keystone: rip
Part of the OpenStack cleanup.
This commit is contained in:
parent
5369400bb0
commit
d3d94992cf
@ -281,7 +281,7 @@
|
||||
stanchion = 262;
|
||||
riak-cs = 263;
|
||||
infinoted = 264;
|
||||
keystone = 265;
|
||||
# keystone = 265; # unused, removed 2017-12-13
|
||||
glance = 266;
|
||||
couchpotato = 267;
|
||||
gogs = 268;
|
||||
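Review bot: The new reservation comment records that 265 is unused but not why the number must stay reserved, which is what a later reader deciding whether to recycle it needs; the same applies to the gid hunk at 551. The module deleted further down created `/var/lib/keystone` and a mode-640 `keystone.conf` owned by keystone:keystone that carries the admin token and the database password, and nothing in this commit removes those files, so on systems that ran the module they presumably persist under uid/gid 265. Handing 265 to a new service would make that service's user the owner of those secrets. I would extend the line in both hunks to `# keystone = 265; # unused, removed 2017-12-13; keep reserved, old installs may still have /var/lib/keystone owned by this id`.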
@ -551,7 +551,7 @@
|
||||
stanchion = 262;
|
||||
riak-cs = 263;
|
||||
infinoted = 264;
|
||||
keystone = 265;
|
||||
# keystone = 265; # unused, removed 2017-12-13
|
||||
glance = 266;
|
||||
couchpotato = 267;
|
||||
gogs = 268;
|
||||
|
@ -748,6 +748,5 @@
|
||||
./virtualisation/vmware-guest.nix
|
||||
./virtualisation/xen-dom0.nix
|
||||
./virtualisation/xe-guest-utilities.nix
|
||||
./virtualisation/openstack/keystone.nix
|
||||
./virtualisation/openstack/glance.nix
|
||||
]
|
||||
|
@ -1,220 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib; with import ./common.nix {inherit lib;};
|
||||
|
||||
let
|
||||
cfg = config.virtualisation.openstack.keystone;
|
||||
keystoneConfTpl = pkgs.writeText "keystone.conf" ''
|
||||
[DEFAULT]
|
||||
admin_token = ${cfg.adminToken.pattern}
|
||||
policy_file=${cfg.package}/etc/policy.json
|
||||
|
||||
[database]
|
||||
|
||||
connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}"
|
||||
|
||||
[paste_deploy]
|
||||
config_file = ${cfg.package}/etc/keystone-paste.ini
|
||||
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
keystoneConf = "/var/lib/keystone/keystone.conf";
|
||||
|
||||
in {
|
||||
options.virtualisation.openstack.keystone = {
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
example = literalExample "pkgs.keystone";
|
||||
description = ''
|
||||
Keystone package to use.
|
||||
'';
|
||||
};
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable Keystone, the OpenStack Identity Service
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
default = "";
|
||||
type = types.lines;
|
||||
description = ''
|
||||
Additional text appended to <filename>keystone.conf</filename>,
|
||||
the main Keystone configuration file.
|
||||
'';
|
||||
};
|
||||
|
||||
adminToken = mkSecretOption {
|
||||
name = "adminToken";
|
||||
description = ''
|
||||
This is the admin token used to boostrap keystone,
|
||||
ie. to provision first resources.
|
||||
'';
|
||||
};
|
||||
|
||||
bootstrap = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Bootstrap the Keystone service by creating the service
|
||||
tenant, an admin account and a public endpoint. This options
|
||||
provides a ready-to-use admin account. This is only done at
|
||||
the first Keystone execution by the systemd post start.
|
||||
|
||||
Note this option is a helper for setting up development or
|
||||
testing environments.
|
||||
'';
|
||||
};
|
||||
|
||||
endpointPublic = mkOption {
|
||||
type = types.str;
|
||||
default = "http://localhost:5000/v2.0";
|
||||
description = ''
|
||||
The public identity endpoint. The link <link
|
||||
xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html">
|
||||
create keystone endpoint</link> provides more informations
|
||||
about that.
|
||||
'';
|
||||
};
|
||||
|
||||
adminUsername = mkOption {
|
||||
type = types.str;
|
||||
default = "admin";
|
||||
description = ''
|
||||
A keystone admin username.
|
||||
'';
|
||||
};
|
||||
|
||||
adminPassword = mkSecretOption {
|
||||
name = "keystoneAdminPassword";
|
||||
description = ''
|
||||
The keystone admin user's password.
|
||||
'';
|
||||
};
|
||||
|
||||
adminTenant = mkOption {
|
||||
type = types.str;
|
||||
default = "admin";
|
||||
description = ''
|
||||
A keystone admin tenant name.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
database = {
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = ''
|
||||
Host of the database.
|
||||
'';
|
||||
};
|
||||
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
default = "keystone";
|
||||
description = ''
|
||||
Name of the existing database.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "keystone";
|
||||
description = ''
|
||||
The database user. The user must exist and has access to
|
||||
the specified database.
|
||||
'';
|
||||
};
|
||||
password = mkSecretOption {
|
||||
name = "mysqlPassword";
|
||||
description = "The database user's password";};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Note: when changing the default, make it conditional on
|
||||
# ‘system.stateVersion’ to maintain compatibility with existing
|
||||
# systems!
|
||||
virtualisation.openstack.keystone.package = mkDefault pkgs.keystone;
|
||||
|
||||
users.extraUsers = [{
|
||||
name = "keystone";
|
||||
group = "keystone";
|
||||
uid = config.ids.uids.keystone;
|
||||
}];
|
||||
users.extraGroups = [{
|
||||
name = "keystone";
|
||||
gid = config.ids.gids.keystone;
|
||||
}];
|
||||
|
||||
systemd.services.keystone-all = {
|
||||
description = "OpenStack Keystone Daemon";
|
||||
after = [ "network.target"];
|
||||
path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
mkdir -m 755 -p /var/lib/keystone
|
||||
|
||||
cp ${keystoneConfTpl} ${keystoneConf};
|
||||
chown keystone:keystone ${keystoneConf};
|
||||
chmod 640 ${keystoneConf}
|
||||
|
||||
${replaceSecret cfg.database.password keystoneConf}
|
||||
${replaceSecret cfg.adminToken keystoneConf}
|
||||
|
||||
# Initialise the database
|
||||
${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync
|
||||
# Set up the keystone's PKI infrastructure
|
||||
${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} pki_setup --keystone-user keystone --keystone-group keystone
|
||||
'';
|
||||
postStart = optionalString cfg.bootstrap.enable ''
|
||||
set -eu
|
||||
# Wait until the keystone is available for use
|
||||
count=0
|
||||
while ! curl --fail -s http://localhost:35357/v2.0 > /dev/null
|
||||
do
|
||||
if [ $count -eq 30 ]
|
||||
then
|
||||
echo "Tried 30 times, giving up..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Keystone not yet started. Waiting for 1 second..."
|
||||
count=$((count++))
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# We use the service token to create a first admin user
|
||||
export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
|
||||
export OS_SERVICE_TOKEN=${getSecret cfg.adminToken}
|
||||
|
||||
# If the tenant service doesn't exist, we consider
|
||||
# keystone is not initialized
|
||||
if ! keystone tenant-get service
|
||||
then
|
||||
keystone tenant-create --name service
|
||||
keystone tenant-create --name ${cfg.bootstrap.adminTenant}
|
||||
keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${getSecret cfg.bootstrap.adminPassword}
|
||||
keystone role-create --name admin
|
||||
keystone role-create --name Member
|
||||
keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin
|
||||
keystone service-create --type identity --name keystone
|
||||
ID=$(keystone service-get keystone | awk '/ id / { print $4 }')
|
||||
keystone endpoint-create --region RegionOne --service $ID --publicurl ${cfg.bootstrap.endpointPublic} --adminurl http://localhost:35357/v2.0 --internalurl http://localhost:5000/v2.0
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
PermissionsStartOnly = true; # preStart must be run as root
|
||||
TimeoutStartSec = "600"; # 10min for initial db migrations
|
||||
User = "keystone";
|
||||
Group = "keystone";
|
||||
ExecStart = "${cfg.package}/bin/keystone-all --config-file=${keystoneConf}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -293,7 +293,6 @@ in rec {
|
||||
tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {};
|
||||
tests.kernel-latest = callTest tests/kernel-latest.nix {};
|
||||
tests.kernel-lts = callTest tests/kernel-lts.nix {};
|
||||
tests.keystone = callTest tests/keystone.nix {};
|
||||
tests.kubernetes = hydraJob (import tests/kubernetes/default.nix { system = "x86_64-linux"; });
|
||||
tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; };
|
||||
tests.ldap = callTest tests/ldap.nix {};
|
||||
|
@ -1,82 +0,0 @@
|
||||
{ system ? builtins.currentSystem }:
|
||||
|
||||
with import ../lib/testing.nix { inherit system; };
|
||||
with pkgs.lib;
|
||||
|
||||
let
|
||||
keystoneMysqlPassword = "keystoneMysqlPassword";
|
||||
keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
|
||||
keystoneAdminPassword = "keystoneAdminPassword";
|
||||
|
||||
createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
|
||||
create database keystone;
|
||||
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
|
||||
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
|
||||
'';
|
||||
# The admin keystone account
|
||||
adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
|
||||
# The created demo keystone account
|
||||
demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
|
||||
|
||||
in makeTest {
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ lewo ];
|
||||
};
|
||||
machine =
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
# This is to simulate nixops deployment process.
|
||||
# https://nixos.org/nixops/manual/#opt-deployment.keys
|
||||
boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
|
||||
|
||||
services.mysql.enable = true;
|
||||
services.mysql.initialScript = createKeystoneDb;
|
||||
|
||||
virtualisation = {
|
||||
|
||||
openstack.keystone = {
|
||||
enable = true;
|
||||
# Check if we can get the secret from a file
|
||||
database.password = {
|
||||
value = keystoneMysqlPasswordFile;
|
||||
storage = "fromFile";
|
||||
};
|
||||
adminToken = {
|
||||
value = "adminToken";
|
||||
storage = "fromNixStore";
|
||||
};
|
||||
|
||||
bootstrap.enable = true;
|
||||
# Check if we can get the secret from the store
|
||||
bootstrap.adminPassword = {
|
||||
value = keystoneAdminPassword;
|
||||
storage = "fromNixStore";
|
||||
};
|
||||
};
|
||||
|
||||
memorySize = 2096;
|
||||
diskSize = 4 * 1024;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs.pythonPackages; with pkgs; [
|
||||
openstackclient
|
||||
];
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
$machine->waitForUnit("keystone-all.service");
|
||||
|
||||
# Verify that admin ccount is working
|
||||
$machine->succeed("${adminOpenstackCmd} token issue");
|
||||
|
||||
# Try to create a new user
|
||||
$machine->succeed("${adminOpenstackCmd} project create --domain default --description 'Demo Project' demo");
|
||||
$machine->succeed("${adminOpenstackCmd} user create --domain default --password demo demo");
|
||||
$machine->succeed("${adminOpenstackCmd} role create user");
|
||||
$machine->succeed("${adminOpenstackCmd} role add --project demo --user demo user");
|
||||
|
||||
# Verify this new account is working
|
||||
$machine->succeed("${demoOpenstackCmd} token issue");
|
||||
'';
|
||||
}
|
@ -1,55 +0,0 @@
|
||||
{ stdenv, fetchurl, python2Packages, xmlsec, which, openssl }:
|
||||
|
||||
python2Packages.buildPythonApplication rec {
|
||||
name = "keystone-${version}";
|
||||
version = "8.0.0";
|
||||
namePrefix = "";
|
||||
|
||||
PBR_VERSION = "${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/openstack/keystone/archive/${version}.tar.gz";
|
||||
sha256 = "1xbrs7xgwjzrs07zyxxcl2lq18dh582gd6lx1zzzji8c0qmffy0z";
|
||||
};
|
||||
|
||||
# remove on next version bump
|
||||
patches = [ ./remove-oslo-policy-tests.patch ];
|
||||
|
||||
# https://github.com/openstack/keystone/blob/stable/liberty/requirements.txt
|
||||
propagatedBuildInputs = with python2Packages; [
|
||||
pbr webob eventlet greenlet PasteDeploy paste routes cryptography six
|
||||
sqlalchemy sqlalchemy_migrate stevedore passlib keystoneclient memcached
|
||||
keystonemiddleware oauthlib pysaml2 dogpile_cache jsonschema pycadf msgpack
|
||||
xmlsec MySQL_python
|
||||
|
||||
# oslo
|
||||
oslo-cache oslo-concurrency oslo-config oslo-context oslo-messaging oslo-db
|
||||
oslo-i18n oslo-log oslo-middleware oslo-policy oslo-serialization oslo-service
|
||||
oslo-utils
|
||||
];
|
||||
|
||||
buildInputs = with python2Packages; [
|
||||
coverage fixtures mock subunit tempest-lib testtools testrepository
|
||||
ldap ldappool webtest requests oslotest pep8 pymongo which
|
||||
];
|
||||
|
||||
makeWrapperArgs = ["--prefix PATH : '${openssl.bin}/bin:$PATH'"];
|
||||
|
||||
postInstall = ''
|
||||
# install .ini files
|
||||
mkdir -p $out/etc
|
||||
cp etc/* $out/etc
|
||||
|
||||
# check all binaries don't crash
|
||||
for i in $out/bin/*; do
|
||||
$i --help
|
||||
done
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = http://keystone.openstack.org/;
|
||||
description = "Authentication, authorization and service discovery mechanisms via HTTP";
|
||||
license = stdenv.lib.licenses.asl20;
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
};
|
||||
}
|
@ -16113,7 +16113,6 @@ with pkgs;
|
||||
notmuch-addrlookup = callPackage ../applications/networking/mailreaders/notmuch-addrlookup { };
|
||||
|
||||
# Open Stack
|
||||
keystone = callPackage ../applications/virtualization/openstack/keystone.nix { };
|
||||
neutron = callPackage ../applications/virtualization/openstack/neutron.nix { };
|
||||
glance = callPackage ../applications/virtualization/openstack/glance.nix { };
|
||||
|
||||
|