From e1f2af6433bfae9b098cc6cdbccda5e635e05c2b Mon Sep 17 00:00:00 2001 
From: Megh Bhatt Date: Sat, 11 Jun 2016 01:11:32 -0700 Subject: [PATCH] 1. Add provisioning of cloud_admin_access_only Enable cloud_admin_access_only by default. Add a parameter --no_multi_tenancy to setup-vnc-collector to disable cloud_admin_access_only. Remove templates for ini files for contrail-analytics-api, contrail-collector, and contrail-query-engine and for conf file of contrail-analytics-api Partial-Bug: #1461175 (cherry picked from commit ec3c1741b5a2f7b49bc18a6b85421e0584c2494e) Conflicts: contrail_provisioning/collector/setup.py 2. Rename multi_tenancy to aaa_mode for analytics API Partial-Bug: #1599654 (cherry picked from commit 97c3c396de54d118dc63a278ae9ecc0cad3a2c5d) Conflicts: contrail_provisioning/collector/setup.py 3. Fix provisioning failure in setup-vnc-collector Configure memcache servers in /etc/contrail/contrail-keystone-auth.conf only from config node setup Closes-Bug: #1606654 (cherry picked from commit 98de6812efad7c44e342dfa5d4105c82107826a4) Conflicts: contrail_provisioning/common/base.py 4. Rename multi_tenancy to aaa_mode in upgrade path for analytics node Closes-Bug: #1607469 (cherry picked from commit b8f4c6906a6f643873436d31f630c155f4d1d07e) 5. Changes to bring analytics authenticated access in sync with config 1. Rename aaa_mode value cloud-admin-only to cloud-admin 2. 
CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin Partial-Bug: #1607563 (cherry picked from commit 3e8d8412dc8f9e52f12261a173bff34202366f8b) Conflicts: contrail_provisioning/collector/setup.py Change-Id: I56dd3e14a7a2ad8d676decf3dbbb2170170a957b --- contrail_provisioning/collector/setup.py | 121 ++++++++++-------- .../templates/contrail_analytics_api_conf.py | 34 ----- .../templates/contrail_analytics_api_ini.py | 17 --- .../templates/contrail_collector_ini.py | 17 --- .../templates/contrail_query_engine_ini.py | 17 --- contrail_provisioning/collector/upgrade.py | 18 ++- contrail_provisioning/common/base.py | 4 +- contrail_provisioning/config/openstack.py | 2 +- 8 files changed, 89 insertions(+), 141 deletions(-) delete mode 100644 contrail_provisioning/collector/templates/contrail_analytics_api_conf.py delete mode 100644 contrail_provisioning/collector/templates/contrail_analytics_api_ini.py delete mode 100644 contrail_provisioning/collector/templates/contrail_collector_ini.py delete mode 100644 contrail_provisioning/collector/templates/contrail_query_engine_ini.py diff --git a/contrail_provisioning/collector/setup.py b/contrail_provisioning/collector/setup.py index 669d06f0..83f509ec 100755 --- a/contrail_provisioning/collector/setup.py +++ b/contrail_provisioning/collector/setup.py 
@@ -8,13 +8,9 @@ from contrail_provisioning.common.base import ContrailSetup from contrail_provisioning.collector.templates import contrail_query_engine_conf from contrail_provisioning.collector.templates import contrail_collector_conf -from contrail_provisioning.collector.templates import contrail_analytics_api_conf from contrail_provisioning.collector.templates import contrail_analytics_nodemgr_template from contrail_provisioning.collector.templates import redis_server_conf_template from contrail_provisioning.common.templates import contrail_database_template -from contrail_provisioning.collector.templates import contrail_collector_ini -from contrail_provisioning.collector.templates import contrail_query_engine_ini -from contrail_provisioning.collector.templates import contrail_analytics_api_ini class CollectorSetup(ContrailSetup): def __init__(self, args_str = None): @@ -34,7 +30,7 @@ def __init__(self, args_str = None): 'keystone_service_tenant_name' : 'service', 'keystone_auth_protocol': 'http', 'keystone_auth_port': '35357', - 'multi_tenancy': True, + 'aaa_mode': 'cloud-admin', } self.parse_args(args_str) @@ -88,8 +84,10 @@ def parse_args(self, args_str): help = "Connect to keystone in secure or insecure mode if in" + \ "https mode", default = 'False') - parser.add_argument("--multi_tenancy", help = "(Deprecated, defaults to True) Enforce resource permissions (implies token validation)", - action="store_true") + parser.add_argument("--aaa_mode", help="AAA mode", + choices=['no-auth', 'cloud-admin']) + parser.add_argument("--cloud_admin_role", + help="Name of cloud-admin role") parser.add_argument("--cassandra_user", help="Cassandra user name", default= None) parser.add_argument("--cassandra_password", help="Cassandra password", 
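Review bot: The new `--aaa_mode` option in the parse_args hunk is documented only as "AAA mode", which does not tell an operator what each choice does to access control on the analytics API. Going by the commit description, `cloud-admin` restricts access to the cloud-admin role and `no-auth` presumably turns authentication off, so the help should say so, e.g. `help="AAA mode: 'cloud-admin' (default) limits analytics API access to the cloud-admin role; 'no-auth' disables authentication"`. The same hunk removes `--multi_tenancy` outright although its old help text called it deprecated, so an existing invocation that still passes the flag will most likely fail in argparse; accepting it as a no-op with a deprecation warning would make the rename safer. parse_args starts and ends outside the hunk.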
@@ -104,29 +102,35 @@ def fixup_config_files(self): self.fixup_contrail_topology() self.fixup_contrail_analytics_nodemgr() if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'): - self.fixup_keystone_auth_config_file() + self.fixup_keystone_auth_config_file(False) self.fixup_contrail_alarm_gen() - if self._args.cassandra_user is not None: - self.fixup_cassandra_config() - self.fixup_ini_files() + self.fixup_cassandra_config() + self.fixup_ini_files() - def fixup_ini_files(self): - collector_conf_files = ['/etc/contrail/contrail-collector.conf','/etc/contrail/contrail-database.conf'] - query_engine_conf_files = ['/etc/contrail/contrail-query-engine.conf','/etc/contrail/contrail-database.conf'] - analytics_api_conf_files = ['/etc/contrail/contrail-analytics-api.conf','/etc/contrail/contrail-database.conf'] - collector_template_vals = {'__contrail_collector_conf__': ' --conf_file '.join(collector_conf_files)} - query_engine_template_vals = {'__contrail_query_engine_conf__': ' --conf_file '.join(query_engine_conf_files)} - analytics_api_template_vals = {'__contrail_analytics_api_conf__': ' --conf_file '.join(analytics_api_conf_files)} - self._template_substitute_write(contrail_collector_ini.template, - collector_template_vals, self._temp_dir_name + '/contrail-collector.ini') - local("sudo mv %s/contrail-collector.ini /etc/contrail/supervisord_analytics_files/contrail-collector.ini" %(self._temp_dir_name)) - self._template_substitute_write(contrail_query_engine_ini.template, - query_engine_template_vals, self._temp_dir_name + '/contrail-query-engine.ini') - local("sudo mv %s/contrail-query-engine.ini /etc/contrail/supervisord_analytics_files/contrail-query-engine.ini" %(self._temp_dir_name)) - self._template_substitute_write(contrail_analytics_api_ini.template, - analytics_api_template_vals, self._temp_dir_name + '/contrail-analytics-api.ini') - local("sudo mv %s/contrail-analytics-api.ini 
/etc/contrail/supervisord_analytics_files/contrail-analytics-api.ini" %(self._temp_dir_name)) + def fixup_analytics_daemon_ini_file(self, daemon_name, conf_files=None): + dconf_files = [] + if conf_files: + dconf_files.extend(conf_files) + daemon_conf_file = '/etc/contrail/' + daemon_name + '.conf' + dconf_files.append(daemon_conf_file) + if self._args.cassandra_user: + database_conf = '/etc/contrail/contrail-database.conf' + dconf_files.append(database_conf) + ini_conf_cmd = ''.join([' --conf_file ' + conf_file for \ + conf_file in dconf_files]) + supervisor_dir = '/etc/contrail/supervisord_analytics_files' + bin_dir = '/usr/bin' + self.set_config(os.path.join(supervisor_dir, daemon_name + '.ini'), + 'program:' + daemon_name, 'command', + os.path.join(bin_dir, daemon_name) + ini_conf_cmd) + # end fixup_analytics_daemon_ini_file + def fixup_ini_files(self): + self.fixup_analytics_daemon_ini_file('contrail-collector') + self.fixup_analytics_daemon_ini_file('contrail-query-engine') + self.fixup_analytics_daemon_ini_file('contrail-analytics-api', + ['/etc/contrail/contrail-keystone-auth.conf']) + # end fixup_ini_files def fixup_cassandra_config(self): if self._args.cassandra_user: @@ -138,7 +142,7 @@ def fixup_cassandra_config(self): self._template_substitute_write(contrail_database_template.template, template_vals, self._temp_dir_name + '/contrail-collector-database.conf') local("sudo mv %s/contrail-collector-database.conf /etc/contrail/contrail-database.conf" %(self._temp_dir_name)) - + # end fixup_cassandra_config def fixup_contrail_alarm_gen(self): ALARM_GEN_CONF_FILE = '/etc/contrail/contrail-alarm-gen.conf' 
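Review bot: `fixup_analytics_daemon_ini_file` only sets the `command` key under `program:<daemon>`, while the ini templates deleted by this commit also carried `user=contrail`, `killasgroup`, the log paths and the priorities. Nothing in this hunk checks that the target `.ini` is already installed, so if it is missing and `set_config` creates it, the supervisor entry would presumably hold `command` alone and the daemon would run as whatever account supervisord runs as rather than `contrail`. I would fail early when the file is absent, or set the account explicitly next to the command, e.g. `self.set_config(os.path.join(supervisor_dir, daemon_name + '.ini'), 'program:' + daemon_name, 'user', 'contrail')`. The method also has no docstring; it should state that `conf_files` are passed ahead of the daemon's own conf file and that `/etc/contrail/contrail-keystone-auth.conf` must be readable by the service account.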
@@ -278,41 +282,54 @@ def fixup_contrail_query_engine(self): def fixup_contrail_analytics_api(self): ALARM_GEN_CONF_FILE = '/etc/contrail/contrail-alarm-gen.conf' conf_file = '/etc/contrail/contrail-analytics-api.conf' + with settings(warn_only=True): + local("[ -f %s ] || > %s" % (conf_file, conf_file)) rest_api_port = '8081' if self._args.internal_vip: rest_api_port = '9081' - template_vals = {'__contrail_log_file__' : '/var/log/contrail/contrail-analytics-api.log', - '__contrail_log_local__': '1', - '__contrail_log_category__': '', - '__contrail_log_level__': 'SYS_NOTICE', - '__contrail_redis_server_port__' : '6379', - '__contrail_redis_query_port__' : '6379', - '__contrail_http_server_port__' : '8090', - '__contrail_rest_api_port__' : rest_api_port, - '__contrail_host_ip__' : self._args.self_collector_ip, - '__contrail_discovery_ip__' : self._args.cfgm_ip, - '__contrail_discovery_port__' : 5998, - '__contrail_cassandra_server_list__' : ' '.join('%s:%s' % cassandra_server for cassandra_server in self.cassandra_server_list), - '__contrail_analytics_data_ttl__' : self._args.analytics_data_ttl, - '__contrail_config_audit_ttl__' : self._args.analytics_config_audit_ttl, - '__contrail_statistics_ttl__' : self._args.analytics_statistics_ttl, - '__contrail_flow_ttl__' : self._args.analytics_flow_ttl, - '__contrail_redis_password__' : ''} + config_vals = \ + { 'DEFAULTS' : { + 'log_file' : '/var/log/contrail/contrail-analytics-api.log', + 'log_local': 1, + 'log_category': '', + 'log_level': 'SYS_NOTICE', + 'http_server_port' : 8090, + 'rest_api_port' : rest_api_port, + 'host_ip' : self._args.self_collector_ip, + 'cassandra_server_list' : ' '.join('%s:%s' % cassandra_server for \ + cassandra_server in self.cassandra_server_list), + 'analytics_data_ttl' : self._args.analytics_data_ttl, + 'analytics_config_audit_ttl' : self._args.analytics_config_audit_ttl, + 'analytics_statistics_ttl' : self._args.analytics_statistics_ttl, + 'analytics_flow_ttl' : 
self._args.analytics_flow_ttl, + 'api_server' : self._args.cfgm_ip + ':8082', + 'aaa_mode' : self._args.aaa_mode, + }, + 'REDIS' : { + 'redis_server_port' : 6379, + 'redis_query_port' : 6379, + }, + 'DISCOVERY' : { + 'disc_server_ip' : self._args.cfgm_ip, + 'disc_server_port' : 5998, + }, + } if self._args.redis_password: - template_vals['__contrail_redis_password__'] = 'redis_password = '+ self._args.redis_password - self._template_substitute_write(contrail_analytics_api_conf.template, - template_vals, self._temp_dir_name + '/contrail-analytics-api.conf') - local("sudo mv %s/contrail-analytics-api.conf %s" % \ - (self._temp_dir_name, conf_file)) + config_vals['REDIS']['redis_password'] = self._args.redis_password + if self._args.cloud_admin_role: + config_vals['DEFAULTS']['cloud_admin_role'] = self._args.cloud_admin_role # pickup the number of partitions from alarmgen conf # if it isn't there, analytics-api conf should use defaults too try: pstr = self.get_config(ALARM_GEN_CONF_FILE, 'DEFAULTS', 'partitions') pint = int(pstr) - self.set_config(conf_file, 'DEFAULTS', 'partitions', pstr) + config_vals['DEFAULTS']['partitions'] = pstr except: - self.replace_in_file(conf_file, 'partitions', '') + config_vals['DEFAULTS']['partitions'] = '' + for section, parameter_values in config_vals.items(): + for parameter, value in parameter_values.items(): + self.set_config(conf_file, section, parameter, value) def load_redis_upstart_file(self): #copy the redis-server conf to init diff --git a/contrail_provisioning/collector/templates/contrail_analytics_api_conf.py b/contrail_provisioning/collector/templates/contrail_analytics_api_conf.py deleted file mode 100644 index 2439be67..00000000 --- a/contrail_provisioning/collector/templates/contrail_analytics_api_conf.py +++ /dev/null 
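Review bot: The added `local("[ -f %s ] || > %s" % (conf_file, conf_file))` creates `/etc/contrail/contrail-analytics-api.conf` with whatever umask the provisioning shell has, and a few lines later `redis_password` is written into that same file through `set_config`. The file should get an explicit restrictive mode and owner before any secret lands in it, for example `local("[ -f %s ] || sudo install -m 0640 -o contrail /dev/null %s" % (conf_file, conf_file))` (owner assumed from the `user=contrail` in the removed ini templates). Because the call sits under `settings(warn_only=True)`, a failed creation is ignored and only surfaces later inside `set_config`. Separately, the fallback `config_vals['DEFAULTS']['partitions'] = ''` writes an empty `partitions` key instead of leaving it out, which does not match the comment that analytics-api should use its defaults; skipping the key in the `except` branch would. fixup_contrail_analytics_api starts outside the hunk.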
@@ -1,34 +0,0 @@
-import string
-
-template = string.Template("""
-[DEFAULTS]
-host_ip = $__contrail_host_ip__
-cassandra_server_list=$__contrail_cassandra_server_list__
-#collectors = 127.0.0.1:8086
-http_server_port = $__contrail_http_server_port__
-rest_api_port = $__contrail_rest_api_port__
-rest_api_ip = 0.0.0.0
-log_local = $__contrail_log_local__
-log_level = $__contrail_log_level__
-log_category = $__contrail_log_category__
-log_file = $__contrail_log_file__
-
-# Time-to-live in hours of the various data stored by collector into
-# cassandra
-# analytics_config_audit_ttl, if not set (or set to -1), defaults to analytics_data_ttl
-# analytics_statistics_ttl, if not set (or set to -1), defaults to analytics_data_ttl
-# analytics_flow_ttl, if not set (or set to -1), defaults to analytics_statsdata_ttl
-analytics_data_ttl=$__contrail_analytics_data_ttl__
-analytics_config_audit_ttl=$__contrail_config_audit_ttl__
-analytics_statistics_ttl=$__contrail_statistics_ttl__
-analytics_flow_ttl=$__contrail_flow_ttl__
-
-[DISCOVERY]
-disc_server_ip = $__contrail_discovery_ip__
-disc_server_port = $__contrail_discovery_port__
-
-[REDIS]
-redis_server_port = $__contrail_redis_server_port__
-redis_query_port = $__contrail_redis_query_port__
-$__contrail_redis_password__
-""")
diff --git a/contrail_provisioning/collector/templates/contrail_analytics_api_ini.py b/contrail_provisioning/collector/templates/contrail_analytics_api_ini.py
deleted file mode 100644
index 2052abe4..00000000
--- a/contrail_provisioning/collector/templates/contrail_analytics_api_ini.py
+++ /dev/null
@@ -1,17 +0,0 @@
-import string
-
-template = string.Template("""
-[program:contrail-analytics-api]
-command=/usr/bin/contrail-analytics-api --conf_file $__contrail_analytics_api_conf__
-priority=440
-autostart=true
-killasgroup=true
-stopsignal=KILL
-stdout_capture_maxbytes=1MB
-redirect_stderr=true
-stdout_logfile=/var/log/contrail/contrail-analytics-api-stdout.log
-stderr_logfile=/var/log/contrail/contrail-analytics-api-stderr.log
-startsecs=5
-exitcodes=0 ; 'expected' exit codes for process (default 0,2)
-user=contrail
-""")
diff --git a/contrail_provisioning/collector/templates/contrail_collector_ini.py b/contrail_provisioning/collector/templates/contrail_collector_ini.py
deleted file mode 100644
index 5c52c81c..00000000
--- a/contrail_provisioning/collector/templates/contrail_collector_ini.py
+++ /dev/null
@@ -1,17 +0,0 @@
-import string
-
-template = string.Template("""
-[program:contrail-collector]
-command=/usr/bin/contrail-collector --conf_file $__contrail_collector_conf__
-priority=420
-autostart=true
-killasgroup=true
-stopsignal=KILL
-stdout_capture_maxbytes=1MB
-redirect_stderr=true
-stdout_logfile=/var/log/contrail/contrail-collector-stdout.log
-stderr_logfile=/dev/null
-startsecs=5
-exitcodes=0 ; 'expected' exit codes for process (default 0,2)
-user=contrail
-""")
diff --git a/contrail_provisioning/collector/templates/contrail_query_engine_ini.py b/contrail_provisioning/collector/templates/contrail_query_engine_ini.py
deleted file mode 100644
index 45c69176..00000000
--- a/contrail_provisioning/collector/templates/contrail_query_engine_ini.py
+++ /dev/null
@@ -1,17 +0,0 @@ -import string - -template = string.Template(""" -[program:contrail-query-engine] -command=/usr/bin/contrail-query-engine --conf_file $__contrail_query_engine_conf__ -priority=430 -autostart=true -killasgroup=true -stopsignal=KILL -stdout_capture_maxbytes=1MB -redirect_stderr=true -stdout_logfile=/var/log/contrail/contrail-query-engine-stdout.log -stderr_logfile=/dev/null -startsecs=5 -exitcodes=0 ; 'expected' exit codes for process (default 0,2) -user=contrail -""") diff --git a/contrail_provisioning/collector/upgrade.py b/contrail_provisioning/collector/upgrade.py index 2f467033..e4b5300c 100644 --- a/contrail_provisioning/collector/upgrade.py +++ b/contrail_provisioning/collector/upgrade.py @@ -60,7 +60,7 @@ def update_config(self): self.fixup_contrail_topology() # Create contrail-keystone-auth.conf if not os.path.exists('/etc/contrail/contrail-keystone-auth.conf'): - self.fixup_keystone_auth_config_file() + self.fixup_keystone_auth_config_file(False) # From 3.0: # 1. Alarmgen is enabled by default. @@ -126,6 +126,22 @@ def update_config(self): ' '.join('%s:%s' % (server.split(':')[0], '9042') for server \ in analytics_api_cass_server_list.split())) + # From 3.10: + # 1. contrail-analytics-api.conf provides access to only cloud admin + # role, API server VIP needs to be specified + # 2. contrail-keystone-auth.conf needs to be passed to + # contrail-analytics-api via contrail-analytics-api.ini + if (self._args.from_rel < LooseVersion('3.1') and + self._args.to_rel >= LooseVersion('3.1')): + analytics_api_conf = '/etc/contrail/contrail-analytics-api.conf' + self.set_config(analytics_api_conf, 'DEFAULTS', + 'aaa_mode', self._args.aaa_mode) + self.set_config(analytics_api_conf, 'DEFAULTS', 'api_server', + self._args.cfgm_ip + ':8082') + self.fixup_analytics_daemon_ini_file('contrail-analytics-api', + ['/etc/contrail/contrail-keystone-auth.conf']) + # end update_config + def main(): collector = CollectorUpgrade() collector.upgrade() 
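Review bot: The comment opening the added block in update_config says "From 3.10" while the condition compares against `LooseVersion('3.1')`, and those are different releases under LooseVersion ordering; one of the two should be corrected so it is clear which release introduced `aaa_mode`. The block then writes `self._args.aaa_mode` straight into contrail-analytics-api.conf, and nothing in this hunk shows that the upgrade path defines or defaults that argument, so an unset value could end up in the file as `aaa_mode = None` and leave the access mode after upgrade dependent on how analytics-api treats an unknown value. I would guard it with `aaa_mode = getattr(self._args, 'aaa_mode', None) or 'cloud-admin'` and log the mode being applied, since this step changes who can reach the analytics API. update_config starts outside the hunk.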
diff --git a/contrail_provisioning/common/base.py b/contrail_provisioning/common/base.py index 389e126f..f36f0734 100644 --- a/contrail_provisioning/common/base.py +++ b/contrail_provisioning/common/base.py @@ -281,7 +281,7 @@ def setup_coredump(self): print "Ignoring failure when enabling kdump" print "Exception: %s" % str(e) - def fixup_keystone_auth_config_file(self): + def fixup_keystone_auth_config_file(self, configure_memcache): # Keystone auth config ini template_vals = { '__contrail_keystone_ip__': self._args.keystone_ip, @@ -291,7 +291,7 @@ def fixup_keystone_auth_config_file(self): '__contrail_ks_auth_protocol__': self._args.keystone_auth_protocol, '__contrail_ks_auth_port__': self._args.keystone_auth_port, '__keystone_insecure_flag__': self._args.keystone_insecure, - '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if self._args.multi_tenancy else '', + '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if configure_memcache else '', } self._template_substitute_write(contrail_keystone_auth_conf.template, template_vals, self._temp_dir_name + '/contrail-keystone-auth.conf') diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py index 39019e5d..6758aa15 100755 --- a/contrail_provisioning/config/openstack.py +++ b/contrail_provisioning/config/openstack.py @@ -23,7 +23,7 @@ def __init__(self, config_args, args_str=None): def fixup_config_files(self): self.fixup_cassandra_config() - self.fixup_keystone_auth_config_file() + self.fixup_keystone_auth_config_file(self._args.multi_tenancy) self.fixup_ifmap_config_files() self.fixup_contrail_api_config_file() config_files = [
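Review bot: `fixup_keystone_auth_config_file` in common/base.py gains a required positional `configure_memcache` argument with no default and no docstring, so any caller not touched by this patch would raise a TypeError at provisioning time. Since the commit description says memcache servers are to be configured only from config node setup, `def fixup_keystone_auth_config_file(self, configure_memcache=False):` keeps other callers working with that behaviour. A one-line docstring such as `"""Write contrail-keystone-auth.conf; add memcache_servers only when configure_memcache is true."""` would document the flag. The function body continues outside the hunk.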