Newer
Older
#!/usr/bin/env python
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import os
import sys
import keystoneclient.exceptions as kc_exception
from keystoneclient.v3 import client
#Costa
#from oslo_config import cfg
from oslo.config import cfg
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
from heat import version
logger = logging.getLogger(__name__)
DEBUG = False
USERNAME = os.environ.get('OS_USERNAME')
PASSWORD = os.environ.get('OS_PASSWORD')
AUTH_URL = os.environ.get('OS_AUTH_URL', '').replace('v2.0', 'v3')
TENANT_NAME = os.environ.get('OS_TENANT_NAME')
opts = [
cfg.StrOpt('stack-user-domain-name',
default="heat",
help="Name of domain to create for stack users."),
cfg.StrOpt('stack-domain-admin',
default="heat_stack_admin",
help="Keystone username with roles sufficient to manage users"
" and projects in the stack-user-domain"),
cfg.StrOpt('stack-domain-admin-password',
secret=True,
help="Password to set for stack-domain-admin"),
cfg.BoolOpt('insecure',
default=False,
help="If set, then the server's certificate will not "
"be verified."),
cfg.StrOpt('os-cacert',
help='Optional CA cert file to use in SSL connections.'),
cfg.StrOpt('os-cert',
help='Optional PEM-formatted certificate chain file.'),
cfg.StrOpt('os-key',
help='Optional PEM-formatted file that contains the '
'private key.'),
]
cfg.CONF.register_cli_opts(opts)
cfg.CONF(sys.argv[1:],
project='heat',
prog='heat-keystone-setup-domain',
version=version.version_info.version_string())
HEAT_DOMAIN_NAME = os.environ.get(
'HEAT_DOMAIN', cfg.CONF.stack_user_domain_name)
HEAT_DOMAIN_ADMIN = os.environ.get('HEAT_DOMAIN_ADMIN',
cfg.CONF.stack_domain_admin)
HEAT_DOMAIN_PASSWORD = os.environ.get('HEAT_DOMAIN_PASSWORD',
cfg.CONF.stack_domain_admin_password)
HEAT_DOMAIN_DESCRIPTION = 'Contains users and projects created by heat'
logger.debug("USERNAME=%s" % USERNAME)
logger.debug("AUTH_URL=%s" % AUTH_URL)
CACERT = os.environ.get('OS_CACERT', cfg.CONF.os_cacert)
CERT = os.environ.get('OS_CERT', cfg.CONF.os_cert)
KEY = os.environ.get('OS_KEY', cfg.CONF.os_key)
insecure = cfg.CONF.insecure
def main():
log_lvl = logging.DEBUG if DEBUG else logging.WARNING
logging.basicConfig(
format="%(levelname)s (%(module)s:%(lineno)d) %(message)s",
level=log_lvl)
logging.getLogger('urllib3.connectionpool').setLevel(logging.WARNING)
client_kwargs = {
'debug': DEBUG,
'username': USERNAME,
'password': PASSWORD,
'auth_url': AUTH_URL,
'endpoint': AUTH_URL,
'tenant_name': TENANT_NAME
}
if insecure:
client_kwargs['verify'] = False
else:
client_kwargs.update({
'cacert': CACERT,
'cert': CERT,
'key': KEY
})
c = client.Client(**client_kwargs)
c.authenticate()
# Create the heat domain
logger.info("Creating domain %s" % HEAT_DOMAIN_NAME)
try:
heat_domain = c.domains.create(name=HEAT_DOMAIN_NAME,
description=HEAT_DOMAIN_DESCRIPTION)
except kc_exception.Conflict:
logger.warning("Domain %s already exists" % HEAT_DOMAIN_NAME)
heat_domain = c.domains.list(name=HEAT_DOMAIN_NAME)[0]
if heat_domain.name != HEAT_DOMAIN_NAME:
logger.error("Unexpected filtered list response, please upgrade "
"keystoneclient to >= 0.5")
sys.exit(1)
except kc_exception.Forbidden:
logger.error("User '%s' is not authorized to perform this "
"operation, please try with other OS_USERNAME setting." %
USERNAME)
sys.exit(1)
# Create heat domain admin user
if not HEAT_DOMAIN_PASSWORD:
logger.error("Must export HEAT_DOMAIN_PASSWORD or use"
" --stack-domain-admin-password")
sys.exit(1)
try:
domain_admin = c.users.create(name=HEAT_DOMAIN_ADMIN,
password=HEAT_DOMAIN_PASSWORD,
domain=heat_domain,
description="Heat domain admin")
except kc_exception.Conflict:
logger.warning("User %s already exists" % HEAT_DOMAIN_ADMIN)
domain_admin = c.users.list(name=HEAT_DOMAIN_ADMIN)[0]
# Make the user a domain admin
roles_list = c.roles.list()
# FIXME(shardy): seems filtering roles by name currently doesn't work
admin_role = [r for r in roles_list
if r.name == 'admin'][0]
c.roles.grant(role=admin_role, user=domain_admin, domain=heat_domain)
print("\nPlease update your heat.conf with the following in [DEFAULT]\n")
print("stack_user_domain_id=%s" % heat_domain.id)
print("stack_domain_admin=%s" % HEAT_DOMAIN_ADMIN)
print("stack_domain_admin_password=%s" % HEAT_DOMAIN_PASSWORD)
if __name__ == "__main__":
main()