace('v2.0', '') if snap_install_requested(): ctxt['domain_config_dir'] = ( '/var/snap/keystone/common/etc/keystone/domains') ctxt['log_config'] = ( '/var/snap/keystone/common/etc/keystone/logging.conf') ctxt['paste_config_file'] = ( '/var/snap/keystone/common/etc/keystone/keystone-paste.ini') else: ctxt['domain_config_dir'] = '/etc/keystone/domains' ctxt['log_config'] = ('/etc/keystone/logging.conf') ctxt['paste_config_file'] = '/etc/keystone/keystone-paste.ini' return ctxt
def __call__(self): from keystone_utils import ( api_port, set_admin_token, endpoint_url, resolve_address, PUBLIC, ADMIN, PKI_CERTS_DIR, SSH_USER, ensure_permissions, ) ctxt = {} ctxt['token'] = set_admin_token(config('admin-token')) ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'), singlenode_mode=True) ctxt['public_port'] = determine_api_port(api_port('keystone-public'), singlenode_mode=True) debug = config('debug') ctxt['debug'] = debug and bool_from_string(debug) verbose = config('verbose') ctxt['verbose'] = verbose and bool_from_string(verbose) ctxt['token_expiration'] = config('token-expiration') ctxt['identity_backend'] = config('identity-backend') ctxt['assignment_backend'] = config('assignment-backend') if config('identity-backend') == 'ldap': ctxt['ldap_server'] = config('ldap-server') ctxt['ldap_user'] = config('ldap-user') ctxt['ldap_password'] = config('ldap-password') ctxt['ldap_suffix'] = config('ldap-suffix') ctxt['ldap_readonly'] = config('ldap-readonly') ldap_flags = config('ldap-config-flags') if ldap_flags: flags = context.config_flags_parser(ldap_flags) ctxt['ldap_config_flags'] = flags enable_pki = config('enable-pki') if enable_pki and bool_from_string(enable_pki): ctxt['signing'] = True ctxt['token_provider'] = 'pki' if 'token_provider' in ctxt: log("Configuring PKI token cert paths", level=DEBUG) certs = os.path.join(PKI_CERTS_DIR, 'certs') privates = os.path.join(PKI_CERTS_DIR, 'privates') for path in [PKI_CERTS_DIR, certs, privates]: perms = 0o755 if not os.path.isdir(path): mkdir(path=path, owner=SSH_USER, group='keystone', perms=perms) else: # Ensure accessible by ssh user and group (for sync). ensure_permissions(path, user=SSH_USER, group='keystone', perms=perms) signing_paths = {'certfile': os.path.join(certs, 'signing_cert.pem'), 'keyfile': os.path.join(privates, 'signing_key.pem'), 'ca_certs': os.path.join(certs, 'ca.pem'), 'ca_key': os.path.join(certs, 'ca_key.pem')} for key, val in signing_paths.iteritems(): ctxt[key] = val # Base endpoint URL's which are used in keystone responses # to unauthenticated requests to redirect clients to the # correct auth URL. ctxt['public_endpoint'] = endpoint_url( resolve_address(PUBLIC), api_port('keystone-public')).rstrip('v2.0') ctxt['admin_endpoint'] = endpoint_url( resolve_address(ADMIN), api_port('keystone-admin')).rstrip('v2.0') return ctxt