Swift Keystone account setup
anc@u133:~/devstack$ uname -a
Linux u133 3.2.0-70-generic #105-Ubuntu SMP Wed Sep 24 19:49:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
anc@u133:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
anc@u133:~/devstack$ git log --pretty=oneline -n 1
13c7ccc9d5d7ee8b88c2ee7d4af8990a075440a2 Merge "Make swift user an admin"
# use script to remove all swift accounts from keystone...
anc@u133:~/devstack$ ../anc-tools/swift-keystone-setup.sh http://localhost:5000/v3 MY_SECRET --remove
Using keystone admin credentials: {user: admin, password: MY_SECRET, project: admin}
Removed role admin from user swiftusertest1 on project swifttenanttest1
Deleted project swifttenanttest1 in domain Default
Deleted user swiftusertest1 in domain Default
Removed role admin from user swiftusertest2 on project swifttenanttest2
Deleted project swifttenanttest2 in domain Default
Deleted user swiftusertest2 in domain Default
ERROR: openstack No role with a name or ID of 'non_admin_role' exists.
Removed role non_admin_role from user swiftusertest3 on project swifttenanttest2
ERROR: openstack No project with a name or ID of 'swifttenanttest2' exists.
Deleted project swifttenanttest2 in domain Default
Deleted user swiftusertest3 in domain Default
Removed role admin from user swiftusertest4 on project swifttenanttest4
Deleted project swifttenanttest4 in domain swift_test
Deleted user swiftusertest4 in domain swift_test
Removed role swiftservice from user swiftusertest5 on project swifttenanttest5
Deleted project swifttenanttest5 in domain Default
Deleted user swiftusertest5 in domain Default
# verify keystone state...
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET user list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 11f09cb8200d4e8dab037e95b4354204 | demo         |
| 2ab4f4e9124944d18900f166094112eb | admin        |
| 2fd8c7145be7458dad3e2e4f705195ec | swift        |
| 4f7e3f2ca51b42298a75379ad6feeba8 | glance       |
| 66121699f0f74e0fad82a7a7f47eb4d8 | foo          |
| 6b4cc304dada493caf56c60ecab71d6e | alt_demo     |
| a8393dd55d1841e2962b4730c40d4542 | glance-swift |
| cb9ba9a4abd940e1b0d70341a43e134f | cinder       |
| cf505016be1947a9ad029020264d7e18 | nova         |
| d2e4b571d9cc4ed7a0d7bcd12a5023fd | junk         |
+----------------------------------+--------------+
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 0b6b892676324e9397dbafd3a48442fc | junk               |
| 21a5c26e52774dd69207659f1dd18105 | demo               |
| 53ca860be12f41f89167aa5fa2c5b6e2 | admin              |
| 5e6e4e442eb6406dbddcba3f52fd8cf8 | foo                |
| ccdd906971bc42a5910b02ccd6b4a06c | service            |
| d059b5dc2a5a4de7b1520994de1dcb53 | invisible_to_admin |
| f11d952cc3d848d3931a83bddc443dbd | alt_demo           |
+----------------------------------+--------------------+
# use script to create swift accounts in keystone...
anc@u133:~/devstack$ ../anc-tools/swift-keystone-setup.sh http://localhost:5000/v3 MY_SECRET
Using keystone admin credentials: {user: admin, password: MY_SECRET, project: admin}
Created role swiftservice with id 7916e49ea4f74c0b8e106646c953d075
Created project swifttenanttest1 with id 3913041a49e5407c9e6c0b4611ea4e6b
Created user swiftusertest1 with id 61d55b328b204d0cb506fc2c9fcfbefe
Assigned role admin to user swiftusertest1 on project swifttenanttest1
Created project swifttenanttest2 with id 74fc956ec83b489ca81d08d5b2fb3742
Created user swiftusertest2 with id 0c0496a6ff0b44f78204a3f16c435b36
Assigned role admin to user swiftusertest2 on project swifttenanttest2
Created project swifttenanttest1 with id 3913041a49e5407c9e6c0b4611ea4e6b
Created user swiftusertest3 with id f71afc5b32c044b88dd206a5a97d74b6
Assigned role not_admin_role to user swiftusertest3 on project swifttenanttest1
Created project swifttenanttest4 with id 1addd45318c54834805452974db16595
Created user swiftusertest4 with id a0648efcdafe40d49b7838b348f3b789
Assigned role admin to user swiftusertest4 on project swifttenanttest4
Created role swiftservice with id 2252f6e1ecc64e47b9e49619b3991f23
Created project swifttenanttest5 with id acf69cde12754b5c8fd211ce79158c4b
Created user swiftusertest5 with id d849d82d3d3c43098d665259b49cf2bd
Assigned role swiftservice to user swiftusertest5 on project swifttenanttest5
# verify keystone state...
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET user list
+----------------------------------+----------------+
| ID                               | Name           |
+----------------------------------+----------------+
| 0c0496a6ff0b44f78204a3f16c435b36 | swiftusertest2 |
| 11f09cb8200d4e8dab037e95b4354204 | demo           |
| 2ab4f4e9124944d18900f166094112eb | admin          |
| 2fd8c7145be7458dad3e2e4f705195ec | swift          |
| 4f7e3f2ca51b42298a75379ad6feeba8 | glance         |
| 61d55b328b204d0cb506fc2c9fcfbefe | swiftusertest1 |
| 66121699f0f74e0fad82a7a7f47eb4d8 | foo            |
| 6b4cc304dada493caf56c60ecab71d6e | alt_demo       |
| a0648efcdafe40d49b7838b348f3b789 | swiftusertest4 |
| a8393dd55d1841e2962b4730c40d4542 | glance-swift   |
| cb9ba9a4abd940e1b0d70341a43e134f | cinder         |
| cf505016be1947a9ad029020264d7e18 | nova           |
| d2e4b571d9cc4ed7a0d7bcd12a5023fd | junk           |
| d849d82d3d3c43098d665259b49cf2bd | swiftusertest5 |
| f71afc5b32c044b88dd206a5a97d74b6 | swiftusertest3 |
+----------------------------------+----------------+
anc@u133:~/devstack$ openstack --os-auth-url http://192.168.58.133:5000/v3 --os-identity-api-version 3 --os-username admin --os-project-name admin --os-password MY_SECRET project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 0b6b892676324e9397dbafd3a48442fc | junk               |
| 1addd45318c54834805452974db16595 | swifttenanttest4   |
| 21a5c26e52774dd69207659f1dd18105 | demo               |
| 3913041a49e5407c9e6c0b4611ea4e6b | swifttenanttest1   |
| 53ca860be12f41f89167aa5fa2c5b6e2 | admin              |
| 5e6e4e442eb6406dbddcba3f52fd8cf8 | foo                |
| 74fc956ec83b489ca81d08d5b2fb3742 | swifttenanttest2   |
| acf69cde12754b5c8fd211ce79158c4b | swifttenanttest5   |
| ccdd906971bc42a5910b02ccd6b4a06c | service            |
| d059b5dc2a5a4de7b1520994de1dcb53 | invisible_to_admin |
| f11d952cc3d848d3931a83bddc443dbd | alt_demo           |
+----------------------------------+--------------------+
# try func tests....devstack /etc/swift/test.conf is set up to run tests against keystone...
anc@u133:~/devstack$ cd /opt/stack/swift
anc@u133:/opt/stack/swift$ tox -e func -r
func recreate: /opt/stack/swift/.tox/func
func installdeps: -r/opt/stack/swift/requirements.txt, -r/opt/stack/swift/test-requirements.txt
func develop-inst: /opt/stack/swift
func runtests: PYTHONHASHSEED='932150618'
func runtests: commands[0] | nosetests test/functional
<snip coverage report>
_________________________________________________ summary _________________________________________________
func: commands succeeded
congratulations :)
# don't get too excited - no tests actually ran due to keystoneclient missing...
# activate virtual env and try running nosetests directly to prove the point...
anc@u133:/opt/stack/swift$ source .tox/func/bin/activate
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional
ERROR
======================================================================
ERROR: test suite for <module 'test.functional' from '/opt/stack/swift/test/functional/__init__.pyc'>
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 209, in run
    self.setUp()
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 292, in setUp
    self.setupContext(ancestor)
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/suite.py", line 315, in setupContext
    try_run(context, names)
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/nose/util.py", line 470, in try_run
    return func()
  File "/opt/stack/swift/test/functional/__init__.py", line 511, in setup_package
    get_cluster_info()
  File "/opt/stack/swift/test/functional/__init__.py", line 327, in get_cluster_info
    conn.authenticate()
  File "/opt/stack/swift/test/functional/swift_test_client.py", line 153, in authenticate
    os_options={})
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 406, in get_auth
    auth_version=auth_version)
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 316, in get_auth_keystone
    ksclient, exceptions = _import_keystone_client(auth_version)
  File "/opt/stack/swift/.tox/func/local/lib/python2.7/site-packages/swiftclient/client.py", line 302, in _import_keystone_client
    variables to be set or overridden with -A, -U, or -K.''')
SystemExit:
Auth versions 2.0 and 3 require python-keystoneclient, install it or use Auth
version 1.0 which requires ST_AUTH, ST_USER, and ST_KEY environment
variables to be set or overridden with -A, -U, or -K.
----------------------------------------------------------------------
Ran 0 tests in 0.009s
FAILED (errors=1)
# So we need to install keystoneclient in the venv...
(func)anc@u133:/opt/stack/swift$ pip install python-keystoneclient
Collecting python-keystoneclient
Using cached python_keystoneclient-1.1.0-py2.py3-none-any.whl
<snip install noise>
Successfully installed Babel-1.3 PrettyTable-0.7.2 iso8601-0.1.10 msgpack-python-0.4.5 netaddr-0.7.13 oslo.config-1.6.1 oslo.i18n-1.4.0 oslo.serialization-1.3.0 oslo.utils-1.3.0 python-keystoneclient-1.1.0 pytz-2014.10 stevedore-1.2.0
# try tests again ...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional -q
----------------------------------------------------------------------
Ran 328 tests in 284.888s
OK (SKIP=25)
# :)
######## SERVICE TOKEN STUFF ########
# Now to apply the service token patch...
# I have rsync'd my local git repo to my user dir on the devstack machine.
# I then check out the branch I want and copy it to /opt/stack/swift
anc@u133:~$ git checkout review/donagh_mccabe/feature/resellers
anc@u133:~$ cp /opt/stack/swift/ /opt/stack/swift-orig -R
anc@u133:~$ cp -R ./swift/* /opt/stack/swift/
# make changes to proxy-server.conf...
anc@u133:~$ emacs /etc/swift/proxy-server.conf
[filter:keystoneauth]
operator_roles = Member, admin
use = egg:swift#keystoneauth
# add these lines...
reseller_prefix = AUTH_, SERVICE_
SERVICE_service_roles = swiftservice
# make changes to test.conf ...
anc@u133:~$ emacs /etc/swift/test.conf
[func_test]
# add these lines...
password5 = testing5
username5 = swiftusertest5
account5 = swifttenanttest5
service_prefix = SERVICE
# restart the swift proxy server...
anc@u133:~$ cd devstack
anc@u133:~/devstack$ ./rejoin-stack.sh
# in screen, ctrl-a " (that's ctrl-a followed by the double quote key) to show the screen window selector
# select the number of the s-proxy screen (3 for me, so type 3)
# in the s-proxy screen, ctrl-c to kill the proxy process, then re-execute the previous command to restart the proxy
# ctrl-a ctrl-d to exit screen
# Now let's try the func tests again. Recreate the tox env since we copied from the local repo.
anc@u133:~/devstack$ cd /opt/stack/swift
anc@u133:~/opt/stack/swift$ tox -e func -r
# remember to activate the venv and install keystoneclient again
anc@u133:~/opt/stack/swift$ source .tox/func/bin/activate
(func)anc@u133:/opt/stack/swift$ pip install python-keystoneclient
Collecting python-keystoneclient
Using cached python_keystoneclient-1.1.0-py2.py3-none-any.whl
<snip install noise>
Successfully installed Babel-1.3 PrettyTable-0.7.2 iso8601-0.1.10 msgpack-python-0.4.5 netaddr-0.7.13 oslo.config-1.6.1 oslo.i18n-1.4.0 oslo.serialization-1.3.0 oslo.utils-1.3.0 python-keystoneclient-1.1.0 pytz-2014.10 stevedore-1.2.0
# we can check that we have the service token patch by grabbing swift info and
# looking for the reseller prefix items...
(func)anc@u133:/opt/stack/swift$ swift --os-auth-url http://localhost:5000/v3 --auth-version 3 --os-username swiftusertest1 --os-password testing --os-project-name swifttenanttest1 info
Core: swift
 Options:
  account_autocreate: True
  account_listing_limit: 10000
  allow_account_management: False
  container_listing_limit: 10000
  max_account_name_length: 256
  max_container_name_length: 256
  max_file_size: 5368709122
  max_header_size: 16384
  max_meta_count: 90
  max_meta_name_length: 128
  max_meta_overall_size: 4096
  max_meta_value_length: 256
  max_object_name_length: 1024
  policies: [{'default': True, 'name': 'Policy-0'}]
  strict_cors_mode: True
  version: 2.2.2.post19
Additional middleware: account_quotas
Additional middleware: bulk_delete
 Options:
  max_deletes_per_request: 10000
  max_failed_deletes: 1000
Additional middleware: bulk_upload
 Options:
  max_containers_per_extraction: 10000
  max_failed_extractions: 1000
Additional middleware: container_quotas
Additional middleware: container_sync
 Options:
  realms: {'REALM1': {'clusters': {'NAME1': {}}}}
Additional middleware: crossdomain
Additional middleware: formpost
Additional middleware: keystoneauth
 Options:
  reseller_prefixes: ['AUTH_', 'SERVICE_']
Additional middleware: ratelimit
 Options:
  account_ratelimit: 0.0
  container_listing_ratelimits: []
  container_ratelimits: []
  max_sleep_time_seconds: 60.0
Additional middleware: slo
 Options:
  max_manifest_segments: 1000
  max_manifest_size: 2097152
  min_segment_size: 1048576
Additional middleware: staticweb
Additional middleware: tempauth
 Options:
  account_acls: True
  reseller_prefixes: ['TEMPAUTH_']
Additional middleware: tempurl
 Options:
  methods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE']
# run the service token specific tests...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional/tests.py:TestServiceToken
test_service_user_denied_with_x_auth_token (test.functional.tests.TestServiceToken) ... ok
test_service_user_denied_with_x_service_token (test.functional.tests.TestServiceToken) ... ok
test_user_access_own_auth_account (test.functional.tests.TestServiceToken) ... ok
test_user_cannot_access_service_account (test.functional.tests.TestServiceToken) ... ok
test_user_plus_service_can_access_service_account (test.functional.tests.TestServiceToken) ... ok
----------------------------------------------------------------------
Ran 5 tests in 1.773s
OK
# run all the functional tests...
(func)anc@u133:/opt/stack/swift$ nosetests ./test/functional/ -q
----------------------------------------------------------------------
Ran 319 tests in 387.545s
OK (SKIP=25)
# Finally, don't forget to reset your proxy-server.conf reseller_prefix options to run on master!
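The access rules the TestServiceToken cases above exercise, as an added Python model that is not part of this gist nor of Swift's own keystoneauth middleware: it takes the reseller_prefix, operator_roles and SERVICE_service_roles settings from the proxy-server.conf above and decides which tokens a request needs for an AUTH_ account versus a SERVICE_ account. The Token class, the use of project names (rather than ids) as account suffixes, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Token:
    # Constructed stand-in for a validated Keystone token: scoped project + roles.
    project: str
    roles: Set[str] = field(default_factory=set)

@dataclass
class KeystoneAuthConfig:
    # Mirrors the [filter:keystoneauth] options in the proxy-server.conf above.
    reseller_prefixes: Tuple[str, ...] = ("AUTH_", "SERVICE_")
    operator_roles: Set[str] = field(default_factory=lambda: {"Member", "admin"})
    # <PREFIX>service_roles: roles an X-Service-Token must carry for that prefix.
    service_roles: Dict[str, Set[str]] = field(
        default_factory=lambda: {"SERVICE_": {"swiftservice"}})

def split_account(account: str, cfg: KeystoneAuthConfig):
    """Return (reseller prefix, project) for an account, or (None, account)."""
    for prefix in cfg.reseller_prefixes:
        if account.startswith(prefix):
            return prefix, account[len(prefix):]
    return None, account

def authorize(account: str, user_token: Optional[Token],
              service_token: Optional[Token], cfg: KeystoneAuthConfig) -> bool:
    """Owner-level access decision for one account (simplified model)."""
    # Account suffix is the project name here for readability; real Swift
    # uses the project id. Token validation itself is out of scope.
    prefix, project = split_account(account, cfg)
    if prefix is None or user_token is None:
        return False  # unknown reseller prefix, or no X-Auth-Token at all
    if user_token.project != project:
        return False  # X-Auth-Token is scoped to a different project
    if not (user_token.roles & cfg.operator_roles):
        return False  # user is not an operator on that project
    required = cfg.service_roles.get(prefix, set())
    if not required:
        return True  # plain AUTH_ account: the user token is enough
    # SERVICE_ account: also needs an X-Service-Token carrying a service role
    return service_token is not None and bool(service_token.roles & required)

# Constructed tokens for the accounts swift-keystone-setup.sh creates.
USER1 = Token("swifttenanttest1", {"admin"})            # swiftusertest1
SERVICE5 = Token("swifttenanttest5", {"swiftservice"})  # swiftusertest5
CFG = KeystoneAuthConfig()

def scenarios() -> Dict[str, bool]:
    """One entry per TestServiceToken functional test run above."""
    return {
        "service_user_denied_with_x_auth_token":
            authorize("SERVICE_swifttenanttest1", SERVICE5, None, CFG),
        "service_user_denied_with_x_service_token":
            authorize("SERVICE_swifttenanttest1", None, SERVICE5, CFG),
        "user_access_own_auth_account":
            authorize("AUTH_swifttenanttest1", USER1, None, CFG),
        "user_cannot_access_service_account":
            authorize("SERVICE_swifttenanttest1", USER1, None, CFG),
        "user_plus_service_can_access_service_account":
            authorize("SERVICE_swifttenanttest1", USER1, SERVICE5, CFG),
    }
```

The point the model makes explicit is that the service token alone never grants anything: a SERVICE_ account is reachable only when a project-scoped user token and a service-role token arrive together.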
#!/bin/bash
usage="<prog> <identity endpoint> [os-password] [--remove]"
#
# identity endpoint should include /v3 at end of url
# e.g. <prog> http://hostname:5000/v3 ADMIN
#
# hostname could be standalone keystone service or devstack keystone service
# Note: we are using password auth for keystone admin here - previously token
# auth had been just fine but I couldn't get that to auth 'create' commands.
# Following pattern of stack.sh which flips to password auth once initial
# keystone bootstrap is done.
if [ -z "$1" ]; then
    echo "usage: $usage"
    exit 1
fi
OS_URL=$1
shift
# admin password defaults to ADMIN (the devstack default) when not given
OS_PASSWORD=$1
if [ -z "$1" ]; then
    OS_PASSWORD="ADMIN"
fi
shift
REMOVE=$1
ADMIN_USERNAME=admin
ADMIN_PROJECT_NAME=admin
echo "Using keystone admin credentials: {user: $ADMIN_USERNAME, password: $OS_PASSWORD, project: $ADMIN_PROJECT_NAME}"
# common base command
OS_CMD="openstack --os-auth-url $OS_URL --os-identity-api-version 3 --os-username $ADMIN_USERNAME --os-project-name $ADMIN_PROJECT_NAME --os-password $OS_PASSWORD"
# create_account <user_name> <password> <project_name> <role_name> <domain_name>
function create_account {
    local user_name=$1
    local password=$2
    local project_name=$3
    local role_name=$4
    local domain_name=$5
    # --or-show makes this idempotent: an existing project/user is reported, not recreated
    local project_id=$($OS_CMD project create $project_name --domain $domain_name --or-show -f value -c id)
    if [ -z "$project_id" ]; then
        exit 1
    fi
    echo "Created project $project_name with id $project_id"
    local user_id=$($OS_CMD user create $user_name --password $password --domain $domain_name --or-show -f value -c id)
    if [ -z "$user_id" ]; then
        exit 1
    fi
    echo "Created user $user_name with id $user_id"
    # run the command directly; wrapping it in $(...) would try to execute its output
    $OS_CMD role add --user $user_id --project $project_id $role_name
    if [ $? -ne 0 ]; then
        exit 1
    fi
    echo "Assigned role $role_name to user $user_name on project $project_name"
}
# remove_account <user_name> <project_name> <role_name> <domain_name>
function remove_account {
    local user_name=$1
    local project_name=$2
    local role_name=$3
    local domain_name=$4
    if [ "$role_name" != "NONE" ]; then
        $OS_CMD role remove --user $user_name --project $project_name $role_name
        echo "Removed role $role_name from user $user_name on project $project_name"
    fi
    $OS_CMD project delete $project_name --domain $domain_name
    echo "Deleted project $project_name in domain $domain_name"
    $OS_CMD user delete $user_name --domain $domain_name
    echo "Deleted user $user_name in domain $domain_name"
}
# not pretending this is elegant
if [ "$REMOVE" == "--remove" ]; then
    # third user shares swifttenanttest1 with the first user (see creation below),
    # so drop its role and the user before remove_account deletes that project
    $OS_CMD role remove --user swiftusertest3 --project swifttenanttest1 not_admin_role
    echo "Removed role not_admin_role from user swiftusertest3 on project swifttenanttest1"
    $OS_CMD user delete swiftusertest3 --domain Default
    echo "Deleted user swiftusertest3 in domain Default"
    remove_account swiftusertest1 swifttenanttest1 admin Default
    remove_account swiftusertest2 swifttenanttest2 admin Default
    remove_account swiftusertest4 swifttenanttest4 admin swift_test
    remove_account swiftusertest5 swifttenanttest5 swiftservice Default
    $OS_CMD role delete not_admin_role
    $OS_CMD role delete swiftservice
else
    # create a non-admin role for the third account to use
    role_id=$($OS_CMD role create not_admin_role --or-show -f value -c id)
    if [ -z "$role_id" ]; then
        exit 1
    fi
    echo "Created role not_admin_role with id $role_id"
    # create the 'standard' swift accounts
    create_account swiftusertest1 testing swifttenanttest1 admin Default
    create_account swiftusertest2 testing2 swifttenanttest2 admin Default
    # no mistake, third user is in first project, but not admin...
    create_account swiftusertest3 testing3 swifttenanttest1 not_admin_role Default
    create_account swiftusertest4 testing4 swifttenanttest4 admin swift_test
    # create the 'special service role' (avoiding 'service' which is already used in devstack)
    role_id=$($OS_CMD role create swiftservice --or-show -f value -c id)
    if [ -z "$role_id" ]; then
        exit 1
    fi
    echo "Created role swiftservice with id $role_id"
    # create the 'service account' which only has role swiftservice
    create_account swiftusertest5 testing5 swifttenanttest5 swiftservice Default
fi