diff --git a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/api.pp b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/api.pp
index 2ba53b7166..b0f1458014 100644
--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/api.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/api.pp
@@ -22,12 +22,13 @@
 #
 # === Parameters
 #
-# [*keystone_password*]
-# The password to use for authentication (keystone)
-#
 # [*keystone_enabled*]
 # (optional) Use keystone for authentification
 # Defaults to true
+# Applies to both bare metal and pod based keystones
+#
+# [*keystone_password*]
+# The password to use for authentication (keystone)
 #
 # [*keystone_tenant*]
 # (optional) The tenant of the auth user
@@ -88,6 +89,58 @@
 # (optional) The state of the service
 # Defaults to true
 #
+# [*openstack_keystone_tenant*]
+# (optional) The tenant of the auth user
+# Defaults to admin
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_user*]
+# (optional) The name of the auth user
+# Defaults to admin
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keyring_service*]
+# (optional) The keyring service from which to retrieve the password
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_auth_host*]
+# (optional) The keystone host
+# Defaults to localhost
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_auth_port*]
+# (optional) The keystone auth port
+# Defaults to 5000
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_auth_protocol*]
+# (optional) The protocol used to access the auth host
+# Defaults to http.
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_auth_admin_prefix*]
+# (optional) The admin_prefix used to admin endpoint of the auth host
+# This allow admin auth URIs like http://auth_host:5000/keystone.
+# (where '/keystone' is the admin prefix)
+# Defaults to false for empty. If defined, should be a string with a
+# leading '/' and no trailing '/'.
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_user_domain*]
+# (Optional) domain name for auth user.
+# Defaults to 'Default'.
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_keystone_project_domain*]
+# (Optional) domain name for auth project.
+# Defaults to 'Default'.
+# For pod based keystone for authentication with openstack services
+#
+# [*openstack_auth_type*]
+# (Optional) Authentication type to load.
+# Defaults to 'password'.
+# For pod based keystone for authentication with openstack services
+#
 class sysinv::api (
 $keystone_password,
 $keystone_enabled = true,
@@ -103,6 +156,19 @@ class sysinv::api (
 $keystone_user_domain = 'Default',
 $keystone_project_domain = 'Default',
 $auth_type = 'password',
+ $openstack_keystone_tenant = 'admin',
+ $openstack_keystone_user = 'admin',
+ $openstack_keyring_service = undef,
+ $openstack_keystone_auth_host = 'localhost',
+ $openstack_keystone_auth_port = '5000',
+ $openstack_keystone_auth_protocol = 'http',
+ $openstack_keystone_auth_admin_prefix = false,
+ $openstack_keystone_auth_uri = false,
+ $openstack_keystone_auth_version = false,
+ $openstack_keystone_identity_uri = false,
+ $openstack_keystone_user_domain = 'Default',
+ $openstack_keystone_project_domain = 'Default',
+ $openstack_auth_type = 'password',
 $service_port = '5000',
 $package_ensure = 'latest',
 $bind_host = '0.0.0.0',
@@ -145,6 +211,12 @@ class sysinv::api (
 sysinv_api_paste_ini { 'filter:authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; }
 }
 }
+ if $openstack_keystone_identity_uri {
+ sysinv_config { 'openstack_keystone_authtoken/auth_url': value => $openstack_keystone_identity_uri; }
+ } else {
+ sysinv_config { 'openstack_keystone_authtoken/auth_url': value => "${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:5000/"; }
+ }
+
 if $keystone_auth_uri {
 sysinv_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; }
 sysinv_api_paste_ini { 'filter:authtoken/auth_uri': value => $keystone_auth_uri; }
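Review bot: The fallback `auth_url` written in the @@ -145 hunk hardcodes `:5000/` although the @@ -103 hunk of the same class now declares `$openstack_keystone_auth_port = '5000'`, so overriding the port has no effect on the URL the conductor is given; the `auth_uri` fallback in the @@ -157 hunk has the same gap. Both could read `"${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:${openstack_keystone_auth_port}/"`. The existing platform branch directly above does the same with its own port parameter, so this may be deliberate parity rather than an oversight, but then the new parameter is dead and its doc comment misleading. The enclosing class sysinv::api continues outside the hunk.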
@@ -157,6 +229,14 @@ class sysinv::api (
 }
 }
 
+ if $openstack_keystone_auth_uri {
+ sysinv_config { 'openstack_keystone_authtoken/auth_uri': value => $openstack_keystone_auth_uri; }
+ } else {
+ sysinv_config {
+ 'openstack_keystone_authtoken/auth_uri': value => "${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:5000/";
+ }
+ }
+
 if $keystone_auth_version {
 sysinv_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; }
 sysinv_api_paste_ini { 'filter:authtoken/auth_version': value => $keystone_auth_version; }
@@ -165,6 +245,12 @@ class sysinv::api (
 sysinv_api_paste_ini { 'filter:authtoken/auth_version': ensure => absent; }
 }
 
+ if $openstack_keystone_auth_version {
+ sysinv_config { 'openstack_keystone_authtoken/auth_version': value => $openstack_keystone_auth_version; }
+ } else {
+ sysinv_config { 'openstack_keystone_authtoken/auth_version': ensure => absent; }
+ }
+
 if $keystone_enabled {
 sysinv_config {
 'DEFAULT/auth_strategy': value => 'keystone' ;
@@ -177,6 +263,14 @@ class sysinv::api (
 'keystone_authtoken/user_domain_name': value => $keystone_user_domain;
 'keystone_authtoken/project_domain_name': value => $keystone_project_domain;
 }
+ sysinv_config {
+ 'openstack_keystone_authtoken/auth_type': value => $openstack_auth_type;
+ 'openstack_keystone_authtoken/project_name': value => $openstack_keystone_tenant;
+ 'openstack_keystone_authtoken/username': value => $openstack_keystone_user;
+ 'openstack_keystone_authtoken/user_domain_name': value => $openstack_keystone_user_domain;
+ 'openstack_keystone_authtoken/project_domain_name': value => $openstack_keystone_project_domain;
+ 'openstack_keystone_authtoken/keyring_service': value => $openstack_keyring_service;
+ }
 sysinv_api_paste_ini {
 'filter:authtoken/project_name': value => $keystone_tenant;
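Review bot: The `openstack_keystone_authtoken` resource added in the @@ -177 hunk writes `keyring_service` unconditionally, yet `$openstack_keyring_service` defaults to `undef` in the @@ -103 hunk, so a caller that does not set it hands an undef value to `sysinv_config` (what that provider does with it is not shown here) instead of leaving the key out so the conductor's registered default applies. Guarding it like the other optional keys, `if $openstack_keyring_service { sysinv_config { 'openstack_keystone_authtoken/keyring_service': value => $openstack_keyring_service; } }`, avoids that. Separately, of the keys written to this section across this hunk and @@ -157, @@ -165 and @@ -202, `auth_type`, `auth_version` and `auth_admin_prefix` are not among the options `openstack_keystone_opts` registers in openstack.py in this same change; unless another consumer reads them they are dead configuration, which a one-line comment on the resource should say. The enclosing `if $keystone_enabled` block starts and ends outside this hunk.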
@@ -202,6 +296,18 @@ class sysinv::api (
 'filter:authtoken/auth_admin_prefix': ensure => absent;
 }
 }
+
+ if $openstack_keystone_auth_admin_prefix {
+ validate_re($openstack_keystone_auth_admin_prefix, '^(/.+[^/])?$')
+ sysinv_config {
+ 'openstack_keystone_authtoken/auth_admin_prefix': value => $openstack_keystone_auth_admin_prefix;
+ }
+ } else {
+ sysinv_config {
+ 'openstack_keystone_authtoken/auth_admin_prefix': ensure => absent;
+ }
+ }
+
 } else {
diff --git a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
index 4608fb5f0a..a84581b563 100644
--- a/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/puppet-modules-wrs/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -195,10 +195,11 @@ class sysinv (
 sysinv_config {
 'keystone_authtoken/region_name': value => $region_name;
- 'keystone_authtoken/neutron_region_name': value => $neutron_region_name;
- 'keystone_authtoken/cinder_region_name': value => $cinder_region_name;
- 'keystone_authtoken/nova_region_name': value => $nova_region_name;
- 'keystone_authtoken/magnum_region_name': value => $magnum_region_name;
+ 'openstack_keystone_authtoken/region_name': value => $region_name;
+ 'openstack_keystone_authtoken/neutron_region_name': value => $neutron_region_name;
+ 'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
+ 'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
+ 'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
 }
 sysinv_config {
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/openstack.py b/sysinv/sysinv/sysinv/sysinv/conductor/openstack.py
index c80ba692f3..3fc4eefc30 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/openstack.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/openstack.py
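Review bot: In the init.pp hunk the four `keystone_authtoken/*_region_name` keys are dropped from the resource but never set to `ensure => absent`, so on a node whose sysinv.conf was written by the previous manifest they stay in the file after the upgrade. The conductor no longer registers them under that section (the openstack.py @@ -60 hunk removes the options), so they are inert, but a stale `keystone_authtoken/nova_region_name` next to the live `openstack_keystone_authtoken/nova_region_name` will mislead whoever debugs a region problem. A second `sysinv_config` resource listing each of the four old keys with `ensure => absent;`, e.g. `'keystone_authtoken/neutron_region_name': ensure => absent;`, cleans them up and can be removed a release later. The enclosing class sysinv starts and ends outside the hunk.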
@@ -11,6 +11,7 @@
 """ System Inventory Openstack Utilities and helper functions."""
 
+import keyring
 from cinderclient.v2 import client as cinder_client_v2
 from sysinv.common import constants
 from sysinv.common import exception
@@ -23,7 +24,6 @@ from neutronclient.v2_0 import client as neutron_client_v2_0
 from oslo_config import cfg
 from keystoneclient.v3 import client as keystone_client
 from keystoneclient.auth.identity import v3
-from keystoneclient import exceptions as identity_exc
 from keystoneclient import session
 from sqlalchemy.orm import exc
 from magnumclient.v1 import client as magnum_client_v1
@@ -60,18 +60,6 @@ keystone_opts = [
 cfg.StrOpt('region_name',
 default='RegionOne',
 help=_("Region Name")),
- cfg.StrOpt('neutron_region_name',
- default='RegionOne',
- help=_("Neutron Region Name")),
- cfg.StrOpt('cinder_region_name',
- default='RegionOne',
- help=_("Cinder Region Name")),
- cfg.StrOpt('nova_region_name',
- default='RegionOne',
- help=_("Nova Region Name")),
- cfg.StrOpt('magnum_region_name',
- default='RegionOne',
- help=_("Magnum Region Name")),
 cfg.StrOpt('username',
 default='sysinv',
 help=_("Sysinv keystone user name")),
@@ -89,8 +77,52 @@ keystone_opts = [
 help=_("Sysinv keystone user project domain name"))
 ]
 
+
+openstack_keystone_opts = [
+ cfg.StrOpt('keyring_service',
+ default='CGCS',
+ help=_("Keyring service")),
+ cfg.StrOpt('auth_uri',
+ default='http://192.168.204.2:5000/',
+ help=_("Authentication URI")),
+ cfg.StrOpt('auth_url',
+ default='http://127.0.0.1:5000/',
+ help=_("Admin Authentication URI")),
+ cfg.StrOpt('region_name',
+ default='RegionOne',
+ help=_("Region Name")),
+ cfg.StrOpt('username',
+ default='admin',
+ help=_("keystone user name")),
+ cfg.StrOpt('neutron_region_name',
+ default='RegionOne',
+ help=_("Neutron Region Name")),
+ cfg.StrOpt('cinder_region_name',
+ default='RegionOne',
+ help=_("Cinder Region Name")),
+ cfg.StrOpt('nova_region_name',
+ default='RegionOne',
+ help=_("Nova Region Name")),
+ cfg.StrOpt('magnum_region_name',
+ default='RegionOne',
+ help=_("Magnum Region Name")),
+ cfg.StrOpt('project_name',
+ default='admin',
+ help=_("keystone user project name")),
+ cfg.StrOpt('user_domain_name',
+ default='Default',
+ help=_("keystone user domain name")),
+ cfg.StrOpt('project_domain_name',
+ default='Default',
+ help=_("keystone user project domain name"))
+]
+
 # Register the configuration options
-cfg.CONF.register_opts(keystone_opts, "KEYSTONE_AUTHTOKEN")
+PLATFORM_CONFIG = 'KEYSTONE_AUTHTOKEN'
+OPENSTACK_CONFIG = 'OPENSTACK_KEYSTONE_AUTHTOKEN'
+
+cfg.CONF.register_opts(keystone_opts, PLATFORM_CONFIG)
+cfg.CONF.register_opts(openstack_keystone_opts, OPENSTACK_CONFIG)
 
 
 class OpenStackOperator(object):
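Review bot: `auth_uri` in `openstack_keystone_opts` defaults to `http://192.168.204.2:5000/`, a site-specific address baked into code, and `auth_url` to a plaintext `http://127.0.0.1:5000/`; if the `openstack_keystone_authtoken` section is ever missing from sysinv.conf the conductor will quietly send the admin credentials from the keyring to whatever answers there rather than fail at startup. A safer shape is no default for the two URLs (`cfg.StrOpt('auth_uri', help=_("Authentication URI"))`) plus a check that they are set before the first client is built, or at minimum a comment on the list stating that the manifest always overrides them. Whether the platform `keystone_opts` carries the same hard-coded default is outside this hunk. `keyring_service` defaults to `'CGCS'` here while inventory.py in this same change defines `OPENSTACK_KEYRING_SERVICE = 'CGCS'` separately; one shared constant would stop the two from drifting.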
@@ -105,7 +137,19 @@ class OpenStackOperator(object):
 self.nova_client = None
 self.neutron_client = None
 self._neutron_extension_list = []
- self.auth_url = cfg.CONF.KEYSTONE_AUTHTOKEN.auth_url + "/v3"
+ self._auth_url = cfg.CONF[PLATFORM_CONFIG].auth_url + "/v3"
+ self._openstack_auth_url = cfg.CONF[OPENSTACK_CONFIG].auth_url + "/v3"
+
+ def _get_auth_url(self, service_config):
+ if service_config == PLATFORM_CONFIG:
+ return self._auth_url
+ elif service_config == OPENSTACK_CONFIG:
+ return self._openstack_auth_url
+ else:
+ LOG.error("Unrecognized keystone service configuration. " "service_config=%s" % (service_config))
+ raise exception.InvalidParameterValue(
+ _("Unrecognized keystone service_config."))
 
 #################
 # NEUTRON
@@ -116,10 +160,10 @@ class OpenStackOperator(object):
 # neutronclient doesn't yet support v3 keystone auth
 # use keystoneauth.session
 self.neutron_client = neutron_client_v2_0.Client(
- session=self._get_keystone_session(),
- auth_url=self.auth_url,
+ session=self._get_keystone_session(OPENSTACK_CONFIG),
+ auth_url=self._get_auth_url(OPENSTACK_CONFIG),
 endpoint_type='internalURL',
- region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.neutron_region_name)
+ region_name=cfg.CONF[OPENSTACK_CONFIG].neutron_region_name)
 return self.neutron_client
 
 def get_providernetworksdict(self, pn_names=None, quiet=False):
@@ -243,11 +287,11 @@ class OpenStackOperator(object):
 # novaclient doesn't yet support v3 keystone auth
 # use keystoneauth.session
 self.nova_client = nova_client_v2.Client(
- session=self._get_keystone_session(),
- auth_url=self.auth_url,
+ session=self._get_keystone_session(OPENSTACK_CONFIG),
+ auth_url=self._get_auth_url(OPENSTACK_CONFIG),
 endpoint_type='internalURL',
 direct_use=False,
- region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.nova_region_name)
+ region_name=cfg.CONF[OPENSTACK_CONFIG].nova_region_name)
 return self.nova_client
 
 def try_interface_get_by_host(self, host_uuid):
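Review bot: `_get_auth_url` in the @@ -105 hunk formats its log message eagerly with `%` before handing it to the logger; the usual form, and the one that avoids formatting work on a path that then raises anyway, is `LOG.error("Unrecognized keystone service configuration. service_config=%s", service_config)`. The two-branch `if`/`elif` could also become a single dict lookup keyed on the section name, built once in `__init__` next to the two `_auth_url` assignments, so adding a third keystone section later touches one place. The `__init__` body this hunk sits in starts outside the hunk.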
@@ -639,49 +683,49 @@ class OpenStackOperator(object):
 #################
 # Keystone
 #################
- def _get_keystone_session(self):
+ def _get_keystone_session(self, service_config):
 if not self.keystone_session:
- auth = v3.Password(auth_url=self.auth_url,
- username=cfg.CONF.KEYSTONE_AUTHTOKEN.username,
- password=cfg.CONF.KEYSTONE_AUTHTOKEN.password,
- user_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
+ if service_config == OPENSTACK_CONFIG:
+ password = keyring.get_password(cfg.CONF[OPENSTACK_CONFIG].
+ keyring_service,
+ cfg.CONF[OPENSTACK_CONFIG].
+ username)
+ else:
+ password = cfg.CONF[service_config].password
+
+ auth = v3.Password(auth_url=self._get_auth_url(service_config),
+ username=cfg.CONF[service_config].username,
+ password=password,
+ user_domain_name=cfg.CONF[service_config].
 user_domain_name,
- project_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
+ project_name=cfg.CONF[service_config].
 project_name,
- project_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
+ project_domain_name=cfg.CONF[service_config].
 project_domain_name)
 self.keystone_session = session.Session(auth=auth)
 return self.keystone_session
 
- def _get_keystoneclient(self):
+ def _get_keystoneclient(self, service_config):
+ if service_config == OPENSTACK_CONFIG:
+ password = keyring.get_password(cfg.CONF[OPENSTACK_CONFIG].
+ keyring_service,
+ cfg.CONF[OPENSTACK_CONFIG].
+ username)
+ else:
+ password = cfg.CONF[service_config].password
+
 if not self.keystone_client:
 # should not cache this forever
 self.keystone_client = keystone_client.Client(
- username=cfg.CONF.KEYSTONE_AUTHTOKEN.username,
- user_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.user_domain_name,
- project_name=cfg.CONF.KEYSTONE_AUTHTOKEN.project_name,
- project_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN
+ username=cfg.CONF[service_config].username,
+ user_domain_name=cfg.CONF[service_config].user_domain_name,
+ project_name=cfg.CONF[service_config].project_name,
+ project_domain_name=cfg.CONF[service_config]
 .project_domain_name,
- password=cfg.CONF.KEYSTONE_AUTHTOKEN.password,
- auth_url=self.auth_url,
- region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.region_name)
+ password=password,
+ auth_url=self._get_auth_url(service_config),
+ region_name=cfg.CONF[service_config].region_name)
 return self.keystone_client
 
- def _get_identity_id(self):
- try:
- LOG.debug("Search service id for : (%s)" %
- constants.SERVICE_TYPE_IDENTITY)
- service = self._get_keystoneclient().services.find(
- type=constants.SERVICE_TYPE_IDENTITY)
- except identity_exc.NotFound:
- LOG.error("Could not find service id for (%s)" %
- constants.SERVICE_TYPE_IDENTITY)
- return None
- except identity_exc.NoUniqueMatch:
- LOG.error("Multiple service matches found for (%s)" %
- constants.SERVICE_TYPE_IDENTITY)
- return None
- return service.id
-
 #################
 # Cinder
 #################
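Review bot: `_get_keystone_session` and `_get_keystoneclient` now take a `service_config` but still cache in the single `self.keystone_session` and `self.keystone_client` attributes, so whichever section is requested first wins and every later call naming the other section silently gets a session or client authenticated against the other keystone with the other credentials — the cinder endpoint lookup in the @@ -692 hunk asks for `OPENSTACK_CONFIG` while the cgts client in the @@ -817 hunk asks for `PLATFORM_CONFIG`, and both read the same cached client. The caches need to be keyed on `service_config`, which means initialising two dicts in `__init__` (the @@ -105 hunk, outside this one) and checking that nothing else in the file resets the old attributes. Two smaller points in the same hunk: `_get_keystoneclient` reads the keyring password before it checks the cache, so the secret is fetched on every call even when the client is reused, and neither method handles `keyring.get_password` returning `None`, which only surfaces later inside the auth plugin with a less useful error. A rewrite with a shared password helper and per-section caches is sketched below; the `#####` Cinder banner and everything after it is unchanged.

```python
    def _get_keystone_password(self, service_config):
        """Return the password for *service_config*.

        Only the pod keystone section keeps its secret in the keyring; the
        platform section carries it in the config file.
        """
        if service_config != OPENSTACK_CONFIG:
            return cfg.CONF[service_config].password
        password = keyring.get_password(
            cfg.CONF[OPENSTACK_CONFIG].keyring_service,
            cfg.CONF[OPENSTACK_CONFIG].username)
        if password is None:
            raise exception.SysinvException(
                _("No keyring entry for the openstack keystone user"))
        return password

    def _get_keystone_session(self, service_config):
        # One cached session per keystone; self.keystone_sessions is a dict
        # initialised in __init__.
        if service_config not in self.keystone_sessions:
            auth = v3.Password(
                auth_url=self._get_auth_url(service_config),
                username=cfg.CONF[service_config].username,
                password=self._get_keystone_password(service_config),
                user_domain_name=cfg.CONF[service_config].user_domain_name,
                project_name=cfg.CONF[service_config].project_name,
                project_domain_name=cfg.CONF[service_config].project_domain_name)
            self.keystone_sessions[service_config] = session.Session(auth=auth)
        return self.keystone_sessions[service_config]

    def _get_keystoneclient(self, service_config):
        # should not cache this forever
        if service_config not in self.keystone_clients:
            self.keystone_clients[service_config] = keystone_client.Client(
                username=cfg.CONF[service_config].username,
                # … unchanged: user/project domain and project_name arguments …
                password=self._get_keystone_password(service_config),
                auth_url=self._get_auth_url(service_config),
                region_name=cfg.CONF[service_config].region_name)
        return self.keystone_clients[service_config]
```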
@@ -692,10 +736,10 @@ class OpenStackOperator(object):
 region1_name = get_region_name('region_1_name')
 if region1_name is None:
 region1_name = 'RegionOne'
- service_list = self._get_keystoneclient().services.list()
+ service_list = self._get_keystoneclient(OPENSTACK_CONFIG).services.list()
 for s in service_list:
 if s.name.find(constants.SERVICE_TYPE_CINDER) != -1:
- endpoint_list += self._get_keystoneclient().endpoints.list(
+ endpoint_list += self._get_keystoneclient(OPENSTACK_CONFIG).endpoints.list(
 service=s, region=region1_name)
 except Exception:
 LOG.error("Failed to get keystone endpoints for cinder.")
@@ -704,10 +748,10 @@ class OpenStackOperator(object):
 def _get_cinderclient(self):
 if not self.cinder_client:
 self.cinder_client = cinder_client_v2.Client(
- session=self._get_keystone_session(),
- auth_url=self.auth_url,
+ session=self._get_keystone_session(OPENSTACK_CONFIG),
+ auth_url=self._get_auth_url(OPENSTACK_CONFIG),
 endpoint_type='internalURL',
- region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.cinder_region_name)
+ region_name=cfg.CONF[OPENSTACK_CONFIG].cinder_region_name)
 return self.cinder_client
 
@@ -817,7 +861,7 @@ class OpenStackOperator(object):
 region1_name = get_region_name('region_1_name')
 if region1_name is None:
 region1_name = 'RegionOne'
- auth_ref = self._get_keystoneclient().auth_ref
+ auth_ref = self._get_keystoneclient(PLATFORM_CONFIG).auth_ref
 if auth_ref is None:
 raise exception.SysinvException(_("Unable to get auth ref "
 "from keystone client"))
@@ -830,7 +874,7 @@ class OpenStackOperator(object):
 version = 1
 return cgts_client.Client(version=version,
 endpoint=endpoint['url'],
- auth_url=self.auth_url,
+ auth_url=self._get_auth_url(PLATFORM_CONFIG),
 token=auth_token['id'])
 
 def get_ceph_mon_info(self):
@@ -879,11 +923,11 @@ class OpenStackOperator(object):
 # because neutron and nova client doesn't
 # and I shamelessly copied them
 self.magnum_client = magnum_client_v1.Client(
- session=self._get_keystone_session(),
- auth_url=self.auth_url,
+ session=self._get_keystone_session(OPENSTACK_CONFIG),
+ auth_url=self._get_auth_url(OPENSTACK_CONFIG),
 endpoint_type='internalURL',
 direct_use=False,
- region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.magnum_region_name)
+ region_name=cfg.CONF[OPENSTACK_CONFIG].magnum_region_name)
 return self.magnum_client
 
 def get_magnum_cluster_count(self):
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
index d762813a28..6db5a3828b 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/inventory.py
@@ -16,6 +16,8 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
 SERVICE_PORT = 6385
 SERVICE_PATH = 'v1'
 
+ OPENSTACK_KEYRING_SERVICE = 'CGCS'
+
 def get_static_config(self):
 dbuser = self._get_database_username(self.SERVICE_NAME)
 
@@ -79,6 +81,21 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
 'openstack::sysinv::params::region_name': self.get_region_name(),
 'platform::sysinv::params::service_create': self._to_create_services(),
+
+ 'sysinv::api::openstack_keystone_auth_uri':
+ self._keystone_auth_uri(),
+ 'sysinv::api::openstack_keystone_identity_uri':
+ self._keystone_identity_uri(),
+ 'sysinv::api::openstack_keystone_user_domain':
+ self._operator.keystone.get_admin_user_domain(),
+ 'sysinv::api::openstack_keystone_project_domain':
+ self._operator.keystone.get_admin_project_domain(),
+ 'sysinv::api::openstack_keystone_user':
+ self._operator.keystone.get_admin_user_name(),
+ 'sysinv::api::openstack_keystone_tenant':
+ self._operator.keystone.get_admin_project_name(),
+ 'sysinv::api::openstack_keyring_service':
+ self.OPENSTACK_KEYRING_SERVICE
 }
 
 def get_secure_system_config(self):
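Review bot: The user and project exported for the new `openstack_keystone_authtoken` section in the inventory.py @@ -79 hunk come from `get_admin_user_name()` and `get_admin_project_name()`, with the password resolved from the keyring, so the conductor's neutron, nova, cinder and magnum calls now appear to run as the keystone admin user instead of the `sysinv` service user that `keystone_opts` defaults to (openstack.py @@ -60 hunk); if a dedicated service account with only the roles those calls need is feasible in the pod keystone, it keeps the conductor at least privilege and makes its activity distinguishable from interactive admin use in the keystone audit trail. Every other `openstack_*` value here is derived from the same platform helpers as the existing `keystone_*` values (`_keystone_auth_uri`, `_keystone_identity_uri`, `get_admin_*_domain`), so the two sections currently describe the same keystone; that looks like a transition step and deserves a comment on the first new entry such as `# NOTE: same keystone as the platform section until the pod keystone is wired in`. `OPENSTACK_KEYRING_SERVICE = 'CGCS'` in the @@ -16 hunk duplicates the `keyring_service` default in `openstack_keystone_opts`; one shared constant would avoid the two drifting. The dict literal these entries sit in starts outside the hunk.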