Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk

Proposed by Dmitrii Shcherbakov
Status: Merged
Merged at revision: 68
Proposed branch: lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Merge into: lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Diff against target: 655 lines (+202/-70)
4 files modified
config.yaml (+10/-0)
hooks/contrail_configuration_hooks.py (+171/-67)
hooks/contrail_configuration_utils.py (+11/-2)
templates/contrail-api.conf (+10/-1)
To merge this branch: bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Ante Karamatić Pending
Review via email: mp+320826@code.launchpad.net

This proposal supersedes a proposal from 2017-03-19.

Description of the change

rbac support (rebased)

Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

See my comment

review: Needs Fixing
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

One more comment

review: Needs Fixing
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

I haven't investigated in detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/contrail-analytics-api.conf, which in turn means that contrail-analytics is not functional.

Dmitrii Shcherbakov (dmitriis) wrote : Posted in a previous version of this proposal

Ante,

Not sure about api_server - no modifications for that in my MP.

https://code.launchpad.net/~dmitriis/charms/trusty/contrail-analytics/trunk/+merge/320154

Have to investigate why.

Have you tried it without my patch or just with the patch?

If not, we can try it without a patch first to figure out if I introduced a regression or not.

Bernhard Koessler (bkoessler) wrote : Posted in a previous version of this proposal

I would recommend not using multi_tenancy anymore going forward.

aaa_mode can be set to:

no-auth—No authentication is performed and full access is granted to all.
cloud-admin—Authentication is performed and only the admin role has access.
rbac—Authentication is performed and access is granted based on role.

cloud-admin would be the same behaviour as multi-tenancy=true

Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

Right, but charms need to support older versions also.

Dmitrii Shcherbakov (dmitriis) wrote :

Just noticed a piece of dead code for an action that we wanted to implement originally - uploaded an updated branch.

Robert Ayres (robert-ayres) wrote :

For this to get merged, please remove all the unnecessary formatting changes.

This diff should only contain the *actual* code changes.

Dmitrii Shcherbakov (dmitriis) wrote :
Robert Ayres (robert-ayres) wrote :

I appreciate the lint comment, but it would be better if changes to pass lint tests were in a separate patch.

Robert Ayres (robert-ayres) wrote :

To save effort, we can just look at merging r67 here.

Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

1=== modified file 'config.yaml'
2--- config.yaml 2017-03-10 12:49:07 +0000
3+++ config.yaml 2017-03-23 15:13:02 +0000
4@@ -59,3 +59,13 @@
5 type: int
6 default: 1
7 description: Minimum number of units required in cassandra relation
8+ rbac:
9+ type: boolean
10+ default: true
11+ description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer
12+ cloud-admin-role:
13+ type: string
14+ description: A user who is assigned the cloud_admin_role has full access to everything.
15+ global-read-only-role:
16+ type: string
17+ description: This role allows read-only access to all Contrail resources. Must be configured in keystone.
18
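Review bot: `rbac` defaults to `true` although its own description says the feature is only supported in Contrail 3.2 and newer, and nothing visible in this diff checks CONTRAIL_VERSION before the template emits `aaa_mode = rbac`. A deployment of an older release that upgrades the charm would get the new setting without opting in. Consider `default: false`, or gate the option on the version the way the hooks already use `version_compare(CONTRAIL_VERSION, ...)`. The description should also say role-based access control rather than authentication, and the two role options would be clearer with an explicit `default:` and a sentence on what is used when they are left unset.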
19=== modified file 'hooks/contrail_configuration_hooks.py'
20--- hooks/contrail_configuration_hooks.py 2017-03-10 12:49:07 +0000
21+++ hooks/contrail_configuration_hooks.py 2017-03-23 15:13:02 +0000
22@@ -1,6 +1,5 @@
23 #!/usr/bin/env python
24
25-from socket import gethostbyname
26 import sys
27
28 from apt_pkg import version_compare
29@@ -24,7 +23,6 @@
30 relation_ids,
31 relation_set,
32 remote_unit,
33- unit_get
34 )
35
36 from charmhelpers.core.host import (
37@@ -68,17 +66,44 @@
38 write_ifmap_config,
39 write_nodemgr_config,
40 write_ssl_ca_certificate,
41- write_vnc_api_config
42+ write_vnc_api_config,
43 )
44
45-PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack",
46- "neutron-common", "contrail-utils", "contrail-nodemgr" ]
47-
48-PACKAGES_BARBICAN = [ "python-barbicanclient" ]
49+PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack",
50+ "neutron-common", "contrail-utils", "contrail-nodemgr"]
51+
52+PACKAGES_BARBICAN = ["python-barbicanclient"]
53+
54+CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role']
55
56 hooks = Hooks()
57 config = config()
58
59+
60+def get_rbac_roles():
61+ rid = relation_ids("identity-admin")[0]
62+ unit = related_units(rid)[0]
63+ default_role = relation_get(attribute='service_tenant_name',
64+ rid=rid, unit=unit)
65+ rbac_roles = {}
66+ for r in CONFIG_ROLES:
67+ val = config.get(r)
68+ rbac_roles[r] = val if val else default_role
69+ return rbac_roles
70+
71+
72+def add_rbac_settings(d):
73+ rbac = config.get('rbac')
74+ # update the rbac settings unconditionally
75+ # we do need to signal the change of relation data
76+ if rbac:
77+ d['rbac'] = rbac
78+ d.update(get_rbac_roles())
79+ else:
80+ d['rbac'] = None
81+ d.update({k: None for k in CONFIG_ROLES})
82+
83+
84 def add_contrail_api():
85 # check relation dependencies
86 if not config_get("contrail-api-configured") \
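Review bot: in `get_rbac_roles()`, `relation_ids("identity-admin")[0]` and `related_units(rid)[0]` raise IndexError when the relation is missing or has no units yet, and not every caller in this diff visibly checks `identity-admin-ready` first. Return early when either list is empty, or have `add_rbac_settings` skip the role lookup in that case. The fallback also takes `service_tenant_name`, which is a tenant name, and publishes it as the value of `cloud-admin-role`, the role that config.yaml describes as having full access to everything. If that is intended it needs a comment here and a mention in the option description; otherwise fall back to an explicit role name.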
87@@ -95,14 +120,18 @@
88 config["contrail-api-configured"] = True
89
90 # inform relations
91- settings = { "private-address": control_network_ip(),
92- "port": api_port(),
93- "vip": config.get("vip") }
94+ settings = {"private-address": control_network_ip(),
95+ "port": api_port(),
96+ "vip": config.get("vip")}
97+
98+ add_rbac_settings(settings)
99+
100 for rid in relation_ids("contrail-api"):
101 relation_set(relation_id=rid, relation_settings=settings)
102
103 configure_floating_ip_pools()
104
105+
106 def add_metadata():
107 # check relation dependencies
108 if is_leader() \
109@@ -112,6 +141,7 @@
110 provision_metadata()
111 leader_set({"metadata-provisioned": True})
112
113+
114 @hooks.hook("amqp-relation-changed")
115 def amqp_changed():
116 if not relation_get("password"):
117@@ -122,6 +152,7 @@
118 add_contrail_api()
119 add_metadata()
120
121+
122 @hooks.hook("amqp-relation-departed")
123 @hooks.hook("amqp-relation-broken")
124 def amqp_departed():
125@@ -131,10 +162,13 @@
126 config["amqp-ready"] = False
127 amqp_relation()
128
129-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
130- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
131- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
132- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
133+
134+@restart_on_change(
135+ {
136+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
137+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
138+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
139+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
140 def amqp_relation():
141 write_contrail_api_config()
142 write_contrail_svc_monitor_config()
143@@ -142,10 +176,12 @@
144 if version_compare(CONTRAIL_VERSION, "3.0") >= 0:
145 write_contrail_schema_config()
146
147+
148 @hooks.hook("amqp-relation-joined")
149 def amqp_joined():
150 relation_set(username="contrail", vhost="contrail")
151
152+
153 @hooks.hook("cassandra-relation-changed")
154 def cassandra_changed():
155 # 'port' is used in legacy precise charm
156@@ -156,13 +192,15 @@
157 units = len(cassandra_units())
158 required = config["cassandra-units"]
159 if units < required:
160- log("{} cassandra unit(s) ready, require {} more".format(units, required - units))
161+ log("{} cassandra unit(s) ready, require {} more".format(
162+ units, required - units))
163 return
164 config["cassandra-ready"] = True
165 cassandra_relation()
166 add_contrail_api()
167 add_metadata()
168
169+
170 @hooks.hook("cassandra-relation-departed")
171 @hooks.hook("cassandra-relation-broken")
172 def cassandra_departed():
173@@ -172,12 +210,15 @@
174 config["cassandra-ready"] = False
175 cassandra_relation()
176
177-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
178- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
179- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
180- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
181- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
182- "/etc/contrail/discovery.conf": ["supervisor-config"]})
183+
184+@restart_on_change(
185+ {
186+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
187+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
188+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
189+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
190+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
191+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
192 def cassandra_relation():
193 write_contrail_api_config()
194 write_contrail_schema_config()
195@@ -185,6 +226,7 @@
196 write_contrail_svc_monitor_config()
197 write_device_manager_config()
198
199+
200 @hooks.hook("config-changed")
201 def config_changed():
202 write_config()
203@@ -197,8 +239,14 @@
204
205 ip = control_network_ip()
206 vip = config.get("vip")
207- settings = { "private-address": ip,
208- "vip": vip }
209+ settings = {"private-address": ip,
210+ "vip": vip}
211+
212+ # a role fetched from keystone is used as a fallback
213+ # hence we have to check if this relation is established
214+ if config_get("identity-admin-ready"):
215+ add_rbac_settings(settings)
216+
217 for rid in relation_ids("contrail-api"):
218 relation_set(relation_id=rid, relation_settings=settings)
219 for rid in relation_ids("contrail-discovery"):
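Review bot: the `if config_get("identity-admin-ready"):` guard skips `add_rbac_settings(settings)` entirely, including its else branch that sets `rbac` and the role keys to None. If an operator turns `rbac` off while the identity-admin relation is not ready, the contrail-api relation keeps whatever rbac values were published earlier. Only the role lookup needs keystone, so move the readiness check into `add_rbac_settings` (or `get_rbac_roles`) and let the disable path run unconditionally.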
220@@ -217,12 +265,14 @@
221 for rid in relation_ids("http-services"):
222 relation_set(relation_id=rid, services=services)
223
224+
225 def config_get(key):
226 try:
227 return config[key]
228 except KeyError:
229 return None
230
231+
232 def configure_control_network():
233 # unprovision/provision configuration on 3.0.2.0+
234 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
235@@ -230,6 +280,7 @@
236 unprovision_configuration()
237 provision_configuration()
238
239+
240 def configure_floating_ip_pools():
241 if is_leader():
242 floating_pools = config.get("floating-ip-pools")
243@@ -237,16 +288,19 @@
244 if floating_pools != previous_floating_pools:
245 # create/destroy pools, activate/deactivate projects
246 # according to new value
247- pools = { (pool["project"],
248- pool["network"],
249- pool["pool-name"]): set(pool["target-projects"])
250- for pool in yaml.safe_load(floating_pools) } \
251- if floating_pools else {}
252+ pools = {(pool["project"],
253+ pool["network"],
254+ pool["pool-name"]): set(pool["target-projects"])
255+ for pool in yaml.safe_load(floating_pools)} \
256+ if floating_pools else {}
257 previous_pools = {}
258 if previous_floating_pools:
259 for pool in yaml.safe_load(previous_floating_pools):
260 projects = pool["target-projects"]
261- name = (pool["project"], pool["network"], pool["pool-name"])
262+ name = (
263+ pool["project"],
264+ pool["network"],
265+ pool["pool-name"])
266 if name in pools:
267 previous_pools[name] = set(projects)
268 else:
269@@ -255,10 +309,12 @@
270 if name not in previous_pools:
271 floating_ip_pool_create(name, projects)
272 else:
273- floating_ip_pool_update(name, projects, previous_pools[name])
274+ floating_ip_pool_update(
275+ name, projects, previous_pools[name])
276
277 leader_set({"floating-ip-pools": floating_pools})
278
279+
280 def configure_ssl():
281 cert = config.get("ssl-ca")
282 if cert:
283@@ -268,6 +324,7 @@
284 if remove_ssl_ca_certificate():
285 service_restart("supervisor-config")
286
287+
288 @hooks.hook("contrail-analytics-api-relation-changed")
289 def contrail_analytics_api_changed():
290 if not relation_get("port"):
291@@ -275,27 +332,33 @@
292 return
293 contrail_analytics_api_relation()
294
295+
296 @hooks.hook("contrail-analytics-api-relation-departed")
297 @hooks.hook("contrail-analytics-api-relation-broken")
298-@restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
299+@restart_on_change(
300+ {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
301 def contrail_analytics_api_relation():
302 write_contrail_svc_monitor_config()
303
304+
305 @hooks.hook("contrail-api-relation-joined")
306 def contrail_api_joined():
307 if config_get("contrail-api-configured"):
308- settings = { "private-address": control_network_ip(),
309- "port": api_port(),
310- "vip": config.get("vip") }
311+ settings = {"private-address": control_network_ip(),
312+ "port": api_port(),
313+ "vip": config.get("vip")}
314+ add_rbac_settings(settings)
315 relation_set(relation_settings=settings)
316
317+
318 @hooks.hook("contrail-discovery-relation-joined")
319 def contrail_discovery_joined():
320- settings = { "private-address": control_network_ip(),
321- "port": discovery_port(),
322- "vip": config.get("vip") }
323+ settings = {"private-address": control_network_ip(),
324+ "port": discovery_port(),
325+ "vip": config.get("vip")}
326 relation_set(relation_settings=settings)
327
328+
329 @hooks.hook("contrail-ifmap-relation-joined")
330 def contrail_ifmap_joined():
331 if is_leader():
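Review bot: in `contrail_api_joined`, `add_rbac_settings(settings)` runs under the `contrail-api-configured` check only, while `config_changed` wraps the same call in `if config_get("identity-admin-ready"):` because the role fallback reads the identity-admin relation. Use the same guard in both places, or make `get_rbac_roles()` safe without the relation, so the joined and config-changed paths cannot diverge in what they publish.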
332@@ -303,12 +366,12 @@
333 creds = json.loads(creds) if creds else {}
334
335 # prune credentials because we can't remove them directly lp #1469731
336- creds = { rid: { unit: units[unit]
337- for unit, units in
338- ((unit, creds[rid]) for unit in related_units(rid))
339- if unit in units }
340- for rid in relation_ids("contrail-ifmap")
341- if rid in creds }
342+ creds = {rid: {unit: units[unit]
343+ for unit, units in
344+ ((unit, creds[rid]) for unit in related_units(rid))
345+ if unit in units}
346+ for rid in relation_ids("contrail-ifmap")
347+ if rid in creds}
348
349 rid = relation_id()
350 if rid not in creds:
351@@ -318,12 +381,13 @@
352 if unit in cs:
353 return
354 # generate new credentials for unit
355- cs[unit] = { "username": unit, "password": pwgen(32) }
356+ cs[unit] = {"username": unit, "password": pwgen(32)}
357 leader_set({"ifmap-creds": json.dumps(creds)})
358 write_ifmap_config()
359 service_restart("supervisor-config")
360 relation_set(creds=json.dumps(cs))
361
362+
363 def floating_ip_pool_create(name, projects):
364 # create pool
365 fq_network = "default-domain:" + ":".join(name[:2])
366@@ -335,6 +399,7 @@
367 fq_project = "default-domain:" + project
368 contrail_floating_ip_use(fq_project, fq_pool_name)
369
370+
371 def floating_ip_pool_delete(name, projects):
372 # deactivate pool for projects
373 fq_pool_name = "default-domain:" + ":".join(name)
374@@ -346,6 +411,7 @@
375 fq_network = "default-domain:" + ":".join(name[:2])
376 contrail_floating_ip_delete(fq_network, name[2])
377
378+
379 def floating_ip_pool_update(name, projects, previous_projects):
380 fq_pool_name = "default-domain:" + ":".join(name)
381
382@@ -359,24 +425,39 @@
383 fq_project = "default-domain:" + project
384 contrail_floating_ip_use(fq_project, fq_pool_name)
385
386+
387 def http_services():
388 name = local_unit().replace("/", "-")
389 addr = control_network_ip()
390- return [ { "service_name": "contrail-api",
391- "service_host": "0.0.0.0",
392- "service_port": 8082,
393- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ],
394- "servers": [ [ name, addr, api_port(), "check port 8084" ] ] },
395- { "service_name": "contrail-discovery",
396- "service_host": "0.0.0.0",
397- "service_port": 5998,
398- "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ],
399- "servers": [ [ name, addr, discovery_port(), "check" ] ] } ]
400+ return [{"service_name": "contrail-api",
401+ "service_host": "0.0.0.0",
402+ "service_port": 8082,
403+ "service_options": ["mode http",
404+ "balance leastconn",
405+ "option httpchk GET "
406+ "/Snh_SandeshUVECacheReq?x=NodeStatus "
407+ "HTTP/1.0"],
408+ "servers": [[name,
409+ addr,
410+ api_port(),
411+ "check port 8084"]]},
412+ {"service_name": "contrail-discovery",
413+ "service_host": "0.0.0.0",
414+ "service_port": 5998,
415+ "service_options": ["mode http",
416+ "balance leastconn",
417+ "option httpchk GET /services HTTP/1.0"],
418+ "servers": [[name,
419+ addr,
420+ discovery_port(),
421+ "check"]]}]
422+
423
424 @hooks.hook("http-services-relation-joined")
425 def http_services_joined():
426 relation_set(services=yaml.dump(http_services()))
427
428+
429 @hooks.hook("identity-admin-relation-changed")
430 def identity_admin_changed():
431 if not relation_get("service_hostname"):
432@@ -387,6 +468,7 @@
433 add_contrail_api()
434 add_metadata()
435
436+
437 @hooks.hook("identity-admin-relation-departed")
438 @hooks.hook("identity-admin-relation-broken")
439 def identity_admin_departed():
440@@ -396,10 +478,13 @@
441 config["identity-admin-ready"] = False
442 identity_admin_relation()
443
444-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
445- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
446- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
447- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
448+
449+@restart_on_change(
450+ {
451+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
452+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
453+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
454+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
455 def identity_admin_relation():
456 write_contrail_api_config()
457 write_contrail_schema_config()
458@@ -409,6 +494,7 @@
459 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
460 write_barbican_auth_config()
461
462+
463 @hooks.hook("identity-service-relation-joined")
464 def identity_service_joined():
465 vip = config.get("vip")
466@@ -419,6 +505,7 @@
467 internal_url=url,
468 admin_url=url)
469
470+
471 @hooks.hook()
472 def install():
473 configure_installation_source(config["openstack-origin"])
474@@ -437,8 +524,10 @@
475 write_nodemgr_config()
476 service_restart("contrail-config-nodemgr")
477
478+
479 @hooks.hook("leader-settings-changed")
480-@restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
481+@restart_on_change(
482+ {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
483 def leader_changed():
484 write_ifmap_config()
485 creds = leader_get("ifmap-creds")
486@@ -448,12 +537,14 @@
487 if rid in creds:
488 relation_set(relation_id=rid, creds=json.dumps(creds[rid]))
489
490+
491 def main():
492 try:
493 hooks.execute(sys.argv)
494 except UnregisteredHookError as e:
495 log("Unknown hook {} - skipping.".format(e))
496
497+
498 @hooks.hook("neutron-metadata-relation-changed")
499 def neutron_metadata_changed():
500 if not relation_get("shared-secret"):
501@@ -462,6 +553,7 @@
502 config["neutron-metadata-ready"] = True
503 add_metadata()
504
505+
506 @hooks.hook("neutron-metadata-relation-departed")
507 @hooks.hook("neutron-metadata-relation-broken")
508 def neutron_metadata_departed():
509@@ -469,6 +561,7 @@
510 remove_metadata()
511 config["neutron-metadata-ready"] = False
512
513+
514 def remove_contrail_api():
515 if config_get("contrail-api-configured"):
516 # unprovision configuration on 3.0.2.0+
517@@ -476,6 +569,7 @@
518 unprovision_configuration()
519 config["contrail-api-configured"] = False
520
521+
522 def remove_metadata():
523 if is_leader() and leader_get("metadata-provisioned"):
524 # impossible to know if current hook is firing because
525@@ -484,6 +578,7 @@
526 unprovision_metadata()
527 leader_set({"metadata-provisioned": ""})
528
529+
530 @hooks.hook("upgrade-charm")
531 def upgrade_charm():
532 write_ifmap_config()
533@@ -496,12 +591,16 @@
534 write_nodemgr_config()
535 service_restart("supervisor-config")
536
537-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
538- "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
539+
540+@restart_on_change(
541+ {
542+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
543+ "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
544 def write_config():
545 write_contrail_api_config()
546 write_nodemgr_config()
547
548+
549 @hooks.hook("zookeeper-relation-changed")
550 def zookeeper_changed():
551 if not relation_get("port"):
552@@ -512,6 +611,7 @@
553 add_contrail_api()
554 add_metadata()
555
556+
557 @hooks.hook("zookeeper-relation-departed")
558 @hooks.hook("zookeeper-relation-broken")
559 def zookeeper_departed():
560@@ -521,12 +621,15 @@
561 config["zookeeper-ready"] = False
562 zookeeper_relation()
563
564-@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],
565- "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
566- "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
567- "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
568- "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
569- "/etc/contrail/discovery.conf": ["supervisor-config"]})
570+
571+@restart_on_change(
572+ {
573+ "/etc/contrail/contrail-api.conf": ["supervisor-config"],
574+ "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
575+ "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
576+ "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
577+ "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
578+ "/etc/contrail/discovery.conf": ["supervisor-config"]})
579 def zookeeper_relation():
580 write_contrail_api_config()
581 write_contrail_schema_config()
582@@ -534,5 +637,6 @@
583 write_contrail_svc_monitor_config()
584 write_device_manager_config()
585
586+
587 if __name__ == "__main__":
588 main()
589
590=== modified file 'hooks/contrail_configuration_utils.py'
591--- hooks/contrail_configuration_utils.py 2017-03-10 12:49:07 +0000
592+++ hooks/contrail_configuration_utils.py 2017-03-23 15:13:02 +0000
593@@ -40,6 +40,7 @@
594
595 apt_pkg.init()
596
597+
598 def dpkg_version(pkg):
599 try:
600 return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip()
601@@ -155,10 +156,16 @@
602
603 def contrail_ctx():
604 addr = control_network_ip()
605+ rbac = config.get("rbac")
606+ cloud_admin_role = config.get("cloud-admin-role")
607+ global_read_only_role = config.get("global-read-only-role")
608 return { "api_port": api_port(),
609 "ifmap_server": addr,
610 "disc_server": addr,
611- "disc_port": discovery_port() }
612+ "disc_port": discovery_port(),
613+ "rbac": rbac,
614+ "cloud_admin_role": cloud_admin_role,
615+ "global_read_only_role": global_read_only_role }
616
617 def contrail_floating_ip_create(network, name):
618 user, password, tenant = [ (relation_get("service_username", unit, rid),
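Review bot: `contrail_ctx()` passes `config.get("cloud-admin-role")` and `config.get("global-read-only-role")` to the template as they are, without the `service_tenant_name` fallback that `get_rbac_roles()` applies for relation data. With the options unset, related units are told one role name while the local contrail-api.conf is rendered from None. Build both from one helper so the API server and the units consuming the relation agree on the role names.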
619@@ -344,7 +351,9 @@
620 "admin_user": relation_get("service_username", unit, rid),
621 "admin_password": relation_get("service_password", unit, rid),
622 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
623- "auth_region": relation_get("service_region", unit, rid) }
624+ "auth_region": relation_get("service_region", unit, rid),
625+ "service_protocol": relation_get("service_protocol", unit, rid),
626+ "api_version": relation_get("api_version", unit, rid)}
627 for rid in relation_ids("identity-admin")
628 for unit, hostname in
629 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
630
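Review bot: the new `service_protocol` and `api_version` keys are not referenced by any template change in this diff, and `relation_get` returns None for them when the keystone side does not publish these attributes. Either include the template lines that consume them in this proposal, with a default for the None case, or drop the two keys until they are used.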
631=== added symlink 'hooks/identity-credentials-relation-changed'
632=== target is u'contrail_configuration_hooks.py'
633=== added symlink 'hooks/identity-credentials-relation-joined'
634=== target is u'contrail_configuration_hooks.py'
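Review bot: the two `identity-credentials-relation-*` symlinks are added, but no `@hooks.hook("identity-credentials-relation-joined")` or `-changed` handler appears in the hooks file diff, and metadata.yaml is not among the four modified files. If these hooks ever fired, `main()` would catch UnregisteredHookError and only log "Unknown hook ... - skipping.". Remove the symlinks if they are leftovers, or add the relation and its handlers in this proposal.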
635=== modified file 'templates/contrail-api.conf'
636--- templates/contrail-api.conf 2017-01-31 12:51:09 +0000
637+++ templates/contrail-api.conf 2017-03-23 15:13:02 +0000
638@@ -10,7 +10,16 @@
639 ifmap_password = api-server
640 cassandra_server_list = {{ cassandra_servers|join(" ") }}
641 auth = keystone
642-multi_tenancy = True
643+
644+{% if rbac -%}
645+aaa_mode = rbac
646+{% else -%}
647+multi_tenancy = true
648+{% endif -%}
649+
650+cloud_admin_role = {{ cloud_admin_role }}
651+global_read_only_role = {{ global_read_only_role }}
652+
653 disc_server_ip = {{ disc_server }}
654 disc_server_port = {{ disc_port }}
655 zk_server_ip = {{ zk_servers|join(",") }}
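Review bot: `cloud_admin_role` and `global_read_only_role` sit outside the `{% if rbac -%}` block, so they are written even when rbac is off, and an unset option renders as the literal string None. Move them inside the rbac branch and wrap each in its own `{% if ... %}` so an unset role emits no line. The else branch also changes the existing `multi_tenancy = True` to `multi_tenancy = true`; keep the original spelling unless the lower-case form is confirmed to parse the same way on the older releases this charm still has to support.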
