Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Proposed by
Dmitrii Shcherbakov
Status: | Superseded |
---|---|
Proposed branch: | lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
Merge into: | lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk |
Diff against target: |
674 lines (+210/-70) 4 files modified
config.yaml (+10/-0) hooks/contrail_configuration_hooks.py (+174/-67) hooks/contrail_configuration_utils.py (+16/-2) templates/contrail-api.conf (+10/-1) |
To merge this branch: | bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ante Karamatić (community) | Needs Fixing | ||
Review via email: mp+320149@code.launchpad.net |
This proposal has been superseded by a proposal from 2017-03-19.
Commit message
Description of the change
rbac support (rebased)
Ante Karamatić (ivoks) wrote : | # |
One more comment
review:
Needs Fixing
Ante Karamatić (ivoks) wrote : | # |
I haven't investigated in detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/
- 67. By Dmitrii Shcherbakov
-
enable rbac configuration support
- add an action to create roles which may then be configured for use by
contrail rbac mechanism
- render the required config file with the additional data provided via
config.yaml
- set relation data for use by other contrail charms
Unmerged revisions
Preview Diff
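--- a/config.yaml
+++ b/config.yaml
@@ -59,3 +59,13 @@
 type: int
 default: 1
 description: Minimum number of units required in cassandra relation
+ rbac:
+ type: boolean
+ default: true
+ description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer
+ cloud-admin-role:
+ type: string
+ description: A user who is assigned the cloud_admin_role has full access to everything.
+ global-read-only-role:
+ type: string
+ description: This role allows read-only access to all Contrail resources. Must be configured in keystone.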
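Review bot: `rbac` is declared with `default: true` although its own description limits it to Contrail 3.2 and newer, so upgrading an existing unit switches the API server from `multi_tenancy` to `aaa_mode = rbac` (see templates/contrail-api.conf) without the operator opting in, and nothing visible in this diff gates the switch on CONTRAIL_VERSION. I would ship it as `default: false` and state the version requirement as a precondition in the description. The two role options also carry no `default:` key, so they are unset unless configured; the description of `cloud-admin-role` should say which role applies in that case, since that role has full access to everything.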
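--- a/hooks/contrail_configuration_hooks.py
+++ b/hooks/contrail_configuration_hooks.py
@@ -1,6 +1,5 @@
 #!/usr/bin/env python
 
-from socket import gethostbyname
 import sys
 
 from apt_pkg import version_compare
@@ -24,7 +23,6 @@
 relation_ids,
 relation_set,
 remote_unit,
- unit_get
 )
 
 from charmhelpers.core.host import (
@@ -68,17 +66,45 @@
 write_ifmap_config,
 write_nodemgr_config,
 write_ssl_ca_certificate,
- write_vnc_api_config
+ write_vnc_api_config,
+ write_admin_oscreds_config,
 )
 
-PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack",
- "neutron-common", "contrail-utils", "contrail-nodemgr" ]
-
-PACKAGES_BARBICAN = [ "python-barbicanclient" ]
+PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack",
+ "neutron-common", "contrail-utils", "contrail-nodemgr"]
+
+PACKAGES_BARBICAN = ["python-barbicanclient"]
+
+CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role']
 
 hooks = Hooks()
 config = config()
 
+
+def get_rbac_roles():
+ rid = relation_ids("identity-admin")[0]
+ unit = related_units(rid)[0]
+ default_role = relation_get(attribute='service_tenant_name',
+ rid=rid, unit=unit)
+ rbac_roles = {}
+ for r in CONFIG_ROLES:
+ val = config.get(r)
+ rbac_roles[r] = val if val else default_role
+ return rbac_roles
+
+
+def add_rbac_settings(d):
+ rbac = config.get('rbac')
+ # update the rbac settings unconditionally
+ # we do need to signal the change of relation data
+ if rbac:
+ d['rbac'] = rbac
+ d.update(get_rbac_roles())
+ else:
+ d['rbac'] = None
+ d.update({k: None for k in CONFIG_ROLES})
+
+
 def add_contrail_api():
 # check relation dependencies
 if not config_get("contrail-api-configured") \
@@ -95,14 +121,18 @@
 config["contrail-api-configured"] = True
 
 # inform relations
- settings = { "private-address": control_network_ip(),
- "port": api_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": api_port(),
+ "vip": config.get("vip")}
+
+ add_rbac_settings(settings)
+
 for rid in relation_ids("contrail-api"):
 relation_set(relation_id=rid, relation_settings=settings)
 
 configure_floating_ip_pools()
 
+
 def add_metadata():
 # check relation dependencies
 if is_leader() \
@@ -112,6 +142,7 @@
 provision_metadata()
 leader_set({"metadata-provisioned": True})
 
+
 @hooks.hook("amqp-relation-changed")
 def amqp_changed():
 if not relation_get("password"):
@@ -122,6 +153,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("amqp-relation-departed")
 @hooks.hook("amqp-relation-broken")
 def amqp_departed():
@@ -131,10 +163,13 @@
 config["amqp-ready"] = False
 amqp_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def amqp_relation():
 write_contrail_api_config()
 write_contrail_svc_monitor_config()
@@ -142,10 +177,12 @@
 if version_compare(CONTRAIL_VERSION, "3.0") >= 0:
 write_contrail_schema_config()
 
+
 @hooks.hook("amqp-relation-joined")
 def amqp_joined():
 relation_set(username="contrail", vhost="contrail")
 
+
 @hooks.hook("cassandra-relation-changed")
 def cassandra_changed():
 # 'port' is used in legacy precise charm
@@ -156,13 +193,15 @@
 units = len(cassandra_units())
 required = config["cassandra-units"]
 if units < required:
- log("{} cassandra unit(s) ready, require {} more".format(units, required - units))
+ log("{} cassandra unit(s) ready, require {} more".format(
+ units, required - units))
 return
 config["cassandra-ready"] = True
 cassandra_relation()
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("cassandra-relation-departed")
 @hooks.hook("cassandra-relation-broken")
 def cassandra_departed():
@@ -172,12 +211,15 @@
 config["cassandra-ready"] = False
 cassandra_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
- "/etc/contrail/discovery.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
 def cassandra_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
@@ -185,6 +227,7 @@
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 
+
 @hooks.hook("config-changed")
 def config_changed():
 write_config()
@@ -197,8 +240,14 @@
 
 ip = control_network_ip()
 vip = config.get("vip")
- settings = { "private-address": ip,
- "vip": vip }
+ settings = {"private-address": ip,
+ "vip": vip}
+
+ # a role fetched from keystone is used as a fallback
+ # hence we have to check if this relation is established
+ if config_get("identity-admin-ready"):
+ add_rbac_settings(settings)
+
 for rid in relation_ids("contrail-api"):
 relation_set(relation_id=rid, relation_settings=settings)
 for rid in relation_ids("contrail-discovery"):
@@ -217,12 +266,14 @@
 for rid in relation_ids("http-services"):
 relation_set(relation_id=rid, services=services)
 
+
 def config_get(key):
 try:
 return config[key]
 except KeyError:
 return None
 
+
 def configure_control_network():
 # unprovision/provision configuration on 3.0.2.0+
 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
@@ -230,6 +281,7 @@
 unprovision_configuration()
 provision_configuration()
 
+
 def configure_floating_ip_pools():
 if is_leader():
 floating_pools = config.get("floating-ip-pools")
@@ -237,16 +289,19 @@
 if floating_pools != previous_floating_pools:
 # create/destroy pools, activate/deactivate projects
 # according to new value
- pools = { (pool["project"],
- pool["network"],
- pool["pool-name"]): set(pool["target-projects"])
- for pool in yaml.safe_load(floating_pools) } \
- if floating_pools else {}
+ pools = {(pool["project"],
+ pool["network"],
+ pool["pool-name"]): set(pool["target-projects"])
+ for pool in yaml.safe_load(floating_pools)} \
+ if floating_pools else {}
 previous_pools = {}
 if previous_floating_pools:
 for pool in yaml.safe_load(previous_floating_pools):
 projects = pool["target-projects"]
- name = (pool["project"], pool["network"], pool["pool-name"])
+ name = (
+ pool["project"],
+ pool["network"],
+ pool["pool-name"])
 if name in pools:
 previous_pools[name] = set(projects)
 else:
@@ -255,10 +310,12 @@
 if name not in previous_pools:
 floating_ip_pool_create(name, projects)
 else:
- floating_ip_pool_update(name, projects, previous_pools[name])
+ floating_ip_pool_update(
+ name, projects, previous_pools[name])
 
 leader_set({"floating-ip-pools": floating_pools})
 
+
 def configure_ssl():
 cert = config.get("ssl-ca")
 if cert:
@@ -268,6 +325,7 @@
 if remove_ssl_ca_certificate():
 service_restart("supervisor-config")
 
+
 @hooks.hook("contrail-analytics-api-relation-changed")
 def contrail_analytics_api_changed():
 if not relation_get("port"):
@@ -275,27 +333,33 @@
 return
 contrail_analytics_api_relation()
 
+
 @hooks.hook("contrail-analytics-api-relation-departed")
 @hooks.hook("contrail-analytics-api-relation-broken")
-@restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+@restart_on_change(
+ {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def contrail_analytics_api_relation():
 write_contrail_svc_monitor_config()
 
+
 @hooks.hook("contrail-api-relation-joined")
 def contrail_api_joined():
 if config_get("contrail-api-configured"):
- settings = { "private-address": control_network_ip(),
- "port": api_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": api_port(),
+ "vip": config.get("vip")}
+ add_rbac_settings(settings)
 relation_set(relation_settings=settings)
 
+
 @hooks.hook("contrail-discovery-relation-joined")
 def contrail_discovery_joined():
- settings = { "private-address": control_network_ip(),
- "port": discovery_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": discovery_port(),
+ "vip": config.get("vip")}
 relation_set(relation_settings=settings)
 
+
 @hooks.hook("contrail-ifmap-relation-joined")
 def contrail_ifmap_joined():
 if is_leader():
@@ -303,12 +367,12 @@
 creds = json.loads(creds) if creds else {}
 
 # prune credentials because we can't remove them directly lp #1469731
- creds = { rid: { unit: units[unit]
- for unit, units in
- ((unit, creds[rid]) for unit in related_units(rid))
- if unit in units }
- for rid in relation_ids("contrail-ifmap")
- if rid in creds }
+ creds = {rid: {unit: units[unit]
+ for unit, units in
+ ((unit, creds[rid]) for unit in related_units(rid))
+ if unit in units}
+ for rid in relation_ids("contrail-ifmap")
+ if rid in creds}
 
 rid = relation_id()
 if rid not in creds:
@@ -318,12 +382,13 @@
 if unit in cs:
 return
 # generate new credentials for unit
- cs[unit] = { "username": unit, "password": pwgen(32) }
+ cs[unit] = {"username": unit, "password": pwgen(32)}
 leader_set({"ifmap-creds": json.dumps(creds)})
 write_ifmap_config()
 service_restart("supervisor-config")
 relation_set(creds=json.dumps(cs))
 
+
 def floating_ip_pool_create(name, projects):
 # create pool
 fq_network = "default-domain:" + ":".join(name[:2])
@@ -335,6 +400,7 @@
 fq_project = "default-domain:" + project
 contrail_floating_ip_use(fq_project, fq_pool_name)
 
+
 def floating_ip_pool_delete(name, projects):
 # deactivate pool for projects
 fq_pool_name = "default-domain:" + ":".join(name)
@@ -346,6 +412,7 @@
 fq_network = "default-domain:" + ":".join(name[:2])
 contrail_floating_ip_delete(fq_network, name[2])
 
+
 def floating_ip_pool_update(name, projects, previous_projects):
 fq_pool_name = "default-domain:" + ":".join(name)
 
@@ -359,24 +426,39 @@
 fq_project = "default-domain:" + project
 contrail_floating_ip_use(fq_project, fq_pool_name)
 
+
 def http_services():
 name = local_unit().replace("/", "-")
 addr = control_network_ip()
- return [ { "service_name": "contrail-api",
- "service_host": "0.0.0.0",
- "service_port": 8082,
- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ],
- "servers": [ [ name, addr, api_port(), "check port 8084" ] ] },
- { "service_name": "contrail-discovery",
- "service_host": "0.0.0.0",
- "service_port": 5998,
- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ],
- "servers": [ [ name, addr, discovery_port(), "check" ] ] } ]
+ return [{"service_name": "contrail-api",
+ "service_host": "0.0.0.0",
+ "service_port": 8082,
+ "service_options": ["mode http",
+ "balance leastconn",
+ "option httpchk GET "
+ "/Snh_SandeshUVECacheReq?x=NodeStatus "
+ "HTTP/1.0"],
+ "servers": [[name,
+ addr,
+ api_port(),
+ "check port 8084"]]},
+ {"service_name": "contrail-discovery",
+ "service_host": "0.0.0.0",
+ "service_port": 5998,
+ "service_options": ["mode http",
+ "balance leastconn",
+ "option httpchk GET /services HTTP/1.0"],
+ "servers": [[name,
+ addr,
+ discovery_port(),
+ "check"]]}]
+
 
 @hooks.hook("http-services-relation-joined")
 def http_services_joined():
 relation_set(services=yaml.dump(http_services()))
 
+
 @hooks.hook("identity-admin-relation-changed")
 def identity_admin_changed():
 if not relation_get("service_hostname"):
@@ -387,6 +469,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("identity-admin-relation-departed")
 @hooks.hook("identity-admin-relation-broken")
 def identity_admin_departed():
@@ -396,19 +479,24 @@
 config["identity-admin-ready"] = False
 identity_admin_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def identity_admin_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 write_vnc_api_config()
+ write_admin_oscreds_config()
 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
 write_barbican_auth_config()
 
+
 @hooks.hook("identity-service-relation-joined")
 def identity_service_joined():
 vip = config.get("vip")
@@ -419,6 +507,7 @@
 internal_url=url,
 admin_url=url)
 
+
 @hooks.hook()
 def install():
 configure_installation_source(config["openstack-origin"])
@@ -437,8 +526,10 @@
 write_nodemgr_config()
 service_restart("contrail-config-nodemgr")
 
+
 @hooks.hook("leader-settings-changed")
-@restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
+@restart_on_change(
+ {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
 def leader_changed():
 write_ifmap_config()
 creds = leader_get("ifmap-creds")
@@ -448,12 +539,14 @@
 if rid in creds:
 relation_set(relation_id=rid, creds=json.dumps(creds[rid]))
 
+
 def main():
 try:
 hooks.execute(sys.argv)
 except UnregisteredHookError as e:
 log("Unknown hook {} - skipping.".format(e))
 
+
 @hooks.hook("neutron-metadata-relation-changed")
 def neutron_metadata_changed():
 if not relation_get("shared-secret"):
@@ -462,6 +555,7 @@
 config["neutron-metadata-ready"] = True
 add_metadata()
 
+
 @hooks.hook("neutron-metadata-relation-departed")
 @hooks.hook("neutron-metadata-relation-broken")
 def neutron_metadata_departed():
@@ -469,6 +563,7 @@
 remove_metadata()
 config["neutron-metadata-ready"] = False
 
+
 def remove_contrail_api():
 if config_get("contrail-api-configured"):
 # unprovision configuration on 3.0.2.0+
@@ -476,6 +571,7 @@
 unprovision_configuration()
 config["contrail-api-configured"] = False
 
+
 def remove_metadata():
 if is_leader() and leader_get("metadata-provisioned"):
 # impossible to know if current hook is firing because
@@ -484,6 +580,7 @@
 unprovision_metadata()
 leader_set({"metadata-provisioned": ""})
 
+
 @hooks.hook("upgrade-charm")
 def upgrade_charm():
 write_ifmap_config()
@@ -494,14 +591,19 @@
 write_device_manager_config()
 write_vnc_api_config()
 write_nodemgr_config()
+ write_admin_oscreds_config()
 service_restart("supervisor-config")
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
 def write_config():
 write_contrail_api_config()
 write_nodemgr_config()
 
+
 @hooks.hook("zookeeper-relation-changed")
 def zookeeper_changed():
 if not relation_get("port"):
@@ -512,6 +614,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("zookeeper-relation-departed")
 @hooks.hook("zookeeper-relation-broken")
 def zookeeper_departed():
@@ -521,12 +624,15 @@
 config["zookeeper-ready"] = False
 zookeeper_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
- "/etc/contrail/discovery.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
 def zookeeper_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
@@ -534,5 +640,6 @@
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 
+
 if __name__ == "__main__":
 main()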
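Review bot: In `get_rbac_roles` an unset `cloud-admin-role` silently falls back to the `service_tenant_name` published on the identity-admin relation, which is a tenant name rather than a role, and `add_rbac_settings` then advertises that value to related charms as the role with full access. The function also indexes `relation_ids("identity-admin")[0]` and `related_units(rid)[0]` unguarded; `config_changed` checks `identity-admin-ready` first, but `contrail_api_joined` and `add_contrail_api` call `add_rbac_settings` without that check in the visible lines, so a missing relation or unit would raise IndexError (the dependency check in `add_contrail_api` continues outside the hunk and may already cover its case). I would guard the lookup as below, and add a docstring that states the fallback rule so operators know an explicit `cloud-admin-role` is expected.

```python
def get_rbac_roles():
    rids = relation_ids("identity-admin")
    units = related_units(rids[0]) if rids else []
    if not units:
        # identity-admin is not related yet: publish no roles
        return {r: None for r in CONFIG_ROLES}
    default_role = relation_get(attribute='service_tenant_name',
                                rid=rids[0], unit=units[0])
    # ... unchanged: per-role loop over CONFIG_ROLES ...
```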
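--- a/hooks/contrail_configuration_utils.py
+++ b/hooks/contrail_configuration_utils.py
@@ -40,6 +40,7 @@
 
 apt_pkg.init()
 
+
 def dpkg_version(pkg):
 try:
 return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip()
@@ -155,10 +156,16 @@
 
 def contrail_ctx():
 addr = control_network_ip()
+ rbac = config.get("rbac")
+ cloud_admin_role = config.get("cloud-admin-role")
+ global_read_only_role = config.get("global-read-only-role")
 return { "api_port": api_port(),
 "ifmap_server": addr,
 "disc_server": addr,
- "disc_port": discovery_port() }
+ "disc_port": discovery_port(),
+ "rbac": rbac,
+ "cloud_admin_role": cloud_admin_role,
+ "global_read_only_role": global_read_only_role }
 
 def contrail_floating_ip_create(network, name):
 user, password, tenant = [ (relation_get("service_username", unit, rid),
@@ -344,7 +351,9 @@
 "admin_user": relation_get("service_username", unit, rid),
 "admin_password": relation_get("service_password", unit, rid),
 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
- "auth_region": relation_get("service_region", unit, rid) }
+ "auth_region": relation_get("service_region", unit, rid),
+ "service_protocol": relation_get("service_protocol", unit, rid),
+ "api_version": relation_get("api_version", unit, rid)}
 for rid in relation_ids("identity-admin")
 for unit, hostname in
 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
@@ -555,6 +564,11 @@
 ctx.update(identity_admin_ctx())
 render("vnc_api_lib.ini", "/etc/contrail/vnc_api_lib.ini", ctx)
 
+def write_admin_oscreds_config():
+ ctx = {}
+ ctx.update(identity_admin_ctx())
+ render("admin-oscreds-v2.yaml", '/root/admin-oscreds-v2.yaml', ctx)
+
 def zookeeper_ctx():
 return { "zk_servers": [ (host if host \
 else gethostbyname(relation_get("private-address", unit, rid)))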
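Review bot: `write_admin_oscreds_config` writes the whole `identity_admin_ctx()` result, which includes `admin_password`, to `/root/admin-oscreds-v2.yaml` without passing a file mode to `render`. If `render` here is the charmhelpers templating helper, its default mode is 0o444, so the credentials file is created world-readable and is protected only by the permissions of `/root`; I would set the mode explicitly, `render("admin-oscreds-v2.yaml", '/root/admin-oscreds-v2.yaml', ctx, perms=0o600)`. The `admin-oscreds-v2.yaml` template is not among the four files listed in this proposal, so it is worth confirming that it exists in the branch. Separately, `contrail_ctx` passes the raw `cloud-admin-role` and `global-read-only-role` options to the template while the hooks publish a fallback value on the relation, so the two can disagree when an option is unset.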
650 | === added symlink 'hooks/identity-credentials-relation-changed' |
651 | === target is u'contrail_configuration_hooks.py' |
652 | === added symlink 'hooks/identity-credentials-relation-joined' |
653 | === target is u'contrail_configuration_hooks.py' |
654 | === modified file 'templates/contrail-api.conf' |
655 | --- templates/contrail-api.conf 2017-01-31 12:51:09 +0000 |
656 | +++ templates/contrail-api.conf 2017-03-19 16:48:41 +0000 |
657 | @@ -10,7 +10,16 @@ |
658 | ifmap_password = api-server |
659 | cassandra_server_list = {{ cassandra_servers|join(" ") }} |
660 | auth = keystone |
661 | -multi_tenancy = True |
662 | + |
663 | +{% if rbac -%} |
664 | +aaa_mode = rbac |
665 | +{% else -%} |
666 | +multi_tenancy = true |
667 | +{% endif -%} |
668 | + |
669 | +cloud_admin_role = {{ cloud_admin_role }} |
670 | +global_read_only_role = {{ global_read_only_role }} |
671 | + |
672 | disc_server_ip = {{ disc_server }} |
673 | disc_server_port = {{ disc_port }} |
674 | zk_server_ip = {{ zk_servers|join(",") }} |
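Review bot: `cloud_admin_role` and `global_read_only_role` are emitted unconditionally, and their context values come straight from `config.get(...)` in `contrail_ctx`, so with an option unset the rendered file would presumably contain the literal `cloud_admin_role = None`. I would wrap each line in a guard, for example `{% if cloud_admin_role -%}`, `cloud_admin_role = {{ cloud_admin_role }}`, `{% endif -%}`, so that an unset option leaves the key out rather than naming a role called "None". A short comment above the `{% if rbac -%}` block saying which Contrail versions understand `aaa_mode` would also help the next reader.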
See my comment