@alistairncoles
Last active August 29, 2015 14:15
Swift Keystone account setup
anc@u133:~/devstack$ uname -a
Linux u133 3.2.0-70-generic #105-Ubuntu SMP Wed Sep 24 19:49:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
anc@u133:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
anc@u133:~/devstack$ git log --pretty=oneline -n 1
13c7ccc9d5d7ee8b88c2ee7d4af8990a075440a2 Merge "Make swift user an admin"
# use script to remove all swift accounts from keystone...
anc@u133:~/devstack$ ../anc-tools/swift-keystone-setup.sh http://localhost:5000/v3 MY_SECRET --remove
Using keystone admin credentials: {user: admin, password: MY_SECRET, project: admin}
Removed role admin from user swiftusertest1 on project swifttenanttest1
Deleted project swifttenanttest1 in domain Default
Deleted user swiftusertest1 in domain Default
Removed role admin from user swiftusertest2 on project swifttenanttest2
Deleted project swifttenanttest2 in domain Default
Deleted user swiftusertest2 in domain Default
ERROR: openstack No role with a name or ID of 'non_admin_role' exists.
Removed role non_admin_role from user swiftusertest3 on project swifttenanttest2
ERROR: openstack No project with a name or ID of 'swifttenanttest2' exists.
Deleted project swifttenanttest2 in domain Default
Deleted user swiftusertest3 in domain Default
Removed role admin from user swiftusertest4 on project swifttenanttest4
Deleted project swifttenanttest4 in domain swift_test
Deleted user swiftusertest4 in domain swift_test
Removed role swiftservice from user swiftusertest5 on project swifttenanttest5
Deleted project swifttenanttest5 in domain Default
Deleted user swiftusertest5 in domain Default
# verify keystone state...
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET user list
+----------------------------------+--------------+
| ID | Name |
+----------------------------------+--------------+
| 11f09cb8200d4e8dab037e95b4354204 | demo |
| 2ab4f4e9124944d18900f166094112eb | admin |
| 2fd8c7145be7458dad3e2e4f705195ec | swift |
| 4f7e3f2ca51b42298a75379ad6feeba8 | glance |
| 66121699f0f74e0fad82a7a7f47eb4d8 | foo |
| 6b4cc304dada493caf56c60ecab71d6e | alt_demo |
| a8393dd55d1841e2962b4730c40d4542 | glance-swift |
| cb9ba9a4abd940e1b0d70341a43e134f | cinder |
| cf505016be1947a9ad029020264d7e18 | nova |
| d2e4b571d9cc4ed7a0d7bcd12a5023fd | junk |
+----------------------------------+--------------+
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 0b6b892676324e9397dbafd3a48442fc | junk |
| 21a5c26e52774dd69207659f1dd18105 | demo |
| 53ca860be12f41f89167aa5fa2c5b6e2 | admin |
| 5e6e4e442eb6406dbddcba3f52fd8cf8 | foo |
| ccdd906971bc42a5910b02ccd6b4a06c | service |
| d059b5dc2a5a4de7b1520994de1dcb53 | invisible_to_admin |
| f11d952cc3d848d3931a83bddc443dbd | alt_demo |
+----------------------------------+--------------------+
# use script to create swift accounts in keystone...
anc@u133:~/devstack$ ../anc-tools/swift-keystone-setup.sh http://localhost:5000/v3 MY_SECRET
Using keystone admin credentials: {user: admin, password: MY_SECRET, project: admin}
Created role swiftservice with id 7916e49ea4f74c0b8e106646c953d075
Created project swifttenanttest1 with id 3913041a49e5407c9e6c0b4611ea4e6b
Created user swiftusertest1 with id 61d55b328b204d0cb506fc2c9fcfbefe
Assigned role admin to user swiftusertest1 on project swifttenanttest1
Created project swifttenanttest2 with id 74fc956ec83b489ca81d08d5b2fb3742
Created user swiftusertest2 with id 0c0496a6ff0b44f78204a3f16c435b36
Assigned role admin to user swiftusertest2 on project swifttenanttest2
Created project swifttenanttest1 with id 3913041a49e5407c9e6c0b4611ea4e6b
Created user swiftusertest3 with id f71afc5b32c044b88dd206a5a97d74b6
Assigned role not_admin_role to user swiftusertest3 on project swifttenanttest1
Created project swifttenanttest4 with id 1addd45318c54834805452974db16595
Created user swiftusertest4 with id a0648efcdafe40d49b7838b348f3b789
Assigned role admin to user swiftusertest4 on project swifttenanttest4
Created role swiftservice with id 2252f6e1ecc64e47b9e49619b3991f23
Created project swifttenanttest5 with id acf69cde12754b5c8fd211ce79158c4b
Created user swiftusertest5 with id d849d82d3d3c43098d665259b49cf2bd
Assigned role swiftservice to user swiftusertest5 on project swifttenanttest5
# verify keystone state...
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET user list
+----------------------------------+----------------+
| ID | Name |
+----------------------------------+----------------+
| 0c0496a6ff0b44f78204a3f16c435b36 | swiftusertest2 |
| 11f09cb8200d4e8dab037e95b4354204 | demo |
| 2ab4f4e9124944d18900f166094112eb | admin |
| 2fd8c7145be7458dad3e2e4f705195ec | swift |
| 4f7e3f2ca51b42298a75379ad6feeba8 | glance |
| 61d55b328b204d0cb506fc2c9fcfbefe | swiftusertest1 |
| 66121699f0f74e0fad82a7a7f47eb4d8 | foo |
| 6b4cc304dada493caf56c60ecab71d6e | alt_demo |
| a0648efcdafe40d49b7838b348f3b789 | swiftusertest4 |
| a8393dd55d1841e2962b4730c40d4542 | glance-swift |
| cb9ba9a4abd940e1b0d70341a43e134f | cinder |
| cf505016be1947a9ad029020264d7e18 | nova |
| d2e4b571d9cc4ed7a0d7bcd12a5023fd | junk |
| d849d82d3d3c43098d665259b49cf2bd | swiftusertest5 |
| f71afc5b32c044b88dd206a5a97d74b6 | swiftusertest3 |
+----------------------------------+----------------+
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 0b6b892676324e9397dbafd3a48442fc | junk |
| 1addd45318c54834805452974db16595 | swifttenanttest4 |
| 21a5c26e52774dd69207659f1dd18105 | demo |
| 3913041a49e5407c9e6c0b4611ea4e6b | swifttenanttest1 |
| 53ca860be12f41f89167aa5fa2c5b6e2 | admin |
| 5e6e4e442eb6406dbddcba3f52fd8cf8 | foo |
| 74fc956ec83b489ca81d08d5b2fb3742 | swifttenanttest2 |
| acf69cde12754b5c8fd211ce79158c4b | swifttenanttest5 |
| ccdd906971bc42a5910b02ccd6b4a06c | service |
| d059b5dc2a5a4de7b1520994de1dcb53 | invisible_to_admin |
| f11d952cc3d848d3931a83bddc443dbd | alt_demo |
+----------------------------------+--------------------+
# try func tests....devstack /etc/swift/test.conf is set up to run tests against keystone...
anc@u133:~/devstack$ cd /opt/stack/swift
anc@u133:/opt/stack/swift$ tox -e func -r
func recreate: /opt/stack/swift/.tox/func
func installdeps: -r/opt/stack/swift/requirements.txt, -r/opt/stack/swift/test-requirements.txt
func develop-inst: /opt/stack/swift
func runtests: PYTHONHASHSEED='932150618'
func runtests: commands[0] | nosetests test/functional
<snip coverage report>
_________________________________________________ summary _________________________________________________
func: commands succeeded
congratulations :)
# don't get too excited - no tests actually ran due to keystoneclient missing...
# activate virtual env and try running nosetests directly to prove the point...
anc@u133:/opt/stack/swift$ source .tox/func/bin/activate
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional
ERROR
======================================================================
ERROR: test suite for <module 'test.functional' from '/opt/stack/swift/test/functional/__init__.pyc'>
----------------------------------------------------------------------
Traceback (most recent call last):
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 209, in run
self.setUp()
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 292, in setUp
self.setupContext(ancestor)
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 315, in setupContext
try_run(context, names)
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/util.py", line 470, in try_run
return func()
File "/opt/stack/swift/test/functional/__init__.py", line 511, in setup_package
get_cluster_info()
File "/opt/stack/swift/test/functional/__init__.py", line 327, in get_cluster_info
conn.authenticate()
File "/opt/stack/swift/test/functional/swift_test_client.py", line 153, in authenticate
os_options={})
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 406, in get_auth
auth_version=auth_version)
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 316, in get_auth_keystone
ksclient, exceptions = _import_keystone_client(auth_version)
File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 302, in _import_keystone_client
variables to be set or overridden with -A, -U, or -K.''')
SystemExit:
Auth versions 2.0 and 3 require python-keystoneclient, install it or use Auth
version 1.0 which requires ST_AUTH, ST_USER, and ST_KEY environment
variables to be set or overridden with -A, -U, or -K.
----------------------------------------------------------------------
Ran 0 tests in 0.009s
FAILED (errors=1)
# So we need to install keystoneclient in the venv...
(func)anc@u133:/opt/stack/swift$ pip install python-keystoneclient
Collecting python-keystoneclient
Using cached python_keystoneclient-1.1.0-py2.py3-none-any.whl
<snip install noise>
Successfully installed Babel-1.3 PrettyTable-0.7.2 iso8601-0.1.10 msgpack-python-0.4.5 netaddr-0.7.13 oslo.config-1.6.1 oslo.i18n-1.4.0 oslo.serialization-1.3.0 oslo.utils-1.3.0 python-keystoneclient-1.1.0 pytz-2014.10 stevedore-1.2.0
# try tests again ...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional -q
----------------------------------------------------------------------
Ran 328 tests in 284.888s
OK (SKIP=25)
# :)
######## SERVICE TOKEN STUFF ########
# Now to apply the service token patch...
# I have rsync'd my local git repo to my user dir on devstack machine.
# I then checkout branch I want and copy to /opt/stack/swift
anc@u133:~$ git checkout review/donagh_mccabe/feature/resellers
anc@u133:~$ cp /opt/stack/swift/ /opt/stack/swift-orig -R
anc@u133:~$ cp -R ./swift/* /opt/stack/swift/
# make changes to proxy-server.conf...
anc@u133:~$ emacs /etc/swift/proxy-server.conf
[filter:keystoneauth]
operator_roles = Member, admin
use = egg:swift#keystoneauth
# add these lines...
reseller_prefix = AUTH_, SERVICE_
SERVICE_service_roles = swiftservice
# make changes to test.conf ...
anc@u133:~$ emacs /etc/swift/test.conf
[func_test]
# add these lines...
password5 = testing5
username5 = swiftusertest5
account5 = swifttenanttest5
service_prefix = SERVICE
# restart the swift proxy server...
anc@u133:~$ cd devstack
anc@u133:~/devstack$ ./rejoin-stack.sh
# in screen, ctrl-a " (that's ctrl-a followed by double quote key) to show screen window selector
# select number of s-proxy screen (3 for me, so type 3)
# in s-proxy screen, ctrl-c to kill proxy process, then re-execute previous command to restart proxy
# ctrl-a ctrl-d to exit screen
# Now let's try func tests again. Recreate tox env since we copied from local repo.
anc@u133:~/devstack$ cd /opt/stack/swift
anc@u133:~/opt/stack/swift$ tox -e func -r
# remember to activate venv and install keystoneclient again
anc@u133:~/opt/stack/swift$ source .tox/func/bin/activate
(func)anc@u133:/opt/stack/swift$ pip install python-keystoneclient
Collecting python-keystoneclient
Using cached python_keystoneclient-1.1.0-py2.py3-none-any.whl
<snip install noise>
Successfully installed Babel-1.3 PrettyTable-0.7.2 iso8601-0.1.10 msgpack-python-0.4.5 netaddr-0.7.13 oslo.config-1.6.1 oslo.i18n-1.4.0 oslo.serialization-1.3.0 oslo.utils-1.3.0 python-keystoneclient-1.1.0 pytz-2014.10 stevedore-1.2.0
# we can check that we have the service token patch by grabbing swift info and
# looking for the reseller prefix items...
(func)anc@u133:/opt/stack/swift$ swift --os-auth-url http://localhost:5000/v3 --auth-version 3 --os-username swiftusertest1 --os-password testing --os-project-name swifttenanttest1 info
Core: swift
Options:
account_autocreate: True
account_listing_limit: 10000
allow_account_management: False
container_listing_limit: 10000
max_account_name_length: 256
max_container_name_length: 256
max_file_size: 5368709122
max_header_size: 16384
max_meta_count: 90
max_meta_name_length: 128
max_meta_overall_size: 4096
max_meta_value_length: 256
max_object_name_length: 1024
policies: [{'default': True, 'name': 'Policy-0'}]
strict_cors_mode: True
version: 2.2.2.post19
Additional middleware: account_quotas
Additional middleware: bulk_delete
Options:
max_deletes_per_request: 10000
max_failed_deletes: 1000
Additional middleware: bulk_upload
Options:
max_containers_per_extraction: 10000
max_failed_extractions: 1000
Additional middleware: container_quotas
Additional middleware: container_sync
Options:
realms: {'REALM1': {'clusters': {'NAME1': {}}}}
Additional middleware: crossdomain
Additional middleware: formpost
Additional middleware: keystoneauth
Options:
reseller_prefixes: ['AUTH_', 'SERVICE_']
Additional middleware: ratelimit
Options:
account_ratelimit: 0.0
container_listing_ratelimits: []
container_ratelimits: []
max_sleep_time_seconds: 60.0
Additional middleware: slo
Options:
max_manifest_segments: 1000
max_manifest_size: 2097152
min_segment_size: 1048576
Additional middleware: staticweb
Additional middleware: tempauth
Options:
account_acls: True
reseller_prefixes: ['TEMPAUTH_']
Additional middleware: tempurl
Options:
methods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE']
# run the service token specific tests...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional/tests.py:TestServiceToken
test_service_user_denied_with_x_auth_token (test.functional.tests.TestServiceToken) ... ok
test_service_user_denied_with_x_service_token (test.functional.tests.TestServiceToken) ... ok
test_user_access_own_auth_account (test.functional.tests.TestServiceToken) ... ok
test_user_cannot_access_service_account (test.functional.tests.TestServiceToken) ... ok
test_user_plus_service_can_access_service_account (test.functional.tests.TestServiceToken) ... ok
----------------------------------------------------------------------
Ran 5 tests in 1.773s
OK
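The five TestServiceToken cases above exercise the policy set by the proxy-server.conf lines added earlier (reseller_prefix = AUTH_, SERVICE_ and SERVICE_service_roles = swiftservice). The block below is an added example, not Swift's keystoneauth code: a simplified model of that decision using the project ids listed by openstack project list above, with Token as a constructed stand-in for a token the proxy has already validated.

```python
# Added example (not Swift's keystoneauth code): a simplified model of the
# reseller-prefix / service-token policy the TestServiceToken cases exercise.
RESELLER_PREFIXES = ["AUTH_", "SERVICE_"]        # reseller_prefix = AUTH_, SERVICE_
OPERATOR_ROLES = {"Member", "admin"}              # operator_roles = Member, admin
SERVICE_ROLES = {"SERVICE_": {"swiftservice"}}    # SERVICE_service_roles = swiftservice

# project ids as listed by 'openstack project list' in this gist
TENANT1 = "3913041a49e5407c9e6c0b4611ea4e6b"   # swifttenanttest1 (swiftusertest1, role admin)
TENANT5 = "acf69cde12754b5c8fd211ce79158c4b"   # swifttenanttest5 (swiftusertest5, role swiftservice)


class Token(object):
    """Constructed stand-in for a Keystone token the proxy has already validated."""
    def __init__(self, project_id, roles):
        self.project_id = project_id
        self.roles = set(roles)


def split_account(account):
    """Return (reseller_prefix, project_id) for a Swift account name, or (None, None)."""
    for prefix in RESELLER_PREFIXES:
        if account.startswith(prefix):
            return prefix, account[len(prefix):]
    return None, None


def authorize(account, auth_token, service_token=None):
    """Decide whether a request on `account` is allowed; returns (allowed, reason).

    auth_token is the X-Auth-Token holder, service_token the X-Service-Token
    holder (None when the header is absent).
    """
    prefix, project_id = split_account(account)
    if prefix is None:
        return False, "account has no known reseller prefix"
    # Whatever the prefix, the X-Auth-Token user must be an operator on the
    # account's project; a user holding only the service role is not an operator.
    if auth_token is None or auth_token.project_id != project_id:
        return False, "X-Auth-Token missing or not for this account's project"
    if not auth_token.roles & OPERATOR_ROLES:
        return False, "X-Auth-Token user has no operator role"
    required = SERVICE_ROLES.get(prefix)
    if required:
        # SERVICE_ accounts additionally need a second token carrying a service role
        if service_token is None:
            return False, "X-Service-Token required for %s accounts" % prefix
        if not service_token.roles & required:
            return False, "X-Service-Token lacks a role in %s" % sorted(required)
    return True, "allowed"


if __name__ == "__main__":
    user1 = Token(TENANT1, ["admin"])          # swiftusertest1
    user5 = Token(TENANT5, ["swiftservice"])   # swiftusertest5, the service user
    print(authorize("AUTH_" + TENANT1, user1))             # own AUTH_ account: allowed
    print(authorize("SERVICE_" + TENANT1, user1))          # no service token: denied
    print(authorize("SERVICE_" + TENANT1, user1, user5))   # user plus service token: allowed
    print(authorize("AUTH_" + TENANT5, user5))             # service user with X-Auth-Token only: denied
    print(authorize("SERVICE_" + TENANT5, None, user5))    # service user with X-Service-Token only: denied
```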
# run all the functional tests...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional/ -q
----------------------------------------------------------------------
Ran 319 tests in 387.545s
OK (SKIP=25)
# Finally, don't forget to reset your proxy-server.conf reseller_prefix options to run on master!

#!/bin/bash
usage="<prog> <identity endpoint> [os-password] [--remove]"
#
# identity endpoint should include /v3 at end of url
# e.g. <prog> http://hostname:5000/v3 ADMIN
#
# hostname could be standalone keystone service or devstack keystone service
# Note: we are using password auth for keystone admin here - previously token
# auth had been just fine but I couldn't get that to auth 'create' commands.
# Following pattern of stack.sh which flips to password auth once initial
# keystone bootstrap is done.
if [ -z "$1" ]; then
    echo "usage: $usage" >&2
    exit 1
fi
OS_URL=$1
shift
# password is optional and defaults to devstack's ADMIN; --remove may appear
# with or without a password before it
OS_PASSWORD="ADMIN"
REMOVE=""
for arg in "$@"; do
    if [ "$arg" == "--remove" ]; then
        REMOVE=$arg
    else
        OS_PASSWORD=$arg
    fi
done
ADMIN_USERNAME=admin
ADMIN_PROJECT_NAME=admin
echo "Using keystone admin credentials: {user: $ADMIN_USERNAME, password: $OS_PASSWORD, project: $ADMIN_PROJECT_NAME}"
# common base command
OS_CMD="openstack --os-auth-url $OS_URL --os-identity-api-version 3 --os-username $ADMIN_USERNAME --os-project-name $ADMIN_PROJECT_NAME --os-password $OS_PASSWORD"

# create_account <user_name> <password> <project_name> <role_name> <domain_name>
function create_account {
    local user_name=$1
    local password=$2
    local project_name=$3
    local role_name=$4
    local domain_name=$5
    # --or-show returns the existing project/user instead of failing, so the
    # script can be re-run against a partially set up keystone
    local project_id
    project_id=$($OS_CMD project create "$project_name" --domain "$domain_name" --or-show -f value -c id)
    if [ -z "$project_id" ]; then
        echo "Failed to create project $project_name" >&2
        exit 1
    fi
    echo "Created project $project_name with id $project_id"
    local user_id
    user_id=$($OS_CMD user create "$user_name" --password "$password" --domain "$domain_name" --or-show -f value -c id)
    if [ -z "$user_id" ]; then
        echo "Failed to create user $user_name" >&2
        exit 1
    fi
    echo "Created user $user_name with id $user_id"
    # run the command directly: wrapping it in $(...) would try to execute its output
    if ! $OS_CMD role add --user "$user_id" --project "$project_id" "$role_name"; then
        echo "Failed to assign role $role_name to user $user_name" >&2
        exit 1
    fi
    echo "Assigned role $role_name to user $user_name on project $project_name"
}

# remove_account <user_name> <project_name> <role_name> <domain_name>
# pass NONE as role_name to skip the role removal
function remove_account {
    local user_name=$1
    local project_name=$2
    local role_name=$3
    local domain_name=$4
    # projects can be shared (the third user lives in the first user's project),
    # so only touch the role assignment and the project while the project still
    # exists; deleting the project removes its role assignments anyway
    if $OS_CMD project show "$project_name" --domain "$domain_name" >/dev/null 2>&1; then
        if [ "$role_name" != "NONE" ]; then
            $OS_CMD role remove --user "$user_name" --user-domain "$domain_name" \
                --project "$project_name" --project-domain "$domain_name" "$role_name" \
                && echo "Removed role $role_name from user $user_name on project $project_name"
        fi
        $OS_CMD project delete "$project_name" --domain "$domain_name" \
            && echo "Deleted project $project_name in domain $domain_name"
    fi
    $OS_CMD user delete "$user_name" --domain "$domain_name" \
        && echo "Deleted user $user_name in domain $domain_name"
}

# not pretending this is elegant
if [ "$REMOVE" == "--remove" ]; then
    create_msg="Failed to create role"
    remove_account swiftusertest1 swifttenanttest1 admin Default
    remove_account swiftusertest2 swifttenanttest2 admin Default
    # third user was created in the first project with the non-admin role
    remove_account swiftusertest3 swifttenanttest1 not_admin_role Default
    remove_account swiftusertest4 swifttenanttest4 admin swift_test
    remove_account swiftusertest5 swifttenanttest5 swiftservice Default
    $OS_CMD role delete not_admin_role && echo "Deleted role not_admin_role"
    $OS_CMD role delete swiftservice && echo "Deleted role swiftservice"
else
    # create a non-admin role for the third account to use
    role_id=$($OS_CMD role create not_admin_role --or-show -f value -c id)
    if [ -z "$role_id" ]; then
        echo "Failed to create role not_admin_role" >&2
        exit 1
    fi
    echo "Created role not_admin_role with id $role_id"
    # create the 'standard' swift accounts
    create_account swiftusertest1 testing swifttenanttest1 admin Default
    create_account swiftusertest2 testing2 swifttenanttest2 admin Default
    # no mistake, third user is in first project, but not admin...
    create_account swiftusertest3 testing3 swifttenanttest1 not_admin_role Default
    create_account swiftusertest4 testing4 swifttenanttest4 admin swift_test
    # create the 'special service role' (avoiding 'service' which is already used in devstack)
    role_id=$($OS_CMD role create swiftservice --or-show -f value -c id)
    if [ -z "$role_id" ]; then
        echo "Failed to create role swiftservice" >&2
        exit 1
    fi
    echo "Created role swiftservice with id $role_id"
    # create the 'service account' which only has role swiftservice
    create_account swiftusertest5 testing5 swifttenanttest5 swiftservice Default
fi