From bf51fa4f053a6aecb816ed7b4dcca64e9bd5b9b3 Mon Sep 17 00:00:00 2001
From: "Liam R. Howlett"
Date: Fri, 19 Sep 2014 15:51:17 -0400
Subject: python-keystone: Add apache vhost server.

This patch set configures an apache vhost server on port 8081 which will serve as the main authentication method and documents the change in README.keystone.

Signed-off-by: Liam R. Howlett
---
 meta-openstack/Documentation/README.keystone | 83 ++++++++++++++++++++++
 .../python/python-keystone/wsgi-keystone.conf | 25 +++++++
 .../recipes-devtools/python/python-keystone_git.bb | 69 +++++++++++++-----
 3 files changed, 161 insertions(+), 16 deletions(-)
 create mode 100644 meta-openstack/Documentation/README.keystone
 create mode 100644 meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf

diff --git a/meta-openstack/Documentation/README.keystone b/meta-openstack/Documentation/README.keystone
new file mode 100644
index 0000000..f8da890
--- /dev/null
+++ b/meta-openstack/Documentation/README.keystone
@@ -0,0 +1,83 @@ +Summary +======= + +This document is not intended to provide detail of how Keystone in general +works, but rather it highlights how Keystone is integrated/configured into +meta-cloud-services and also describes how Keystone is tested to ensure that +Keystone Verification and Benchmarking components are working correctly. + + +Keystone Overview +============== + +Keystone provides authentication, authorization and service discovery +mechanisms via HTTP primarily for use by projects in the OpenStack family. It +is most commonly deployed as an HTTP interface to existing identity systems, +such as LDAP. + +Keystone Deployment +================ + +Keystone is configured to use existing deployment (by using deployment +configuration file /etc/keystone/keystone{.conf,paste.ini}). In addition to the +default configuration files, meta-cloud-services installs a custom httpd file +apache configuration as /etc/apache2/conf.d/wsgi-keystone.conf along with +adding the 8081 port to the default /etc/apache2/httpd.conf. This file +starts a vhost on port 8081 which will be the replacement for the default server +running on port 35357 and 5000 in the future. + + +Keystone Verification +================== + +By default, Keystone verification performs the following steps: + +* git clone tempest source from upstream +* setup virtualenv for this tempest +* setup testr environment with virtualenv created above +* create tempest.conf for this tempest +* use testr and subunit.run module to run tempest + +However, meta-cloud-services already includes tempest which is also +configured/modified to have low failure/error testcases, therefore it's desired +to use this tempest (without using virtualenv) instead of letting Rally to +download tempest and running it on virtualenv. + + +The option "existing_tempest_config" in /etc/keystone/keystone.conf can be used +to configure Keystone to either use the existing tempest or to download from +upstream. 
+ +If the option "existing_tempest_config" is not set then Keystone follows the +default path. If "existing_tempest_config" is set to absolute path of tempest +config folder (which contains tempest "tools" and .testr.conf, e.g. +/etc/tempest) then Rally uses this existing tempest. By default, +"existing_tempest_config" is set to "/etc/tempest/". + + +Build Configuration Options +=========================== + +To have Keystone and tempest included in final built image, include layer +meta-openstack-controller-test-config into Controller build and +layer meta-openstack-compute-test-config into Compute build. + + +Keystone Built-In Unit Tests +========================= + +This section describes how to run Keystone built-in unit +tests which are located at: + + /usr/lib64/python2.7/site-packages/keystone/tests + +To run Keystone built-in unit test with nosetests: + + $ cd /usr/lib64/python2.7/site-packages/keystone/tests + $ nosetests -v + + +References +========== + +https://wiki.openstack.org/wiki/Keystone diff --git a/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf b/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf new file mode 100644 index 0000000..91b95f6 --- /dev/null +++ b/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf @@ -0,0 +1,25 @@ +Listen 8081 + + ServerAdmin webmaster@localhost + WSGIApplicationGroup %{RESOURCE} + WSGIDaemonProcess keystone threads=15 display-name=%{GROUP} + WSGIProcessGroup keystone + WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main + WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin + + + + Authtype none + + + + + Order allow,deny + Allow from all + + + = 2.3> + Require all granted + + + diff --git a/meta-openstack/recipes-devtools/python/python-keystone_git.bb b/meta-openstack/recipes-devtools/python/python-keystone_git.bb index a3511db..49aa278 100644 --- a/meta-openstack/recipes-devtools/python/python-keystone_git.bb 
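Review bot: The new vhost in wsgi-keystone.conf serves `/keystone/admin` under the same blanket `Allow from all` / `Require all granted` as `/keystone/main`, so the admin API that previously sat on its own port 35357 (and could be filtered separately at the network layer) is now reachable by any client that can reach 8081, and the `python ()` block in python-keystone_git.bb publishes exactly that URL as `adminurl` in the service catalog. Consider giving the admin path its own `<Location /keystone/admin>` with `Require ip ADMIN_NET_CIDR` (placeholder for the management network) or `Require local` instead of the unconditional grant, and record the choice in README.keystone, which currently only describes the port. `WSGIDaemonProcess keystone threads=15 display-name=%{GROUP}` sets no `user=`/`group=`, so the Keystone process appears to run under the Apache server identity; a comment naming that identity would explain why the recipe later relaxes the mode of keystone.conf and hands the PKI key group to `daemon`. The surrounding `<VirtualHost>`/`<Directory>`/`<IfVersion>` tags look stripped by extraction, so the exact scoping of these directives is inferred.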
+++ b/meta-openstack/recipes-devtools/python/python-keystone_git.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=master \
 file://keystone-search-in-etc-directory-for-config-files.patch \
 file://keystone-remove-git-commands-in-tests.patch \
 file://convert_keystone_backend.py \
+ file://wsgi-keystone.conf \
 "

 SRCREV="73ad4036d62b3aa7cf50e11ddf7bee8278bbe4d0"
@@ -51,9 +52,9 @@ SERVICECREATE_PARAM_${SRCNAME}-setup = "name type description region publicurl a
 python () {
 flags = {'type':'identity',\
 'description':'OpenStack Identity',\
- 'publicurl':"'http://${KEYSTONE_HOST}:5000/v2.0'",\
- 'adminurl':"'http://${KEYSTONE_HOST}:35357/v2.0'",\
- 'internalurl':"'http://${KEYSTONE_HOST}:5000/v2.0'"}
+ 'publicurl':"'http://${KEYSTONE_HOST}:8081/keystone/main/v2.0'",\
+ 'adminurl':"'http://${KEYSTONE_HOST}:8081/keystone/admin/v2.0'",\
+ 'internalurl':"'http://${KEYSTONE_HOST}:8081/keystone/main/v2.0'"}
 d.setVarFlags("SERVICECREATE_PARAM_%s-setup" % d.getVar('SRCNAME',True), flags)
 }
@@ -62,19 +63,38 @@ do_install_append() {
 KEYSTONE_CONF_DIR=${D}${sysconfdir}/keystone
 KEYSTONE_PACKAGE_DIR=${D}${PYTHON_SITEPACKAGES_DIR}/keystone
- install -m 750 -d ${KEYSTONE_CONF_DIR}
+ APACHE_CONF_DIR=${D}${sysconfdir}/apache2/conf.d/
+ KEYSTONE_PY_DIR=${D}${datadir}/openstack-dashboard/openstack_dashboard/api/
+ KEYSTONE_CGI_DIR=${D}${localstatedir}/www/cgi-bin/keystone/
+
+ # Apache needs to read the configs.
+ install -m 755 -d ${KEYSTONE_CONF_DIR}
+ install -m 755 -d ${APACHE_CONF_DIR}
 install -d ${D}${localstatedir}/log/${SRCNAME}
+ install -g users -m 755 -d ${KEYSTONE_CGI_DIR}
+ install -g users -m 755 -d ${KEYSTONE_PY_DIR}
- install -m 600 ${WORKDIR}/keystone.conf ${KEYSTONE_CONF_DIR}/
+ # Apache needs to read the keystone.conf
+ install -m 644 ${WORKDIR}/keystone.conf ${KEYSTONE_CONF_DIR}/
+ # Apache needs to read the wsgi-keystone.conf
+ install -m 644 ${WORKDIR}/wsgi-keystone.conf ${APACHE_CONF_DIR}
 install -m 755 ${WORKDIR}/identity.sh ${KEYSTONE_CONF_DIR}/
- install -m 600 ${S}/etc/logging.conf.sample \
+ install -m 600 ${S}${sysconfdir}/logging.conf.sample \
 ${KEYSTONE_CONF_DIR}/logging.conf
- install -m 600 ${S}/etc/policy.json ${KEYSTONE_CONF_DIR}/policy.json
- install -m 600 ${S}/etc/keystone.conf.sample \
+ install -m 600 ${S}${sysconfdir}/keystone.conf.sample \
 ${KEYSTONE_CONF_DIR}/keystone.conf.sample
- install -m 600 ${S}/etc/keystone-paste.ini \
+ # Apache user needs to read these files.
+ install -m 644 ${S}${sysconfdir}/policy.json \
+ ${KEYSTONE_CONF_DIR}/policy.json
+ install -m 644 ${S}${sysconfdir}/keystone-paste.ini \
 ${KEYSTONE_CONF_DIR}/keystone-paste.ini
+ install -g users -m 644 ${S}/httpd/keystone.py \
+ ${KEYSTONE_PY_DIR}/keystone-httpd.py
+ install -g users -m 644 ${S}/httpd/keystone.py \
+ ${KEYSTONE_CGI_DIR}/admin
+ install -g users -m 644 ${S}/httpd/keystone.py \
+ ${KEYSTONE_CGI_DIR}/main
 cp -r ${S}/examples ${KEYSTONE_PACKAGE_DIR}
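Review bot: `install -m 644 ${WORKDIR}/keystone.conf ${KEYSTONE_CONF_DIR}/`, together with the directory mode going from `-m 750` to `-m 755`, makes keystone.conf readable by every local account rather than just the web server; that file receives the token-format substitution in the next hunk and, in a typical Keystone deployment, also carries the database connection string and admin token (not visible here), so world-readable is more than the `# Apache needs to read the keystone.conf` comment calls for. Read access for the web server's group is enough: `install -g daemon -m 750 -d ${KEYSTONE_CONF_DIR}` and `install -g daemon -m 640 ${WORKDIR}/keystone.conf ${KEYSTONE_CONF_DIR}/`, where `daemon` is the group the postinst hunk already hands the PKI signing key to via `--keystone-group=daemon`; the CGI and dashboard directories in this same hunk use `-g users`, so a single comment naming the identity Apache runs Keystone under would keep the three places consistent. policy.json and keystone-paste.ini at 644 hold no secrets and look fine. do_install_append starts before this hunk and continues after it.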
@@ -92,6 +112,14 @@ do_install_append() {
 sed -e "s:%TOKEN_FORMAT%:${TOKEN_FORMAT}:g" \
 -i ${KEYSTONE_CONF_DIR}/keystone.conf
+ sed "/# admin_endpoint = .*/a \
+ public_endpoint = http://${CONTROLLER_IP}:8081/keystone/main/ " \
+ -i ${KEYSTONE_CONF_DIR}/keystone.conf
+
+ sed "/# admin_endpoint = .*/a \
+ admin_endpoint = http://${CONTROLLER_IP}:8081/keystone/admin/ " \
+ -i ${KEYSTONE_CONF_DIR}/keystone.conf
+
 if ${@base_contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
 install -d ${D}${sysconfdir}/init.d
@@ -121,7 +149,7 @@ driver = keystone.identity.backends.hybrid_identity.Identity \
 \
 [assignment]\
 driver = keystone.assignment.backends.hybrid_assignment.Assignment\
-' ${D}/etc/keystone/keystone.conf
+' ${D}${sysconfdir}/keystone/keystone.conf

 sed -i -e '/^\[ldap\]/a \
 url = ldap://localhost \
@@ -152,7 +180,7 @@ role_member_attribute = member \
 role_id_attribute = cn \
 role_name_attribute = ou \
 role_tree_dn = ou=Roles,${LDAP_DN} \
-' ${D}/etc/keystone/keystone.conf
+' ${D}${sysconfdir}/keystone/keystone.conf

 install -m 0755 ${WORKDIR}/convert_keystone_backend.py \
 ${D}${sysconfdir}/keystone/convert_keystone_backend.py
@@ -177,10 +205,9 @@ pkg_postinst_${SRCNAME}-setup () {
 if [ -z `cat $PIDFILE 2>/dev/null` ]; then
 sudo -u postgres createdb keystone
 keystone-manage db_sync
- keystone-manage pki_setup --keystone-user=root --keystone-group=root
+ keystone-manage pki_setup --keystone-user=root --keystone-group=daemon

- if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)};
- then
+ if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
 /etc/init.d/openldap start
 fi
 /etc/init.d/keystone start
@@ -203,7 +230,8 @@ ALLOW_EMPTY_${SRCNAME}-setup = "1"
 ALLOW_EMPTY_${SRCNAME}-cronjobs = "1"

-FILES_${PN} = "${libdir}/*"
+FILES_${PN} = "${libdir}/* \
+ "

 FILES_${SRCNAME}-tests = "${sysconfdir}/${SRCNAME}/run_tests.sh"
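Review bot: Both `sed "/# admin_endpoint = .*/a \` commands in the first hunk leave a trailing blank inside the appended value (`.../keystone/main/ "`) and anchor on a commented line of the sample file, so if a later keystone.conf.sample drops or renames `# admin_endpoint` nothing is written and the catalog published by the `python ()` block silently stops matching the config. Dropping the blank and failing loudly is a two-line change: `grep -q '^# admin_endpoint = ' ${KEYSTONE_CONF_DIR}/keystone.conf || bbfatal "keystone.conf: admin_endpoint anchor not found"` before the first sed, and `public_endpoint = http://${CONTROLLER_IP}:8081/keystone/main/" \` (likewise for admin_endpoint) as the appended text. The endpoints stay plain http as the 5000/35357 ones were, but 8081 now also carries the admin path, so a sentence in README.keystone that tokens cross this port unencrypted until TLS is configured on the vhost would help deployers. do_install_append starts before this hunk and continues after it.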
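Review bot: `keystone-manage pki_setup --keystone-user=root --keystone-group=daemon` gives group `daemon` read access to the PKI token-signing key with no comment saying why; the reader has to infer that `daemon` is the group the Apache/mod_wsgi process runs Keystone under, which the vhost file does not set explicitly either, while the install hunk uses `-g users` for the CGI directories. A one-line comment above it, `# daemon: group of the Apache/mod_wsgi process, which must read the signing key to issue PKI tokens`, would record the assumption, and if a distro runs Apache under a different group the failure shows up as token issuance errors at runtime rather than here. pkg_postinst_${SRCNAME}-setup starts before this hunk and continues after it.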
@@ -211,6 +239,8 @@ FILES_${SRCNAME} = "${bindir}/* \
 ${sysconfdir}/${SRCNAME}/* \
 ${sysconfdir}/init.d/* \
 ${localstatedir}/* \
+ ${datadir}/openstack-dashboard/openstack_dashboard/api/keystone-httpd.py \
+ ${sysconfdir}/apache2/conf.d/wsgi-keystone.conf \
 "

 DEPENDS += " \
@@ -248,7 +278,14 @@ PACKAGECONFIG[OpenLDAP] = ",,,python-ldap python-keystone-hybrid-backend"
 # TODO:
 # if DISTRO_FEATURE contains "tempest" then add *-tests to the main RDEPENDS
-RDEPENDS_${SRCNAME} = "${PN} postgresql postgresql-client python-psycopg2"
+RDEPENDS_${SRCNAME} = " \
+ ${PN} \
+ postgresql \
+ postgresql-client \
+ python-psycopg2 \
+ apache2 \
+ "
+
 RDEPENDS_${SRCNAME}-setup = "postgresql sudo ${SRCNAME}"
 RDEPENDS_${SRCNAME}-cronjobs = "cronie ${SRCNAME}"
-- cgit v1.2.3-54-g00ecf
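Review bot: `RDEPENDS_${SRCNAME}` gains `apache2`, but the conf.d file shipped by this recipe uses `WSGIDaemonProcess`/`WSGIScriptAlias` (mod_wsgi) and what appears to be an `<IfVersion>` block (mod_version); if either module is a separate package in this layer, Apache will reject the new vhost file at startup unless that package is listed here too (`MOD_WSGI_PKG \` as a placeholder for the layer's real package name). The new `FILES_${SRCNAME}` entry places keystone-httpd.py under `${datadir}/openstack-dashboard/openstack_dashboard/api/`, the dashboard's own Python package directory rather than anything Keystone owns, and a comment on why the WSGI script is installed there (and that it does not clash with a dashboard-packaged file) would save the next reader from reading it as a packaging slip. The CGI copies under `${localstatedir}/www/cgi-bin/keystone/` are already covered by the existing `${localstatedir}/*` glob.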