/
contrail-keystone-setup.sh
394 lines (341 loc) · 13.8 KB
/
contrail-keystone-setup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
# Sample initial data for Keystone using python-keystoneclient
#
# This script is based on the original DevStack keystone_data.sh script.
#
# It demonstrates how to bootstrap Keystone with an administrative user
# using the SERVICE_TOKEN and SERVICE_ENDPOINT environment variables
# and the administrative API. It will get the admin_token (SERVICE_TOKEN)
# and admin_port from keystone.conf if available.
#
# There are two environment variables to set passwords that should be set
# prior to running this script. Warnings will appear if they are unset.
# * ADMIN_PASSWORD is used to set the password for the admin and demo accounts.
# * SERVICE_PASSWORD is used to set the password for the service accounts.
#
# Enable the Swift and Quantum accounts by setting ENABLE_SWIFT and/or
# ENABLE_QUANTUM environment variables.
#
# Enable creation of endpoints by setting ENABLE_ENDPOINTS environment variable.
# Works with Catalog SQL backend. Do not use with Catalog Templated backend
# (default).
#
#
# Tenant User Roles
# -------------------------------------------------------
# admin admin admin
# service glance admin
# service nova admin
# service quantum admin # if enabled
# service swift admin # if enabled
# demo admin admin
# demo demo Member,sysadmin,netadmin
# invisible_to_admin demo Member
set -x
ENABLE_ENDPOINTS=yes
#ENABLE_QUANTUM=yes
if [ -f /etc/redhat-release ]; then
rpm -q contrail-heat > /dev/null && ENABLE_HEAT='yes'
is_ubuntu=0
fi
if [ -f /etc/lsb-release ] && egrep -q 'DISTRIB_ID.*Ubuntu' /etc/lsb-release; then
dpkg -l contrail-heat > /dev/null && ENABLE_HEAT='yes'
is_ubuntu=1
keystone_version=`dpkg -l | grep 'ii' | grep keystone | grep -v python | awk '{print $3}'`
fi
if [ -z $ADMIN_PASSWORD ]; then
echo ADMIN_PASSWORD must be defined
exit 1;
fi
if [ -z $SERVICE_PASSWORD ]; then
echo SERVICE_PASSWORD must be defined
exit 1;
fi
CONTROLLER=$1
if [ -z $CONTROLLER ]; then
$CONTROLLER="localhost"
fi
function get_id () {
echo `"$@" | grep ' id ' | awk '{print $4}'`
}
function is_keystone_up() {
for i in {1..36} {
do
keystone tenant-list
if [ $? == 0 ]; then
return 0
fi
echo "Keystone is not up, retrying in 5 secs"
sleep 5
done
return 1
}
function get_tenant() {
id=$(keystone tenant-list | grep ' '$1' ' | awk '{print $2;}')
if [ -z "$id" ]; then
id=$(keystone tenant-create --name=$1 | grep ' id ' | awk '{print $4}')
fi
echo $id
}
# Tenants
is_keystone_up
if [ $? != 0 ]; then
echo "Keystone is not up, Exiting..."
exit 1
fi
ADMIN_TENANT=$(get_tenant admin)
SERVICE_TENANT=$(get_tenant service)
DEMO_TENANT=$(get_tenant demo)
INVIS_TENANT=$(get_tenant invisible_to_admin)
# Users
function get_user() {
id=$(keystone user-list | grep $1 | awk '{print $2;}')
EMAIL="@example.com"
if [ -z $id ]; then
id=$(keystone user-create --name=$1 --pass="$ADMIN_PASSWORD" \
--email=$1$EMAIL | grep ' id ' | awk '{print $4;}')
fi
echo $id
}
ADMIN_USER=$(get_user admin)
DEMO_USER=$(get_user demo)
# Roles
function get_role() {
id=$(keystone role-list | grep ' '$1' ' | awk '{print $2;}')
if [ -z $id ]; then
id=$(keystone role-create --name=$1 | grep ' id ' | awk '{print $4;}')
fi
echo $id
}
ADMIN_ROLE=$(get_role admin)
MEMBER_ROLE=$(get_role Member)
KEYSTONEADMIN_ROLE=$(get_role KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_role KeystoneServiceAdmin)
SYSADMIN_ROLE=$(get_role sysadmin)
NETADMIN_ROLE=$(get_role netadmin)
function user_role_lookup() {
echo $(keystone user-role-list --user-id $1 --tenant-id $2 \
| grep ' '$3' ' | awk '{print $4;}')
}
# Add Roles to Users in Tenants
if [ -z $(user_role_lookup $ADMIN_USER $ADMIN_TENANT admin) ]; then
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $ADMIN_TENANT
fi
if [ -z $(user_role_lookup $DEMO_USER $DEMO_TENANT Member) ]; then
keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $DEMO_TENANT
fi
if [ -z $(user_role_lookup $DEMO_USER $DEMO_TENANT sysadmin) ]; then
keystone user-role-add --user-id $DEMO_USER --role-id $SYSADMIN_ROLE --tenant-id $DEMO_TENANT
fi
if [ -z $(user_role_lookup $DEMO_USER $DEMO_TENANT netadmin) ]; then
keystone user-role-add --user-id $DEMO_USER --role-id $NETADMIN_ROLE --tenant-id $DEMO_TENANT
fi
if [ -z $(user_role_lookup $DEMO_USER $INVIS_TENANT Member) ]; then
keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $INVIS_TENANT
fi
if [ -z $(user_role_lookup $ADMIN_USER $DEMO_TENANT admin) ]; then
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $DEMO_TENANT
fi
# TODO(termie): these two might be dubious
if [ -z $(user_role_lookup $ADMIN_USER $ADMIN_TENANT KeystoneAdmin) ]; then
keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONEADMIN_ROLE --tenant-id $ADMIN_TENANT
fi
if [ -z $(user_role_lookup $ADMIN_USER $ADMIN_TENANT KeystoneServiceAdmin) ]; then
keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONESERVICE_ROLE --tenant-id $ADMIN_TENANT
fi
# Services
function get_service() {
id=$(keystone service-list | grep ' '$1' ' | awk '{print $2;}')
if [ -z $id ]; then
id=$(get_id keystone service-create --name=$1 \
--type=$2 --description=$2)
fi
echo $id
}
function get_service_user() {
id=$(keystone user-list | grep $1 | awk '{print $2;}')
EMAIL="@example.com"
if [ -z $id ]; then
id=$(keystone user-create --name=$1 --pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT \
--email=$1$EMAIL | grep ' id ' | awk '{print $4;}')
fi
echo $id
}
function endpoint_lookup() {
echo $(keystone --os-region-name $OS_REGION_NAME endpoint-list | grep ' '$1' ' | awk '{print $2;}' )
}
NOVA_SERVICE=$(get_service nova compute "Nova Compute Service")
NOVA_USER=$(get_service_user nova)
if [ -z $(user_role_lookup $NOVA_USER $SERVICE_TENANT admin) ]; then
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $NOVA_USER \
--role-id $ADMIN_ROLE
fi
ubuntu_liberty=0
if [ $is_ubuntu -eq 1 ]; then
if [[ $keystone_version == *"8.0.0"* ]]; then
ubuntu_liberty=1
fi
fi
+source /etc/contrail/openstackrc
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $NOVA_SERVICE) ]; then
if [ $ubuntu_liberty -eq 1 ]; then
openstack endpoint create --region RegionOne $NOVA_SERVICE \
--publicurl http://$CONTROLLER:8774/v1.1/%\(tenant_id\)s \
--adminurl http://$CONTROLLER:8774/v1.1/%\(tenant_id\)s \
--internalurl http://$CONTROLLER:8774/v1.1/%\(tenant_id\)s
else
keystone endpoint-create --region RegionOne --service-id $NOVA_SERVICE \
--publicurl 'http://'$CONTROLLER':$(compute_port)s/v1.1/$(tenant_id)s' \
--adminurl 'http://'$CONTROLLER:'$(compute_port)s/v1.1/$(tenant_id)s' \
--internalurl 'http://'$CONTROLLER:'$(compute_port)s/v1.1/$(tenant_id)s'
fi
fi
fi
EC2_SERVICE=$(get_service ec2 ec2 "EC2 Compatibility Layer")
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $EC2_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $EC2_SERVICE \
--publicurl http://localhost:8773/services/Cloud \
--adminurl http://localhost:8773/services/Admin \
--internalurl http://localhost:8773/services/Cloud
fi
fi
GLANCE_SERVICE=$(get_service glance image "Glance Image Service")
GLANCE_USER=$(get_service_user glance)
if [ -z $(user_role_lookup $GLANCE_USER $SERVICE_TENANT admin) ]; then
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $GLANCE_USER \
--role-id $ADMIN_ROLE
fi
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $GLANCE_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $GLANCE_SERVICE \
--publicurl http://$CONTROLLER:9292/v1 \
--adminurl http://$CONTROLLER:9292/v1 \
--internalurl http://$CONTROLLER:9292/v1
fi
fi
KEYSTONE_SERVICE=$(get_service keystone identity "Keystone Identity Service")
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $KEYSTONE_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $KEYSTONE_SERVICE \
--publicurl 'http://'$CONTROLLER':$(public_port)s/v2.0' \
--adminurl 'http://'$CONTROLLER':$(admin_port)s/v2.0' \
--internalurl 'http://'$CONTROLLER':$(admin_port)s/v2.0'
fi
fi
CINDER_SERVICE=""
CINDER_USER=""
CINDER_SERVICE_TYPE=v1
# If cinder is Kilo based, volumev2 services are required
if [ -f /etc/redhat-release ]; then
os_cinder=$(rpm -q --queryformat="%{VERSION}" openstack-cinder)
is_kilo_or_above=$(python -c "from distutils.version import LooseVersion; \
print LooseVersion('$os_cinder') >= LooseVersion('2015.1.1')")
fi
if [ -f /etc/lsb-release ] && egrep -q 'DISTRIB_ID.*Ubuntu' /etc/lsb-release; then
os_cinder=$(dpkg-query -W -f='${Version}' cinder-api)
is_kilo_or_above=$(python -c "from distutils.version import LooseVersion; \
print LooseVersion('$os_cinder') >= LooseVersion('1:2015.1.1')")
fi
if [ "$is_kilo_or_above" == "True" ]; then
CINDER_SERVICE=$(get_service "cinderv2" volumev2 "Cinder V2 Service")
CINDER_USER=$(get_service_user cinderv2)
CINDER_SERVICE_TYPE=v2
fi
# Create cinder service if not created in above steps
if [[ -z "$CINDER_SERVICE" ]]; then
CINDER_SERVICE=$(get_service "cinder" volume "Cinder Service")
fi
# Create CINDER USER if not created in above steps
if [[ -z "$CINDER_USER" ]]; then
CINDER_USER=$(get_service_user cinder)
fi
if [ -z $(user_role_lookup $CINDER_USER $SERVICE_TENANT admin) ]; then
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $CINDER_USER \
--role-id $ADMIN_ROLE
fi
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $CINDER_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $CINDER_SERVICE \
--publicurl 'http://'$CONTROLLER':8776/'$CINDER_SERVICE_TYPE'/$(tenant_id)s' \
--adminurl 'http://'$CONTROLLER':8776/'$CINDER_SERVICE_TYPE'/$(tenant_id)s' \
--internalurl 'http://'$CONTROLLER':8776/'$CINDER_SERVICE_TYPE'/$(tenant_id)s'
fi
fi
HORIZON_SERVICE=$(get_service "horizon" dashboard "OpenStack Dashboard")
if [[ -n "$ENABLE_SWIFT" ]]; then
SWIFT_SERVICE=$(get_id \
keystone service-create --name=swift \
--type="object-store" \
--description="Swift Service")
SWIFT_USER=$(get_id keystone user-create --name=swift \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT \
--email=swift@example.com)
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $SWIFT_USER \
--role-id $ADMIN_ROLE
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $SWIFT_SERVICE \
--publicurl 'http://localhost:8080/v1/AUTH_$(tenant_id)s' \
--adminurl 'http://localhost:8080/v1/AUTH_$(tenant_id)s' \
--internalurl 'http://localhost:8080/v1/AUTH_$(tenant_id)s'
fi
fi
if [[ -n "$ENABLE_QUANTUM" ]]; then
QUANTUM_SERVICE=$(get_service quantum network "Quantum Service")
QUANTUM_USER=$(get_service_user quantum)
if [ -z $(user_role_lookup $QUANTUM_USER $SERVICE_TENANT admin) ]; then
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $QUANTUM_USER \
--role-id $ADMIN_ROLE
fi
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $QUANTUM_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $QUANTUM_SERVICE \
--publicurl http://localhost:9696 \
--adminurl http://localhost:9696 \
--internalurl http://localhost:9696
fi
fi
fi
if [[ -n "$ENABLE_HEAT" ]]; then
get_role heat_stack_user
get_role heat_stack_owner
HEAT_SERVICE=$(get_service heat orchestration "Orchestration Service")
HEAT_USER=$(get_service_user heat)
if [ -z $(user_role_lookup $HEAT_USER $SERVICE_TENANT admin) ]; then
keystone user-role-add --tenant-id $SERVICE_TENANT \
--user-id $HEAT_USER \
--role-id $ADMIN_ROLE
fi
if [[ -n "$ENABLE_ENDPOINTS" ]]; then
if [ -z $(endpoint_lookup $HEAT_SERVICE) ]; then
keystone endpoint-create --region $OS_REGION_NAME --service-id $HEAT_SERVICE \
--publicurl 'http://'$CONTROLLER':8004/v1/%(tenant_id)s' \
--adminurl 'http://'$CONTROLLER:'8004/v1/%(tenant_id)s' \
--internalurl 'http://'$CONTROLLER':8004/v1/%(tenant_id)s'
fi
fi
fi
# A set of EC2-compatible credentials is created for both admin and demo
# users and placed in etc/ec2rc.
EC2RC=${EC2RC:-/etc/contrail/ec2rc}
# create ec2 creds and parse the secret and access key returned
RESULT=$(keystone ec2-credentials-create --tenant-id=$ADMIN_TENANT --user-id=$ADMIN_USER)
ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
RESULT=$(keystone ec2-credentials-create --tenant-id=$DEMO_TENANT --user-id=$DEMO_USER)
DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
# write the secret and access to ec2rc
cat > $EC2RC <<EOF
ADMIN_ACCESS=$ADMIN_ACCESS
ADMIN_SECRET=$ADMIN_SECRET
DEMO_ACCESS=$DEMO_ACCESS
DEMO_SECRET=$DEMO_SECRET
EOF