9
11
from lib.openstack_common import *
13
import keystone_ssl as ssl
14
import lib.unison as unison
11
16
keystone_conf = "/etc/keystone/keystone.conf"
12
17
stored_passwd = "/var/lib/keystone/keystone.passwd"
13
18
stored_token = "/var/lib/keystone/keystone.token"
14
19
SERVICE_PASSWD_PATH = '/var/lib/keystone/services.passwd'
21
SSL_DIR = '/var/lib/keystone/juju_ssl/'
22
SSL_CA_NAME = 'Ubuntu Cloud'
24
SSH_USER='juju_keystone'
16
26
def execute(cmd, die=False, echo=False):
17
27
""" Executes a command
96
106
subprocess.check_call(cmd)
109
def unit_get(attribute):
114
value = subprocess.check_output(cmd).strip() # IGNORE:E1103
98
121
def relation_get(relation_data):
99
122
""" Obtain all current relation data
100
123
relation_data is a list of options to query from the relation
356
379
create_role("KeystoneAdmin", config["admin-user"], 'admin')
357
380
create_role("KeystoneServiceAdmin", config["admin-user"], 'admin')
358
381
create_service_entry("keystone", "identity", "Keystone Identity Service")
359
# following documentation here, perhaps we should be using juju
360
# public/private addresses for public/internal urls.
361
383
if is_clustered():
362
384
juju_log("Creating endpoint for clustered configuration")
363
385
for region in config['region'].split():
543
565
Broadcast service credentials to peers or consume those that have been
544
566
broadcasted by peer, depending on hook context.
546
if os.path.basename(sys.argv[0]) == 'cluster-relation-changed':
547
r_data = relation_get_dict()
548
if 'service_credentials' in r_data:
549
juju_log('Saving service passwords from peer.')
550
save_stored_passwords(**json.loads(r_data['service_credentials']))
553
creds = load_stored_passwords()
568
if (not eligible_leader() or
569
not os.path.isfile(SERVICE_PASSWD_PATH)):
556
571
juju_log('Synchronizing service passwords to all peers.')
557
creds = json.dumps(creds)
558
for r_id in (relation_ids('cluster') or []):
559
relation_set_2(rid=r_id, service_credentials=creds)
572
unison.sync_to_peers(peer_interface='cluster',
573
paths=[SERVICE_PASSWD_PATH], user=SSH_USER,
577
def get_ca(user='keystone', group='keystone'):
579
Initialize a new CA object if one hasn't already been loaded.
580
This will create a new CA or load an existing one.
583
if not os.path.isdir(SSL_DIR):
585
d_name = '_'.join(SSL_CA_NAME.lower().split(' '))
586
ca = ssl.JujuCA(name=SSL_CA_NAME, user=user, group=group,
587
ca_dir=os.path.join(SSL_DIR,
588
'%s_intermediate_ca' % d_name),
589
root_ca_dir=os.path.join(SSL_DIR,
590
'%s_root_ca' % d_name))
591
# SSL_DIR is synchronized via all peers over unison+ssh, need
592
# to ensure permissions.
593
execute('chown -R %s.%s %s' % (user, group, SSL_DIR))
594
execute('chmod -R g+rwx %s' % SSL_DIR)