Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk

Proposed by Dmitrii Shcherbakov
Status: Superseded
Proposed branch: lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Merge into: lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Diff against target: 674 lines (+210/-70)
4 files modified
config.yaml (+10/-0)
hooks/contrail_configuration_hooks.py (+174/-67)
hooks/contrail_configuration_utils.py (+16/-2)
templates/contrail-api.conf (+10/-1)
To merge this branch: bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Reviewer Review Type Date Requested Status
Ante Karamatić (community) Needs Fixing

This proposal has been superseded by a proposal from 2017-03-19.

Description of the change

rbac support (rebased)

Ante Karamatić (ivoks) wrote :

See my comment

review: Needs Fixing
Ante Karamatić (ivoks) wrote :

One more comment

review: Needs Fixing
Ante Karamatić (ivoks) wrote :

I haven't investigated in detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/contrail-analytics-api.conf, which in turn means that contrail-analytics is not functional.

67. By Dmitrii Shcherbakov

enable rbac configuration support

- add an action to create roles which may then be configured for use by
contrail rbac mechanism
- render the required config file with the additional data provided via
config.yaml
- set relation data for use by other contrail charms

Unmerged revisions

Preview Diff

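--- a/config.yaml
+++ b/config.yaml
@@ -59,3 +59,13 @@
 type: int
 default: 1
 description: Minimum number of units required in cassandra relation
+ rbac:
+ type: boolean
+ default: true
+ description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer
+ cloud-admin-role:
+ type: string
+ description: A user who is assigned the cloud_admin_role has full access to everything.
+ global-read-only-role:
+ type: string
+ description: This role allows read-only access to all Contrail resources. Must be configured in keystone.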
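Review bot: `rbac` is added with `default: true` even though its own description says the feature is only supported in Contrail 3.2 and newer, so on upgrade every existing deployment has its rendered contrail-api.conf switched from `multi_tenancy` to `aaa_mode = rbac` without an operator decision. How an older contrail-api treats a config with `aaa_mode` set and `multi_tenancy` absent is not visible here, but if it ignores the unknown key the API would run with neither access-control mode. I would ship `default: false` and have the charm ignore or reject `rbac: true` when `CONTRAIL_VERSION` is below 3.2. The description should also say role-based access control rather than authentication, and the two role options should state what happens when they are left unset.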
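--- a/hooks/contrail_configuration_hooks.py
+++ b/hooks/contrail_configuration_hooks.py
@@ -1,6 +1,5 @@
 #!/usr/bin/env python
 
-from socket import gethostbyname
 import sys
 
 from apt_pkg import version_compare
@@ -24,7 +23,6 @@
 relation_ids,
 relation_set,
 remote_unit,
- unit_get
 )
 
 from charmhelpers.core.host import (
@@ -68,17 +66,45 @@
 write_ifmap_config,
 write_nodemgr_config,
 write_ssl_ca_certificate,
- write_vnc_api_config
+ write_vnc_api_config,
+ write_admin_oscreds_config,
 )
 
-PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack",
- "neutron-common", "contrail-utils", "contrail-nodemgr" ]
-
-PACKAGES_BARBICAN = [ "python-barbicanclient" ]
+PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack",
+ "neutron-common", "contrail-utils", "contrail-nodemgr"]
+
+PACKAGES_BARBICAN = ["python-barbicanclient"]
+
+CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role']
 
 hooks = Hooks()
 config = config()
 
+
+def get_rbac_roles():
+ rid = relation_ids("identity-admin")[0]
+ unit = related_units(rid)[0]
+ default_role = relation_get(attribute='service_tenant_name',
+ rid=rid, unit=unit)
+ rbac_roles = {}
+ for r in CONFIG_ROLES:
+ val = config.get(r)
+ rbac_roles[r] = val if val else default_role
+ return rbac_roles
+
+
+def add_rbac_settings(d):
+ rbac = config.get('rbac')
+ # update the rbac settings unconditionally
+ # we do need to signal the change of relation data
+ if rbac:
+ d['rbac'] = rbac
+ d.update(get_rbac_roles())
+ else:
+ d['rbac'] = None
+ d.update({k: None for k in CONFIG_ROLES})
+
+
 def add_contrail_api():
 # check relation dependencies
 if not config_get("contrail-api-configured") \
@@ -95,14 +121,18 @@
 config["contrail-api-configured"] = True
 
 # inform relations
- settings = { "private-address": control_network_ip(),
- "port": api_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": api_port(),
+ "vip": config.get("vip")}
+
+ add_rbac_settings(settings)
+
 for rid in relation_ids("contrail-api"):
 relation_set(relation_id=rid, relation_settings=settings)
 
 configure_floating_ip_pools()
 
+
 def add_metadata():
 # check relation dependencies
 if is_leader() \
@@ -112,6 +142,7 @@
 provision_metadata()
 leader_set({"metadata-provisioned": True})
 
+
 @hooks.hook("amqp-relation-changed")
 def amqp_changed():
 if not relation_get("password"):
@@ -122,6 +153,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("amqp-relation-departed")
 @hooks.hook("amqp-relation-broken")
 def amqp_departed():
@@ -131,10 +163,13 @@
 config["amqp-ready"] = False
 amqp_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def amqp_relation():
 write_contrail_api_config()
 write_contrail_svc_monitor_config()
@@ -142,10 +177,12 @@
 if version_compare(CONTRAIL_VERSION, "3.0") >= 0:
 write_contrail_schema_config()
 
+
 @hooks.hook("amqp-relation-joined")
 def amqp_joined():
 relation_set(username="contrail", vhost="contrail")
 
+
 @hooks.hook("cassandra-relation-changed")
 def cassandra_changed():
 # 'port' is used in legacy precise charm
@@ -156,13 +193,15 @@
 units = len(cassandra_units())
 required = config["cassandra-units"]
 if units < required:
- log("{} cassandra unit(s) ready, require {} more".format(units, required - units))
+ log("{} cassandra unit(s) ready, require {} more".format(
+ units, required - units))
 return
 config["cassandra-ready"] = True
 cassandra_relation()
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("cassandra-relation-departed")
 @hooks.hook("cassandra-relation-broken")
 def cassandra_departed():
@@ -172,12 +211,15 @@
 config["cassandra-ready"] = False
 cassandra_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
- "/etc/contrail/discovery.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
 def cassandra_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
@@ -185,6 +227,7 @@
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 
+
 @hooks.hook("config-changed")
 def config_changed():
 write_config()
@@ -197,8 +240,14 @@
 
 ip = control_network_ip()
 vip = config.get("vip")
- settings = { "private-address": ip,
- "vip": vip }
+ settings = {"private-address": ip,
+ "vip": vip}
+
+ # a role fetched from keystone is used as a fallback
+ # hence we have to check if this relation is established
+ if config_get("identity-admin-ready"):
+ add_rbac_settings(settings)
+
 for rid in relation_ids("contrail-api"):
 relation_set(relation_id=rid, relation_settings=settings)
 for rid in relation_ids("contrail-discovery"):
@@ -217,12 +266,14 @@
 for rid in relation_ids("http-services"):
 relation_set(relation_id=rid, services=services)
 
+
 def config_get(key):
 try:
 return config[key]
 except KeyError:
 return None
 
+
 def configure_control_network():
 # unprovision/provision configuration on 3.0.2.0+
 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
@@ -230,6 +281,7 @@
 unprovision_configuration()
 provision_configuration()
 
+
 def configure_floating_ip_pools():
 if is_leader():
 floating_pools = config.get("floating-ip-pools")
@@ -237,16 +289,19 @@
 if floating_pools != previous_floating_pools:
 # create/destroy pools, activate/deactivate projects
 # according to new value
- pools = { (pool["project"],
- pool["network"],
- pool["pool-name"]): set(pool["target-projects"])
- for pool in yaml.safe_load(floating_pools) } \
- if floating_pools else {}
+ pools = {(pool["project"],
+ pool["network"],
+ pool["pool-name"]): set(pool["target-projects"])
+ for pool in yaml.safe_load(floating_pools)} \
+ if floating_pools else {}
 previous_pools = {}
 if previous_floating_pools:
 for pool in yaml.safe_load(previous_floating_pools):
 projects = pool["target-projects"]
- name = (pool["project"], pool["network"], pool["pool-name"])
+ name = (
+ pool["project"],
+ pool["network"],
+ pool["pool-name"])
 if name in pools:
 previous_pools[name] = set(projects)
 else:
@@ -255,10 +310,12 @@
 if name not in previous_pools:
 floating_ip_pool_create(name, projects)
 else:
- floating_ip_pool_update(name, projects, previous_pools[name])
+ floating_ip_pool_update(
+ name, projects, previous_pools[name])
 
 leader_set({"floating-ip-pools": floating_pools})
 
+
 def configure_ssl():
 cert = config.get("ssl-ca")
 if cert:
@@ -268,6 +325,7 @@
 if remove_ssl_ca_certificate():
 service_restart("supervisor-config")
 
+
 @hooks.hook("contrail-analytics-api-relation-changed")
 def contrail_analytics_api_changed():
 if not relation_get("port"):
@@ -275,27 +333,33 @@
 return
 contrail_analytics_api_relation()
 
+
 @hooks.hook("contrail-analytics-api-relation-departed")
 @hooks.hook("contrail-analytics-api-relation-broken")
-@restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+@restart_on_change(
+ {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def contrail_analytics_api_relation():
 write_contrail_svc_monitor_config()
 
+
 @hooks.hook("contrail-api-relation-joined")
 def contrail_api_joined():
 if config_get("contrail-api-configured"):
- settings = { "private-address": control_network_ip(),
- "port": api_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": api_port(),
+ "vip": config.get("vip")}
+ add_rbac_settings(settings)
 relation_set(relation_settings=settings)
 
+
 @hooks.hook("contrail-discovery-relation-joined")
 def contrail_discovery_joined():
- settings = { "private-address": control_network_ip(),
- "port": discovery_port(),
- "vip": config.get("vip") }
+ settings = {"private-address": control_network_ip(),
+ "port": discovery_port(),
+ "vip": config.get("vip")}
 relation_set(relation_settings=settings)
 
+
 @hooks.hook("contrail-ifmap-relation-joined")
 def contrail_ifmap_joined():
 if is_leader():
@@ -303,12 +367,12 @@
 creds = json.loads(creds) if creds else {}
 
 # prune credentials because we can't remove them directly lp #1469731
- creds = { rid: { unit: units[unit]
- for unit, units in
- ((unit, creds[rid]) for unit in related_units(rid))
- if unit in units }
- for rid in relation_ids("contrail-ifmap")
- if rid in creds }
+ creds = {rid: {unit: units[unit]
+ for unit, units in
+ ((unit, creds[rid]) for unit in related_units(rid))
+ if unit in units}
+ for rid in relation_ids("contrail-ifmap")
+ if rid in creds}
 
 rid = relation_id()
 if rid not in creds:
@@ -318,12 +382,13 @@
 if unit in cs:
 return
 # generate new credentials for unit
- cs[unit] = { "username": unit, "password": pwgen(32) }
+ cs[unit] = {"username": unit, "password": pwgen(32)}
 leader_set({"ifmap-creds": json.dumps(creds)})
 write_ifmap_config()
 service_restart("supervisor-config")
 relation_set(creds=json.dumps(cs))
 
+
 def floating_ip_pool_create(name, projects):
 # create pool
 fq_network = "default-domain:" + ":".join(name[:2])
@@ -335,6 +400,7 @@
 fq_project = "default-domain:" + project
 contrail_floating_ip_use(fq_project, fq_pool_name)
 
+
 def floating_ip_pool_delete(name, projects):
 # deactivate pool for projects
 fq_pool_name = "default-domain:" + ":".join(name)
@@ -346,6 +412,7 @@
 fq_network = "default-domain:" + ":".join(name[:2])
 contrail_floating_ip_delete(fq_network, name[2])
 
+
 def floating_ip_pool_update(name, projects, previous_projects):
 fq_pool_name = "default-domain:" + ":".join(name)
 
@@ -359,24 +426,39 @@
 fq_project = "default-domain:" + project
 contrail_floating_ip_use(fq_project, fq_pool_name)
 
+
 def http_services():
 name = local_unit().replace("/", "-")
 addr = control_network_ip()
- return [ { "service_name": "contrail-api",
- "service_host": "0.0.0.0",
- "service_port": 8082,
- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ],
- "servers": [ [ name, addr, api_port(), "check port 8084" ] ] },
- { "service_name": "contrail-discovery",
- "service_host": "0.0.0.0",
- "service_port": 5998,
- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ],
- "servers": [ [ name, addr, discovery_port(), "check" ] ] } ]
+ return [{"service_name": "contrail-api",
+ "service_host": "0.0.0.0",
+ "service_port": 8082,
+ "service_options": ["mode http",
+ "balance leastconn",
+ "option httpchk GET "
+ "/Snh_SandeshUVECacheReq?x=NodeStatus "
+ "HTTP/1.0"],
+ "servers": [[name,
+ addr,
+ api_port(),
+ "check port 8084"]]},
+ {"service_name": "contrail-discovery",
+ "service_host": "0.0.0.0",
+ "service_port": 5998,
+ "service_options": ["mode http",
+ "balance leastconn",
+ "option httpchk GET /services HTTP/1.0"],
+ "servers": [[name,
+ addr,
+ discovery_port(),
+ "check"]]}]
+
 
 @hooks.hook("http-services-relation-joined")
 def http_services_joined():
 relation_set(services=yaml.dump(http_services()))
 
+
 @hooks.hook("identity-admin-relation-changed")
 def identity_admin_changed():
 if not relation_get("service_hostname"):
@@ -387,6 +469,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("identity-admin-relation-departed")
 @hooks.hook("identity-admin-relation-broken")
 def identity_admin_departed():
@@ -396,19 +479,24 @@
 config["identity-admin-ready"] = False
 identity_admin_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
 def identity_admin_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 write_vnc_api_config()
+ write_admin_oscreds_config()
 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
 write_barbican_auth_config()
 
+
 @hooks.hook("identity-service-relation-joined")
 def identity_service_joined():
 vip = config.get("vip")
@@ -419,6 +507,7 @@
 internal_url=url,
 admin_url=url)
 
+
 @hooks.hook()
 def install():
 configure_installation_source(config["openstack-origin"])
@@ -437,8 +526,10 @@
 write_nodemgr_config()
 service_restart("contrail-config-nodemgr")
 
+
 @hooks.hook("leader-settings-changed")
-@restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
+@restart_on_change(
+ {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
 def leader_changed():
 write_ifmap_config()
 creds = leader_get("ifmap-creds")
@@ -448,12 +539,14 @@
 if rid in creds:
 relation_set(relation_id=rid, creds=json.dumps(creds[rid]))
 
+
 def main():
 try:
 hooks.execute(sys.argv)
 except UnregisteredHookError as e:
 log("Unknown hook {} - skipping.".format(e))
 
+
 @hooks.hook("neutron-metadata-relation-changed")
 def neutron_metadata_changed():
 if not relation_get("shared-secret"):
@@ -462,6 +555,7 @@
 config["neutron-metadata-ready"] = True
 add_metadata()
 
+
 @hooks.hook("neutron-metadata-relation-departed")
 @hooks.hook("neutron-metadata-relation-broken")
 def neutron_metadata_departed():
@@ -469,6 +563,7 @@
 remove_metadata()
 config["neutron-metadata-ready"] = False
 
+
 def remove_contrail_api():
 if config_get("contrail-api-configured"):
 # unprovision configuration on 3.0.2.0+
@@ -476,6 +571,7 @@
 unprovision_configuration()
 config["contrail-api-configured"] = False
 
+
 def remove_metadata():
 if is_leader() and leader_get("metadata-provisioned"):
 # impossible to know if current hook is firing because
@@ -484,6 +580,7 @@
 unprovision_metadata()
 leader_set({"metadata-provisioned": ""})
 
+
 @hooks.hook("upgrade-charm")
 def upgrade_charm():
 write_ifmap_config()
@@ -494,14 +591,19 @@
 write_device_manager_config()
 write_vnc_api_config()
 write_nodemgr_config()
+ write_admin_oscreds_config()
 service_restart("supervisor-config")
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
 def write_config():
 write_contrail_api_config()
 write_nodemgr_config()
 
+
 @hooks.hook("zookeeper-relation-changed")
 def zookeeper_changed():
 if not relation_get("port"):
@@ -512,6 +614,7 @@
 add_contrail_api()
 add_metadata()
 
+
 @hooks.hook("zookeeper-relation-departed")
 @hooks.hook("zookeeper-relation-broken")
 def zookeeper_departed():
@@ -521,12 +624,15 @@
 config["zookeeper-ready"] = False
 zookeeper_relation()
 
-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
- "/etc/contrail/discovery.conf": ["supervisor-config"]})
+
+@restart_on_change(
+ {
+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
 def zookeeper_relation():
 write_contrail_api_config()
 write_contrail_schema_config()
@@ -534,5 +640,6 @@
 write_contrail_svc_monitor_config()
 write_device_manager_config()
 
+
 if __name__ == "__main__":
 main()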
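Review bot: In `get_rbac_roles()` both `cloud-admin-role` and `global-read-only-role` fall back to the same value, the identity-admin relation's `service_tenant_name`, so with neither option set the read-only role published on the contrail-api relation has the same name as the full-access role, and that name is a tenant name rather than a role name. `contrail_ctx()` in hooks/contrail_configuration_utils.py reads the two options without this fallback, so the rendered contrail-api.conf and the relation data can disagree about which role is cloud admin. I would drop the fallback for the read-only role (`if val: rbac_roles[r] = val`) and resolve the roles in one place that both the template context and the relation settings use. The function also indexes `relation_ids("identity-admin")[0]` and `related_units(rid)[0]` unguarded; `config_changed()` checks `identity-admin-ready` first but `contrail_api_joined()` does not, so an IndexError is possible there unless `contrail-api-configured` already implies the relation, which this hunk does not show.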
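--- a/hooks/contrail_configuration_utils.py
+++ b/hooks/contrail_configuration_utils.py
@@ -40,6 +40,7 @@
 
 apt_pkg.init()
 
+
 def dpkg_version(pkg):
 try:
 return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip()
@@ -155,10 +156,16 @@
 
 def contrail_ctx():
 addr = control_network_ip()
+ rbac = config.get("rbac")
+ cloud_admin_role = config.get("cloud-admin-role")
+ global_read_only_role = config.get("global-read-only-role")
 return { "api_port": api_port(),
 "ifmap_server": addr,
 "disc_server": addr,
- "disc_port": discovery_port() }
+ "disc_port": discovery_port(),
+ "rbac": rbac,
+ "cloud_admin_role": cloud_admin_role,
+ "global_read_only_role": global_read_only_role }
 
 def contrail_floating_ip_create(network, name):
 user, password, tenant = [ (relation_get("service_username", unit, rid),
@@ -344,7 +351,9 @@
 "admin_user": relation_get("service_username", unit, rid),
 "admin_password": relation_get("service_password", unit, rid),
 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
- "auth_region": relation_get("service_region", unit, rid) }
+ "auth_region": relation_get("service_region", unit, rid),
+ "service_protocol": relation_get("service_protocol", unit, rid),
+ "api_version": relation_get("api_version", unit, rid)}
 for rid in relation_ids("identity-admin")
 for unit, hostname in
 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
@@ -555,6 +564,11 @@
 ctx.update(identity_admin_ctx())
 render("vnc_api_lib.ini", "/etc/contrail/vnc_api_lib.ini", ctx)
 
+def write_admin_oscreds_config():
+ ctx = {}
+ ctx.update(identity_admin_ctx())
+ render("admin-oscreds-v2.yaml", '/root/admin-oscreds-v2.yaml', ctx)
+
 def zookeeper_ctx():
 return { "zk_servers": [ (host if host \
 else gethostbyname(relation_get("private-address", unit, rid)))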
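Review bot: `write_admin_oscreds_config()` writes the keystone admin credentials from `identity_admin_ctx()` (including `admin_password`) to `/root/admin-oscreds-v2.yaml` without passing a file mode to `render()`. If `render` is the charmhelpers templating helper, its default mode is 0o444, so the file is protected only by the mode of `/root`; pass the mode explicitly, `render("admin-oscreds-v2.yaml", '/root/admin-oscreds-v2.yaml', ctx, perms=0o400)`. The `admin-oscreds-v2.yaml` template is not among the four files in this proposal's diffstat, so confirm it already exists on the target branch. A short docstring naming the consumer of this file would let later reviewers judge whether the credentials need to be on disk at all.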
650=== added symlink 'hooks/identity-credentials-relation-changed'
651=== target is u'contrail_configuration_hooks.py'
652=== added symlink 'hooks/identity-credentials-relation-joined'
653=== target is u'contrail_configuration_hooks.py'
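--- a/templates/contrail-api.conf
+++ b/templates/contrail-api.conf
@@ -10,7 +10,16 @@
 ifmap_password = api-server
 cassandra_server_list = {{ cassandra_servers|join(" ") }}
 auth = keystone
-multi_tenancy = True
+
+{% if rbac -%}
+aaa_mode = rbac
+{% else -%}
+multi_tenancy = true
+{% endif -%}
+
+cloud_admin_role = {{ cloud_admin_role }}
+global_read_only_role = {{ global_read_only_role }}
+
 disc_server_ip = {{ disc_server }}
 disc_server_port = {{ disc_port }}
 zk_server_ip = {{ zk_servers|join(",") }}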
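Review bot: `cloud_admin_role` and `global_read_only_role` are rendered unconditionally, but `contrail_ctx()` fills them with `config.get(...)` and neither option has a default in config.yaml, so an unset option is rendered by Jinja2 as the literal text `None`. contrail-api.conf would then name a role called `None` as cloud admin; how contrail-api interprets that is not visible here, so it should not be relied on. Wrap each line in its own guard, e.g. `{% if cloud_admin_role -%}` … `{% endif -%}`, and emit them only inside the `rbac` branch if they have no meaning otherwise. The non-rbac branch also changes `multi_tenancy = True` to `true`; confirm the parser accepts the lower-case form.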
