Use keystone-manage bootstrap command

https://review.openstack.org/#/c/255599/ implemented a keystone-manage bootstrap command as an alternative to using an admin token when bootstrapping the keystone service. Admin tokens have been deprecated as of Mitaka and will be removed in Ocata. The use of this command replaces tasks to create the admin user, its password, role, and project and the keystone service endpoints. The keystone_auth_admin_token variable has been removed and its use in any tasks against the keystone library have been replaced with login credentials for the admin user. The functional test has been updated to use the current head of stable/mitaka and master for keystone and requirements respectively. The policy and api-paste files have also been updated from the head of keystone stable/mitaka. This change will require updates to make use of the same SHAs in the integrated openstack-ansible repo and in a majority of the OpenStack service roles' tests. Change-Id: I720fab85efe11a7512a124e44a73cf67b5f686b5
openstack · Mar 17, 2016 · a08d7b1 · a08d7b1
1 parent dc20745
commit a08d7b1
Show file tree

Hide file tree

Showing 10 changed files with 92 additions and 130 deletions.
diff --git a/README.rst b/README.rst
@@ -32,7 +32,6 @@ details.
     # password used by the keystone service to interact with Galera
     keystone_container_mysql_password: "YourPassword"
 
-    keystone_auth_admin_token: "SuperSecreteTestToken"
     keystone_auth_admin_password: "SuperSecretePassword"
     keystone_service_password: "secrete"
     keystone_rabbitmq_password: "secrete"
@@ -56,7 +55,6 @@ Example Playbook
         keystone_venv_tag: "testing"
         keystone_developer_mode: true
         keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448
-        keystone_auth_admin_token: "SuperSecreteTestToken"
         keystone_auth_admin_password: "SuperSecretePassword"
         keystone_service_password: "secrete"
         keystone_rabbitmq_password: "secrete"

diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml
@@ -28,7 +28,9 @@
   keystone:
     command: ensure_domain
     domain_name: "{{ item.domain }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.domain is defined
@@ -41,7 +43,9 @@
     command: ensure_project
     project_name: "{{ item.project }}"
     domain_name: "{{ item.domain | default('Default') }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.project is defined
@@ -56,7 +60,9 @@
     password: "{{ item.password }}"
     project_name: "{{ item.project }}"
     domain_name: "{{ item.domain | default('Default') }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: >
@@ -72,7 +78,9 @@
     command: ensure_group
     group_name: "{{ item.group }}"
     domain_name: "{{ item.domain | default('Default') }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.group is defined
@@ -84,7 +92,9 @@
   keystone:
     command: "ensure_role"
     role_name: "{{ item.role | default('_member_') }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: >
@@ -100,7 +110,9 @@
     group_name: "{{ item.group }}"
     project_name: "{{ item.project }}"
     role_name: "{{ item.role | default('_member_') }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: >
@@ -115,7 +127,9 @@
     command: ensure_mapping
     mapping_name: "{{ item.protocol.mapping.name }}"
     mapping_rules: "{{ item.protocol.mapping.rules }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.protocol.mapping.name is defined
@@ -129,7 +143,9 @@
     idp_name: "{{ item.name }}"
     idp_remote_ids: "{{ item.entity_ids }}"
     idp_enabled: true
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.name is defined
@@ -143,7 +159,9 @@
     protocol_name: "{{ item.protocol.name }}"
     idp_name: "{{ item.idp.name }}"
     mapping_name: "{{ item.protocol.mapping.name }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   when: item.protocol.name is defined

diff --git a/tasks/keystone_idp_sp_setup.yml b/tasks/keystone_idp_sp_setup.yml
@@ -16,7 +16,9 @@
 - name: Register service providers
   keystone:
     command: "ensure_service_provider"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     sp_name: "{{ item.id }}"
     sp_url: "{{ item.sp_url }}"

diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
@@ -18,7 +18,9 @@
   keystone:
     command: ensure_domain
     domain_name: "{{ item.key }}"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   with_dict: keystone_ldap

diff --git a/tasks/keystone_service_setup.yml b/tasks/keystone_service_setup.yml
@@ -42,87 +42,41 @@
     - keystone-db-sync
     - keystone-setup
 
-# Create a service tenant
-- name: Ensure service tenant
-  keystone:
-    command: "ensure_tenant"
-    token: "{{ keystone_auth_admin_token }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    tenant_name: "{{ keystone_service_tenant_name }}"
-    description: "{{ keystone_service_description }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
+- name: Bootstrap keystone admin and endpoint
+  command: |
+     {{ keystone_bin }}/keystone-manage bootstrap \
+     --bootstrap-username {{ keystone_admin_user_name }} \
+     --bootstrap-password {{ keystone_auth_admin_password }} \
+     --bootstrap-project-name {{ keystone_admin_tenant_name }} \
+     --bootstrap-role-name {{ keystone_role_name }} \
+     --bootstrap-service-name {{ keystone_service_name }} \
+     --bootstrap-region-id {{ keystone_service_region }} \
+     --bootstrap-admin-url {{ keystone_service_adminurl }} \
+     --bootstrap-public-url {{ keystone_service_publicurl }} \
+     --bootstrap-internal-url {{ keystone_service_internalurl }}
+  become: yes
+  become_user: "{{ keystone_system_user_name }}"
   register: add_service
   until: add_service|success
   retries: 5
   delay: 10
   tags:
     - keystone-api-setup
+    - keystone-service-add
     - keystone-setup
 
-# Create an admin tenant
-- name: Ensure admin tenant
+# Create a service tenant
+- name: Ensure service tenant
   keystone:
     command: "ensure_tenant"
-    token: "{{ keystone_auth_admin_token }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    tenant_name: "{{ keystone_admin_tenant_name }}"
-    description: "{{ keystone_admin_description }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service|success
-  retries: 5
-  delay: 10
-  tags:
-    - keystone-api-setup
-    - keystone-setup
-
-# Create an admin user
-- name: Ensure Admin user
-  keystone:
-    command: "ensure_user"
-    token: "{{ keystone_auth_admin_token }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    user_name: "{{ keystone_admin_user_name }}"
-    tenant_name: "{{ keystone_admin_tenant_name }}"
-    password: "{{ keystone_auth_admin_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when: not keystone_service_in_ldap | bool
-  until: add_service|success
-  retries: 5
-  delay: 10
-  tags:
-    - keystone-api-setup
-    - keystone-setup
-
-# Create an admin role
-- name: Ensure Admin role
-  keystone:
-    command: "ensure_role"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
-    role_name: "{{ keystone_role_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service|success
-  retries: 5
-  delay: 10
-  tags:
-    - keystone-api-setup
-    - keystone-setup
-
-# Add a role to the user
-- name: Ensure Admin user to Admin role
-  keystone:
-    command: "ensure_user_role"
-    token: "{{ keystone_auth_admin_token }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    user_name: "{{ keystone_admin_user_name }}"
-    tenant_name: "{{ keystone_admin_tenant_name }}"
-    role_name: "{{ keystone_role_name }}"
+    tenant_name: "{{ keystone_service_tenant_name }}"
+    description: "{{ keystone_service_description }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
-  when: not keystone_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -134,7 +88,9 @@
 - name: Ensure default keystone user role
   keystone:
     command: "ensure_role"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     role_name: "{{ keystone_default_role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
@@ -151,7 +107,9 @@
 - name: Ensure Keystone Service
   keystone:
     command: "ensure_service"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     service_name: "{{ keystone_service_name }}"
     service_type: "{{ keystone_service_type }}"
@@ -170,7 +128,9 @@
 - name: Ensure Keystone user
   keystone:
     command: "ensure_user"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     user_name: "{{ keystone_service_user_name }}"
     tenant_name: "{{ keystone_service_tenant_name }}"
@@ -189,7 +149,9 @@
 - name: Ensure Keystone user to Admin role
   keystone:
     command: "ensure_user_role"
-    token: "{{ keystone_auth_admin_token }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
     endpoint: "{{ keystone_service_adminurl }}"
     user_name: "{{ keystone_service_user_name }}"
     tenant_name: "{{ keystone_service_tenant_name }}"
@@ -203,29 +165,3 @@
     - keystone-api-setup
     - keystone-service-add
     - keystone-setup
-
-# Create an endpoint
-- name: Ensure Keystone Endpoint
-  keystone:
-    command: "ensure_endpoint"
-    token: "{{ keystone_auth_admin_token }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    region_name: "{{ keystone_service_region }}"
-    service_name: "{{ keystone_service_name }}"
-    service_type: "{{ keystone_service_type }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-    endpoint_list:
-      - url: "{{ keystone_service_publicurl }}"
-        interface: "public"
-      - url: "{{ keystone_service_adminurl }}"
-        interface: "admin"
-      - url: "{{ keystone_service_internalurl }}"
-        interface: "internal"
-  register: add_service
-  until: add_service|success
-  retries: 5
-  delay: 10
-  tags:
-    - keystone-api-setup
-    - keystone-service-add
-    - keystone-setup
diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2
@@ -13,16 +13,16 @@ use = egg:keystone#build_auth_context
 use = egg:keystone#token_auth
 
 [filter:admin_token_auth]
+# This is deprecated in the M release and will be removed in the O release.
+# Use `keystone-manage bootstrap` and remove this from the pipelines below.
 use = egg:keystone#admin_token_auth
 
 [filter:json_body]
 use = egg:keystone#json_body
 
-[filter:user_crud_extension]
-use = egg:keystone#user_crud_extension
-
-[filter:crud_extension]
-use = egg:keystone#crud_extension
+[filter:cors]
+use = egg:oslo.middleware#cors
+oslo_config_project = keystone
 
 [filter:ec2_extension]
 use = egg:keystone#ec2_extension
@@ -33,9 +33,6 @@ use = egg:keystone#ec2_extension_v3
 [filter:s3_extension]
 use = egg:keystone#s3_extension
 
-[filter:simple_cert_extension]
-use = egg:keystone#simple_cert_extension
-
 [filter:url_normalize]
 use = egg:keystone#url_normalize
 
@@ -54,17 +51,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
 
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service
@@ -73,10 +70,10 @@ use = egg:keystone#public_version_service
 use = egg:keystone#admin_version_service
 
 [pipeline:public_version_api]
-pipeline = sizelimit url_normalize public_version_service
+pipeline = cors sizelimit url_normalize public_version_service
 
 [pipeline:admin_version_api]
-pipeline = sizelimit url_normalize admin_version_service
+pipeline = cors sizelimit url_normalize admin_version_service
 
 [composite:main]
 use = egg:Paste#urlmap

diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
@@ -3,7 +3,6 @@
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
-admin_token = {{ keystone_auth_admin_token }}
 {% if keystone_public_endpoint is defined %}
 public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}