#!/bin/sh
# Debian maintainer script (postinst) for the keystone package: creates the
# service user, writes keystone.conf, syncs the database, starts the service
# and, on first install, bootstraps the admin user/project and registers the
# identity endpoint from the debconf answers.

# Abort on the first failing command.  Failures inside `if` conditions and in
# non-final pipeline stages are not caught by this.
set -e

# Replaced at build time with the shared shell helpers used below
# (pkgos_var_user_group, pkgos_write_new_conf, pkgos_gen_pass, ...);
# presumably the openstack-pkg-tools include.
#PKGOS-INCLUDE#

# Configuration file this script edits (admin_token, database connection).
KEY_CONF=/etc/keystone/keystone.conf

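# Read the admin credentials chosen in debconf into ADMIN_* variables and
# export the matching OS_* variables so that the `openstack` client calls made
# later in this script authenticate as that user.
#
# Reads debconf: keystone/admin-user, admin-password, admin-email,
#                admin-tenant-name, admin-role-name (each with a default).
# Sets: ADMIN_USER_NAME, ADMIN_USER_PW, ADMIN_USER_EMAIL, ADMIN_TENANT_NAME,
#       ADMIN_ROLE_NAME; exports OS_*.
keystone_get_debconf_admin_credentials () {
	db_get keystone/admin-user
	ADMIN_USER_NAME=${RET:-admin}
	db_get keystone/admin-password
	# Generate a password when none was given, with the same helper the rest
	# of this script uses for the admin token (the previous `gen_password`
	# name is not used anywhere else in this file).
	ADMIN_USER_PW=${RET:-$(pkgos_gen_pass)}
	db_get keystone/admin-email
	ADMIN_USER_EMAIL=${RET:-root@localhost}
	db_get keystone/admin-tenant-name
	ADMIN_TENANT_NAME=${RET:-admin}
	db_get keystone/admin-role-name
	# NOTE(review): ADMIN_ROLE_NAME is read but never used in this file; the
	# role grants in keystone_create_admin_tenant hard-code "admin".
	ADMIN_ROLE_NAME=${RET:-admin}

	# Export the credentials for the openstack client.  OS_USERNAME must be the
	# user keystone-manage bootstrap creates (ADMIN_USER_NAME), not a fixed
	# "admin", otherwise a non-default admin-user answer breaks every later
	# client call.
	#
	# These variables (password included) are inherited by every child process
	# started from here on; keep that in mind when adding commands.
	export OS_PROJECT_DOMAIN_ID=default
	export OS_USER_DOMAIN_ID=default
	export OS_USERNAME="${ADMIN_USER_NAME}"
	export OS_PASSWORD="${ADMIN_USER_PW}"
	export OS_TENANT_NAME="${ADMIN_TENANT_NAME}"
	export OS_PROJECT_NAME="${ADMIN_TENANT_NAME}"
	export OS_AUTH_URL=http://127.0.0.1:35357/v3/
	export OS_IDENTITY_API_VERSION=3
	export OS_AUTH_VERSION=3
	export OS_NO_CACHE=1
}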

keystone_bootstrap_admin () {
	# This is the new way to bootstrap the admin user of Keystone
	# and we shouldn't use the admin auth token anymore.
	export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME}
	export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME}
	export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW}
	keystone-manage bootstrap
}

keystone_create_admin_tenant () {
	echo -n "Fixing-up: admin-project-desc "
	openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME
	echo -n "service-project "
	openstack project create --or-show service --description "Default Debian service project" >/dev/null
	echo -n "default-admin-email "
	openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME
	echo "...done!"

	# Note: heat_stack_owner is needed for heat to work, and Member ResellerAdmin
	# are needed for swift auto account creation.
	echo -n "Adding roles: "
	for i in admin KeystoneAdmin KeystoneServiceAdmin heat_stack_owner Member ResellerAdmin ; do
		echo -n "${i} "
		openstack role create --or-show ${i} >/dev/null
		openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null
	done
	echo "...done!"
}

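# Register the keystone identity service and its public/internal/admin
# endpoints in the catalog, unless an identity service is already listed.
#
# Reads debconf keystone/endpoint-ip and keystone/region-name; does nothing if
# the IP is not a dotted quad or the region is empty.  Uses the OS_* password
# credentials exported by keystone_get_debconf_admin_credentials to obtain a
# token; the catalog calls themselves pass that token with --os-url, as the
# original did, since the identity endpoint may not be in the catalog yet.
#
# $1 (PKG_NAME) is accepted for compatibility but not used.
keystone_create_endpoint_postinst () {
	local PKG_NAME TOKEN
	PKG_NAME=${1}

	db_get keystone/endpoint-ip
	# Only accept a dotted-quad IPv4 address: the value is interpolated into
	# the endpoint URLs below.  Validate inside `if` so a non-match does not
	# trip `set -e`; a rejected value leaves KEYSTONE_ENDPOINT_IP empty.
	KEYSTONE_ENDPOINT_IP=""
	if printf '%s\n' "${RET}" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' ; then
		KEYSTONE_ENDPOINT_IP=${RET}
	fi
	# The test must be quoted: an unquoted `[ -n $EMPTY ]` becomes `[ -n ]`,
	# which is true, and endpoints would be registered with an empty host.
	if [ -n "${KEYSTONE_ENDPOINT_IP}" ] ; then
		db_get keystone/region-name
		REGION_NAME=${RET}
		if [ -n "${REGION_NAME}" ] ; then
			# One token for all catalog calls instead of issuing a new one per
			# command.
			TOKEN=$(openstack token issue -c id -f value)
			# Count identity services already in the catalog with plain grep
			# instead of the external `q` tool.  grep -c prints 0 and exits 1
			# when nothing matches, hence `|| true` under set -e.
			NUM_LINES=$(OS_TOKEN="${TOKEN}" openstack service list -f value -c Type --os-url http://localhost:5000/v3 | grep -cx identity || true)
			if [ "${NUM_LINES}" = "0" ] ; then
				echo -n "Setting-up: create-keystone-service "
				OS_TOKEN="${TOKEN}" openstack service create --name=keystone --description="Keystone Identity Service" identity --os-url http://localhost:5000/v3 >/dev/null
				# NOTE(review): endpoints are registered as plain http:// on the
				# v2.0 API path; TLS for the public endpoint is not set up here.
				echo -n "create-public-endpoint "
				OS_TOKEN="${TOKEN}" openstack endpoint create --region "${REGION_NAME}" \
					keystone public "http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0" --os-url http://localhost:5000/v3 >/dev/null
				echo -n "create-internal-endpoint "
				OS_TOKEN="${TOKEN}" openstack endpoint create --region "${REGION_NAME}" \
					keystone internal "http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0" --os-url http://localhost:5000/v3 >/dev/null
				echo -n "create-admin-endpoint "
				OS_TOKEN="${TOKEN}" openstack endpoint create --region "${REGION_NAME}" \
					keystone admin "http://${KEYSTONE_ENDPOINT_IP}:35357/v2.0" --os-url http://localhost:5000/v3 >/dev/null
				echo "...done!"
			else
				echo -n "Keystone service already registered..."
			fi
		fi
	fi
}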

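if [ "$1" = "configure" ] ; then
	. /usr/share/debconf/confmodule
	. /usr/share/dbconfig-common/dpkg/postinst

	# Create user and group keystone, plus /var/log and /var/lib owned by it.
	# We need a real shell so that keystone-manage pkg_setup works, and the
	# Wheezy package doesn't have it, failing upgrades.
	pkgos_var_user_group keystone /bin/sh
	# Make sure we have a folder to create certs in that isn't world readable.
	# Ownership and mode are re-applied on every configure run.
	mkdir -p /etc/keystone/ssl/certs
	chown keystone:keystone /etc/keystone/ssl/certs
	chmod 750 /etc/keystone/ssl/certs
	chown keystone:keystone /etc/keystone/ssl
	chmod 750 /etc/keystone/ssl

	# Create keystone.conf if it's not there.
	pkgos_write_new_conf keystone keystone.conf
	# Set the admin_token directive in keystone.conf, generating a value when
	# the debconf answer is empty.
	# NOTE(review): admin_token is a static, all-powerful shared secret that
	# bypasses normal authentication.  The admin user is created with
	# keystone-manage bootstrap below, so consider not writing it at all; in
	# any case keystone.conf must not be world readable (this script does not
	# set its mode; presumably pkgos_write_new_conf does -- verify).
	db_get keystone/auth-token
	AUTH_TOKEN=${RET}
	if [ -z "${AUTH_TOKEN}" ] ; then
		AUTH_TOKEN=$(pkgos_gen_pass)
	fi
	pkgos_inifile set "${KEY_CONF}" DEFAULT admin_token "${AUTH_TOKEN}"
	# NOTE(review): OSTACKCLI_PARAMS is not referenced anywhere in this file.
	OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3"

	# Make sure /var/log/keystone/keystone.log is owned by keystone
	# BEFORE any keystone-manage calls.
	chown -R keystone:keystone /var/log/keystone

	# Upgrade or create the db if directed to do so.
	db_get keystone/configure_db
	if [ "$RET" = "true" ] ; then
		# Configure the SQL connection of keystone.conf according to
		# dbconfig-common.
		pkgos_dbc_postinst "${KEY_CONF}" database connection keystone "$@"
		echo "Running su keystone -s /bin/sh -c 'keystone-manage --noverbose db_sync'..."
		# The migration runs as the service user (via su), not as root.
		if [ "${PKGOS_VERBOSE}" = "yes" ] ; then
			su keystone -s /bin/sh -c "keystone-manage --verbose db_sync"
		else
			su keystone -s /bin/sh -c "keystone-manage --noverbose db_sync"
		fi
	fi

	# Generating PKI signing keys (keystone-manage pki_setup) used to be done
	# here; it is left disabled.
	#su keystone -s /bin/sh -c "keystone-manage pki_setup"

	# Activate the keystone.service.
	deb-systemd-helper unmask keystone.service >/dev/null || true
	if deb-systemd-helper --quiet was-enabled keystone.service ; then
		deb-systemd-helper enable keystone.service >/dev/null || true
	else
		deb-systemd-helper update-state keystone.service >/dev/null || true
	fi

	# Setup init script and start keystone.
	pkgos_init keystone

	# On first install ($2, the previously configured version, is empty),
	# create the basic configuration and add roles.
	if [ -z "$2" ] ; then
		# Give the freshly started daemon time to accept connections before the
		# openstack client calls below.  NOTE(review): a fixed delay is racy on
		# slow hosts; polling the API until it answers would be more robust.
		echo -n "Sleeping 5 seconds to make sure the keystone daemon is up and running: "
		for n in 5 4 3 2 1 ; do
			echo -n "${n}..."
			sleep 1
		done
		echo "0"
		db_get keystone/create-admin-tenant
		if [ "$RET" = "true" ] ; then
			# Read the debconf answers exactly once: each call generates a fresh
			# random password when none was given, so calling it twice (as the
			# previous revision did) was redundant.
			keystone_get_debconf_admin_credentials
			echo "===> Bootstraping tenants with 'keystone-manage bootstrap':"
			keystone_bootstrap_admin
			db_get keystone/register-endpoint
			if [ "$RET" = "true" ] ; then
				echo "===> Registering keystone endpoint"
				keystone_create_endpoint_postinst
			fi
			echo "===> Editing bootstraped tenants and adding default roles"
			keystone_create_admin_tenant

			echo "done!"
		fi
	fi
	db_stop
fi

exit 0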