Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
| Field | Value |
|---|---|
| Status | Merged |
| Merged at revision | 68 |
| Proposed branch | lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
| Merge into | lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk |
| Diff against target | 655 lines (+202/-70), 4 files modified: config.yaml (+10/-0), hooks/contrail_configuration_hooks.py (+171/-67), hooks/contrail_configuration_utils.py (+11/-2), templates/contrail-api.conf (+10/-1) |
| To merge this branch | bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Ayres (community) | Approve | ||
Ante Karamatić | Pending | ||
Review via email: mp+320826@code.launchpad.net |
This proposal supersedes a proposal from 2017-03-19.
Commit message
Description of the change
rbac support (rebased)
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
One more comment
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
I haven't investigated in detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/
Dmitrii Shcherbakov (dmitriis) wrote : Posted in a previous version of this proposal | # |
Ante,
Not sure about api_server - no modifications for that in my MP.
https:/
Have to investigate why.
Have you tried it without my patch or just with the patch?
If not, we can try it without a patch first to figure out if I introduced a regression or not.
Bernhard Koessler (bkoessler) wrote : Posted in a previous version of this proposal | # |
I would recommend not using multi_tenancy anymore going forward.
aaa_mode can be set to:
no-auth—No authentication is performed and full access is granted to all.
cloud-admin—
rbac—Authentication is performed and access is granted based on role.
cloud-admin would be the same behaviour as multi-tenancy=true
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal | # |
Right, but charms need to support older versions also.
Dmitrii Shcherbakov (dmitriis) wrote : | # |
Just noticed a piece of dead code for an action that we wanted to implement originally - uploaded an updated branch.
Robert Ayres (robert-ayres) wrote : | # |
For this to get merged, please remove all the unnecessary formatting changes.
This diff should only contain the *actual* code changes.
Dmitrii Shcherbakov (dmitriis) wrote : | # |
Robert,
They were separated into two revisions intentionally and it is possible to view the individual diffs.
https:/
https:/
Lint checks are a normal part of the charm dev process so I think it is worthwhile that they pass:
https:/
https:/
Robert Ayres (robert-ayres) wrote : | # |
I appreciate the lint comment, but it would be better if changes to pass lint tests were in a separate patch.
Robert Ayres (robert-ayres) wrote : | # |
To save effort, we can just look at merging r67 here.
Robert Ayres (robert-ayres) : | # |
Preview Diff
1 | === modified file 'config.yaml' |
2 | --- config.yaml 2017-03-10 12:49:07 +0000 |
3 | +++ config.yaml 2017-03-23 15:13:02 +0000 |
4 | @@ -59,3 +59,13 @@ |
5 | type: int |
6 | default: 1 |
7 | description: Minimum number of units required in cassandra relation |
8 | + rbac: |
9 | + type: boolean |
10 | + default: true |
11 | + description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer |
12 | + cloud-admin-role: |
13 | + type: string |
14 | + description: A user who is assigned the cloud_admin_role has full access to everything. |
15 | + global-read-only-role: |
16 | + type: string |
17 | + description: This role allows read-only access to all Contrail resources. Must be configured in keystone. |
18 | |
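Review bot: `rbac` is declared with `default: true` although its own description says it is only supported in Contrail 3.2 and newer, so deploying or upgrading this charm against an older release changes the auth setting without the operator opting in. Consider `default: false`, or gate the option on the detected Contrail version in the hooks. `cloud-admin-role` and `global-read-only-role` have no `default:` and their descriptions do not say what applies when they are unset; document the fallback to the keystone `service_tenant_name` that `get_rbac_roles()` uses.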
19 | === modified file 'hooks/contrail_configuration_hooks.py' |
20 | --- hooks/contrail_configuration_hooks.py 2017-03-10 12:49:07 +0000 |
21 | +++ hooks/contrail_configuration_hooks.py 2017-03-23 15:13:02 +0000 |
22 | @@ -1,6 +1,5 @@ |
23 | #!/usr/bin/env python |
24 | |
25 | -from socket import gethostbyname |
26 | import sys |
27 | |
28 | from apt_pkg import version_compare |
29 | @@ -24,7 +23,6 @@ |
30 | relation_ids, |
31 | relation_set, |
32 | remote_unit, |
33 | - unit_get |
34 | ) |
35 | |
36 | from charmhelpers.core.host import ( |
37 | @@ -68,17 +66,44 @@ |
38 | write_ifmap_config, |
39 | write_nodemgr_config, |
40 | write_ssl_ca_certificate, |
41 | - write_vnc_api_config |
42 | + write_vnc_api_config, |
43 | ) |
44 | |
45 | -PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack", |
46 | - "neutron-common", "contrail-utils", "contrail-nodemgr" ] |
47 | - |
48 | -PACKAGES_BARBICAN = [ "python-barbicanclient" ] |
49 | +PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack", |
50 | + "neutron-common", "contrail-utils", "contrail-nodemgr"] |
51 | + |
52 | +PACKAGES_BARBICAN = ["python-barbicanclient"] |
53 | + |
54 | +CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role'] |
55 | |
56 | hooks = Hooks() |
57 | config = config() |
58 | |
59 | + |
60 | +def get_rbac_roles(): |
61 | + rid = relation_ids("identity-admin")[0] |
62 | + unit = related_units(rid)[0] |
63 | + default_role = relation_get(attribute='service_tenant_name', |
64 | + rid=rid, unit=unit) |
65 | + rbac_roles = {} |
66 | + for r in CONFIG_ROLES: |
67 | + val = config.get(r) |
68 | + rbac_roles[r] = val if val else default_role |
69 | + return rbac_roles |
70 | + |
71 | + |
72 | +def add_rbac_settings(d): |
73 | + rbac = config.get('rbac') |
74 | + # update the rbac settings unconditionally |
75 | + # we do need to signal the change of relation data |
76 | + if rbac: |
77 | + d['rbac'] = rbac |
78 | + d.update(get_rbac_roles()) |
79 | + else: |
80 | + d['rbac'] = None |
81 | + d.update({k: None for k in CONFIG_ROLES}) |
82 | + |
83 | + |
84 | def add_contrail_api(): |
85 | # check relation dependencies |
86 | if not config_get("contrail-api-configured") \ |
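Review bot: in `get_rbac_roles()`, `relation_ids("identity-admin")[0]` and `related_units(rid)[0]` raise IndexError when the relation or its units are absent, so every caller has to guarantee that identity-admin is established; guard inside the function and return early instead. The fallback also assigns one value (`service_tenant_name`, which is a tenant name rather than a role name) to both `cloud-admin-role` and `global-read-only-role` when neither is configured, which makes the read-only role identical to the full-access role; require explicit values, or at least leave the read-only role unset. The comment in `add_rbac_settings()` says "unconditionally" directly above an `if rbac:` branch and should be reworded to say that the keys are always published, with None when rbac is off.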
87 | @@ -95,14 +120,18 @@ |
88 | config["contrail-api-configured"] = True |
89 | |
90 | # inform relations |
91 | - settings = { "private-address": control_network_ip(), |
92 | - "port": api_port(), |
93 | - "vip": config.get("vip") } |
94 | + settings = {"private-address": control_network_ip(), |
95 | + "port": api_port(), |
96 | + "vip": config.get("vip")} |
97 | + |
98 | + add_rbac_settings(settings) |
99 | + |
100 | for rid in relation_ids("contrail-api"): |
101 | relation_set(relation_id=rid, relation_settings=settings) |
102 | |
103 | configure_floating_ip_pools() |
104 | |
105 | + |
106 | def add_metadata(): |
107 | # check relation dependencies |
108 | if is_leader() \ |
109 | @@ -112,6 +141,7 @@ |
110 | provision_metadata() |
111 | leader_set({"metadata-provisioned": True}) |
112 | |
113 | + |
114 | @hooks.hook("amqp-relation-changed") |
115 | def amqp_changed(): |
116 | if not relation_get("password"): |
117 | @@ -122,6 +152,7 @@ |
118 | add_contrail_api() |
119 | add_metadata() |
120 | |
121 | + |
122 | @hooks.hook("amqp-relation-departed") |
123 | @hooks.hook("amqp-relation-broken") |
124 | def amqp_departed(): |
125 | @@ -131,10 +162,13 @@ |
126 | config["amqp-ready"] = False |
127 | amqp_relation() |
128 | |
129 | -@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], |
130 | - "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
131 | - "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
132 | - "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
133 | + |
134 | +@restart_on_change( |
135 | + { |
136 | + "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
137 | + "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
138 | + "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
139 | + "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
140 | def amqp_relation(): |
141 | write_contrail_api_config() |
142 | write_contrail_svc_monitor_config() |
143 | @@ -142,10 +176,12 @@ |
144 | if version_compare(CONTRAIL_VERSION, "3.0") >= 0: |
145 | write_contrail_schema_config() |
146 | |
147 | + |
148 | @hooks.hook("amqp-relation-joined") |
149 | def amqp_joined(): |
150 | relation_set(username="contrail", vhost="contrail") |
151 | |
152 | + |
153 | @hooks.hook("cassandra-relation-changed") |
154 | def cassandra_changed(): |
155 | # 'port' is used in legacy precise charm |
156 | @@ -156,13 +192,15 @@ |
157 | units = len(cassandra_units()) |
158 | required = config["cassandra-units"] |
159 | if units < required: |
160 | - log("{} cassandra unit(s) ready, require {} more".format(units, required - units)) |
161 | + log("{} cassandra unit(s) ready, require {} more".format( |
162 | + units, required - units)) |
163 | return |
164 | config["cassandra-ready"] = True |
165 | cassandra_relation() |
166 | add_contrail_api() |
167 | add_metadata() |
168 | |
169 | + |
170 | @hooks.hook("cassandra-relation-departed") |
171 | @hooks.hook("cassandra-relation-broken") |
172 | def cassandra_departed(): |
173 | @@ -172,12 +210,15 @@ |
174 | config["cassandra-ready"] = False |
175 | cassandra_relation() |
176 | |
177 | -@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], |
178 | - "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
179 | - "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
180 | - "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
181 | - "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], |
182 | - "/etc/contrail/discovery.conf": ["supervisor-config"]}) |
183 | + |
184 | +@restart_on_change( |
185 | + { |
186 | + "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
187 | + "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
188 | + "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
189 | + "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
190 | + "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], |
191 | + "/etc/contrail/discovery.conf": ["supervisor-config"]}) |
192 | def cassandra_relation(): |
193 | write_contrail_api_config() |
194 | write_contrail_schema_config() |
195 | @@ -185,6 +226,7 @@ |
196 | write_contrail_svc_monitor_config() |
197 | write_device_manager_config() |
198 | |
199 | + |
200 | @hooks.hook("config-changed") |
201 | def config_changed(): |
202 | write_config() |
203 | @@ -197,8 +239,14 @@ |
204 | |
205 | ip = control_network_ip() |
206 | vip = config.get("vip") |
207 | - settings = { "private-address": ip, |
208 | - "vip": vip } |
209 | + settings = {"private-address": ip, |
210 | + "vip": vip} |
211 | + |
212 | + # a role fetched from keystone is used as a fallback |
213 | + # hence we have to check if this relation is established |
214 | + if config_get("identity-admin-ready"): |
215 | + add_rbac_settings(settings) |
216 | + |
217 | for rid in relation_ids("contrail-api"): |
218 | relation_set(relation_id=rid, relation_settings=settings) |
219 | for rid in relation_ids("contrail-discovery"): |
220 | @@ -217,12 +265,14 @@ |
221 | for rid in relation_ids("http-services"): |
222 | relation_set(relation_id=rid, services=services) |
223 | |
224 | + |
225 | def config_get(key): |
226 | try: |
227 | return config[key] |
228 | except KeyError: |
229 | return None |
230 | |
231 | + |
232 | def configure_control_network(): |
233 | # unprovision/provision configuration on 3.0.2.0+ |
234 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: |
235 | @@ -230,6 +280,7 @@ |
236 | unprovision_configuration() |
237 | provision_configuration() |
238 | |
239 | + |
240 | def configure_floating_ip_pools(): |
241 | if is_leader(): |
242 | floating_pools = config.get("floating-ip-pools") |
243 | @@ -237,16 +288,19 @@ |
244 | if floating_pools != previous_floating_pools: |
245 | # create/destroy pools, activate/deactivate projects |
246 | # according to new value |
247 | - pools = { (pool["project"], |
248 | - pool["network"], |
249 | - pool["pool-name"]): set(pool["target-projects"]) |
250 | - for pool in yaml.safe_load(floating_pools) } \ |
251 | - if floating_pools else {} |
252 | + pools = {(pool["project"], |
253 | + pool["network"], |
254 | + pool["pool-name"]): set(pool["target-projects"]) |
255 | + for pool in yaml.safe_load(floating_pools)} \ |
256 | + if floating_pools else {} |
257 | previous_pools = {} |
258 | if previous_floating_pools: |
259 | for pool in yaml.safe_load(previous_floating_pools): |
260 | projects = pool["target-projects"] |
261 | - name = (pool["project"], pool["network"], pool["pool-name"]) |
262 | + name = ( |
263 | + pool["project"], |
264 | + pool["network"], |
265 | + pool["pool-name"]) |
266 | if name in pools: |
267 | previous_pools[name] = set(projects) |
268 | else: |
269 | @@ -255,10 +309,12 @@ |
270 | if name not in previous_pools: |
271 | floating_ip_pool_create(name, projects) |
272 | else: |
273 | - floating_ip_pool_update(name, projects, previous_pools[name]) |
274 | + floating_ip_pool_update( |
275 | + name, projects, previous_pools[name]) |
276 | |
277 | leader_set({"floating-ip-pools": floating_pools}) |
278 | |
279 | + |
280 | def configure_ssl(): |
281 | cert = config.get("ssl-ca") |
282 | if cert: |
283 | @@ -268,6 +324,7 @@ |
284 | if remove_ssl_ca_certificate(): |
285 | service_restart("supervisor-config") |
286 | |
287 | + |
288 | @hooks.hook("contrail-analytics-api-relation-changed") |
289 | def contrail_analytics_api_changed(): |
290 | if not relation_get("port"): |
291 | @@ -275,27 +332,33 @@ |
292 | return |
293 | contrail_analytics_api_relation() |
294 | |
295 | + |
296 | @hooks.hook("contrail-analytics-api-relation-departed") |
297 | @hooks.hook("contrail-analytics-api-relation-broken") |
298 | -@restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
299 | +@restart_on_change( |
300 | + {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
301 | def contrail_analytics_api_relation(): |
302 | write_contrail_svc_monitor_config() |
303 | |
304 | + |
305 | @hooks.hook("contrail-api-relation-joined") |
306 | def contrail_api_joined(): |
307 | if config_get("contrail-api-configured"): |
308 | - settings = { "private-address": control_network_ip(), |
309 | - "port": api_port(), |
310 | - "vip": config.get("vip") } |
311 | + settings = {"private-address": control_network_ip(), |
312 | + "port": api_port(), |
313 | + "vip": config.get("vip")} |
314 | + add_rbac_settings(settings) |
315 | relation_set(relation_settings=settings) |
316 | |
317 | + |
318 | @hooks.hook("contrail-discovery-relation-joined") |
319 | def contrail_discovery_joined(): |
320 | - settings = { "private-address": control_network_ip(), |
321 | - "port": discovery_port(), |
322 | - "vip": config.get("vip") } |
323 | + settings = {"private-address": control_network_ip(), |
324 | + "port": discovery_port(), |
325 | + "vip": config.get("vip")} |
326 | relation_set(relation_settings=settings) |
327 | |
328 | + |
329 | @hooks.hook("contrail-ifmap-relation-joined") |
330 | def contrail_ifmap_joined(): |
331 | if is_leader(): |
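Review bot: `contrail_api_joined()` calls `add_rbac_settings(settings)` guarded only by `contrail-api-configured`, whereas `config_changed()` wraps the same call in `if config_get("identity-admin-ready"):` with a comment explaining that the keystone role is needed as a fallback. Apply the same check here, or move it into `add_rbac_settings()` so the call sites cannot diverge.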
332 | @@ -303,12 +366,12 @@ |
333 | creds = json.loads(creds) if creds else {} |
334 | |
335 | # prune credentials because we can't remove them directly lp #1469731 |
336 | - creds = { rid: { unit: units[unit] |
337 | - for unit, units in |
338 | - ((unit, creds[rid]) for unit in related_units(rid)) |
339 | - if unit in units } |
340 | - for rid in relation_ids("contrail-ifmap") |
341 | - if rid in creds } |
342 | + creds = {rid: {unit: units[unit] |
343 | + for unit, units in |
344 | + ((unit, creds[rid]) for unit in related_units(rid)) |
345 | + if unit in units} |
346 | + for rid in relation_ids("contrail-ifmap") |
347 | + if rid in creds} |
348 | |
349 | rid = relation_id() |
350 | if rid not in creds: |
351 | @@ -318,12 +381,13 @@ |
352 | if unit in cs: |
353 | return |
354 | # generate new credentials for unit |
355 | - cs[unit] = { "username": unit, "password": pwgen(32) } |
356 | + cs[unit] = {"username": unit, "password": pwgen(32)} |
357 | leader_set({"ifmap-creds": json.dumps(creds)}) |
358 | write_ifmap_config() |
359 | service_restart("supervisor-config") |
360 | relation_set(creds=json.dumps(cs)) |
361 | |
362 | + |
363 | def floating_ip_pool_create(name, projects): |
364 | # create pool |
365 | fq_network = "default-domain:" + ":".join(name[:2]) |
366 | @@ -335,6 +399,7 @@ |
367 | fq_project = "default-domain:" + project |
368 | contrail_floating_ip_use(fq_project, fq_pool_name) |
369 | |
370 | + |
371 | def floating_ip_pool_delete(name, projects): |
372 | # deactivate pool for projects |
373 | fq_pool_name = "default-domain:" + ":".join(name) |
374 | @@ -346,6 +411,7 @@ |
375 | fq_network = "default-domain:" + ":".join(name[:2]) |
376 | contrail_floating_ip_delete(fq_network, name[2]) |
377 | |
378 | + |
379 | def floating_ip_pool_update(name, projects, previous_projects): |
380 | fq_pool_name = "default-domain:" + ":".join(name) |
381 | |
382 | @@ -359,24 +425,39 @@ |
383 | fq_project = "default-domain:" + project |
384 | contrail_floating_ip_use(fq_project, fq_pool_name) |
385 | |
386 | + |
387 | def http_services(): |
388 | name = local_unit().replace("/", "-") |
389 | addr = control_network_ip() |
390 | - return [ { "service_name": "contrail-api", |
391 | - "service_host": "0.0.0.0", |
392 | - "service_port": 8082, |
393 | - "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ], |
394 | - "servers": [ [ name, addr, api_port(), "check port 8084" ] ] }, |
395 | - { "service_name": "contrail-discovery", |
396 | - "service_host": "0.0.0.0", |
397 | - "service_port": 5998, |
398 | - "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ], |
399 | - "servers": [ [ name, addr, discovery_port(), "check" ] ] } ] |
400 | + return [{"service_name": "contrail-api", |
401 | + "service_host": "0.0.0.0", |
402 | + "service_port": 8082, |
403 | + "service_options": ["mode http", |
404 | + "balance leastconn", |
405 | + "option httpchk GET " |
406 | + "/Snh_SandeshUVECacheReq?x=NodeStatus " |
407 | + "HTTP/1.0"], |
408 | + "servers": [[name, |
409 | + addr, |
410 | + api_port(), |
411 | + "check port 8084"]]}, |
412 | + {"service_name": "contrail-discovery", |
413 | + "service_host": "0.0.0.0", |
414 | + "service_port": 5998, |
415 | + "service_options": ["mode http", |
416 | + "balance leastconn", |
417 | + "option httpchk GET /services HTTP/1.0"], |
418 | + "servers": [[name, |
419 | + addr, |
420 | + discovery_port(), |
421 | + "check"]]}] |
422 | + |
423 | |
424 | @hooks.hook("http-services-relation-joined") |
425 | def http_services_joined(): |
426 | relation_set(services=yaml.dump(http_services())) |
427 | |
428 | + |
429 | @hooks.hook("identity-admin-relation-changed") |
430 | def identity_admin_changed(): |
431 | if not relation_get("service_hostname"): |
432 | @@ -387,6 +468,7 @@ |
433 | add_contrail_api() |
434 | add_metadata() |
435 | |
436 | + |
437 | @hooks.hook("identity-admin-relation-departed") |
438 | @hooks.hook("identity-admin-relation-broken") |
439 | def identity_admin_departed(): |
440 | @@ -396,10 +478,13 @@ |
441 | config["identity-admin-ready"] = False |
442 | identity_admin_relation() |
443 | |
444 | -@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], |
445 | - "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
446 | - "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
447 | - "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
448 | + |
449 | +@restart_on_change( |
450 | + { |
451 | + "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
452 | + "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
453 | + "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
454 | + "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]}) |
455 | def identity_admin_relation(): |
456 | write_contrail_api_config() |
457 | write_contrail_schema_config() |
458 | @@ -409,6 +494,7 @@ |
459 | if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0: |
460 | write_barbican_auth_config() |
461 | |
462 | + |
463 | @hooks.hook("identity-service-relation-joined") |
464 | def identity_service_joined(): |
465 | vip = config.get("vip") |
466 | @@ -419,6 +505,7 @@ |
467 | internal_url=url, |
468 | admin_url=url) |
469 | |
470 | + |
471 | @hooks.hook() |
472 | def install(): |
473 | configure_installation_source(config["openstack-origin"]) |
474 | @@ -437,8 +524,10 @@ |
475 | write_nodemgr_config() |
476 | service_restart("contrail-config-nodemgr") |
477 | |
478 | + |
479 | @hooks.hook("leader-settings-changed") |
480 | -@restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]}) |
481 | +@restart_on_change( |
482 | + {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]}) |
483 | def leader_changed(): |
484 | write_ifmap_config() |
485 | creds = leader_get("ifmap-creds") |
486 | @@ -448,12 +537,14 @@ |
487 | if rid in creds: |
488 | relation_set(relation_id=rid, creds=json.dumps(creds[rid])) |
489 | |
490 | + |
491 | def main(): |
492 | try: |
493 | hooks.execute(sys.argv) |
494 | except UnregisteredHookError as e: |
495 | log("Unknown hook {} - skipping.".format(e)) |
496 | |
497 | + |
498 | @hooks.hook("neutron-metadata-relation-changed") |
499 | def neutron_metadata_changed(): |
500 | if not relation_get("shared-secret"): |
501 | @@ -462,6 +553,7 @@ |
502 | config["neutron-metadata-ready"] = True |
503 | add_metadata() |
504 | |
505 | + |
506 | @hooks.hook("neutron-metadata-relation-departed") |
507 | @hooks.hook("neutron-metadata-relation-broken") |
508 | def neutron_metadata_departed(): |
509 | @@ -469,6 +561,7 @@ |
510 | remove_metadata() |
511 | config["neutron-metadata-ready"] = False |
512 | |
513 | + |
514 | def remove_contrail_api(): |
515 | if config_get("contrail-api-configured"): |
516 | # unprovision configuration on 3.0.2.0+ |
517 | @@ -476,6 +569,7 @@ |
518 | unprovision_configuration() |
519 | config["contrail-api-configured"] = False |
520 | |
521 | + |
522 | def remove_metadata(): |
523 | if is_leader() and leader_get("metadata-provisioned"): |
524 | # impossible to know if current hook is firing because |
525 | @@ -484,6 +578,7 @@ |
526 | unprovision_metadata() |
527 | leader_set({"metadata-provisioned": ""}) |
528 | |
529 | + |
530 | @hooks.hook("upgrade-charm") |
531 | def upgrade_charm(): |
532 | write_ifmap_config() |
533 | @@ -496,12 +591,16 @@ |
534 | write_nodemgr_config() |
535 | service_restart("supervisor-config") |
536 | |
537 | -@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], |
538 | - "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]}) |
539 | + |
540 | +@restart_on_change( |
541 | + { |
542 | + "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
543 | + "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]}) |
544 | def write_config(): |
545 | write_contrail_api_config() |
546 | write_nodemgr_config() |
547 | |
548 | + |
549 | @hooks.hook("zookeeper-relation-changed") |
550 | def zookeeper_changed(): |
551 | if not relation_get("port"): |
552 | @@ -512,6 +611,7 @@ |
553 | add_contrail_api() |
554 | add_metadata() |
555 | |
556 | + |
557 | @hooks.hook("zookeeper-relation-departed") |
558 | @hooks.hook("zookeeper-relation-broken") |
559 | def zookeeper_departed(): |
560 | @@ -521,12 +621,15 @@ |
561 | config["zookeeper-ready"] = False |
562 | zookeeper_relation() |
563 | |
564 | -@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"], |
565 | - "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
566 | - "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
567 | - "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
568 | - "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], |
569 | - "/etc/contrail/discovery.conf": ["supervisor-config"]}) |
570 | + |
571 | +@restart_on_change( |
572 | + { |
573 | + "/etc/contrail/contrail-api.conf": ["supervisor-config"], |
574 | + "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"], |
575 | + "/etc/contrail/contrail-discovery.conf": ["supervisor-config"], |
576 | + "/etc/contrail/contrail-schema.conf": ["supervisor-config"], |
577 | + "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"], |
578 | + "/etc/contrail/discovery.conf": ["supervisor-config"]}) |
579 | def zookeeper_relation(): |
580 | write_contrail_api_config() |
581 | write_contrail_schema_config() |
582 | @@ -534,5 +637,6 @@ |
583 | write_contrail_svc_monitor_config() |
584 | write_device_manager_config() |
585 | |
586 | + |
587 | if __name__ == "__main__": |
588 | main() |
589 | |
590 | === modified file 'hooks/contrail_configuration_utils.py' |
591 | --- hooks/contrail_configuration_utils.py 2017-03-10 12:49:07 +0000 |
592 | +++ hooks/contrail_configuration_utils.py 2017-03-23 15:13:02 +0000 |
593 | @@ -40,6 +40,7 @@ |
594 | |
595 | apt_pkg.init() |
596 | |
597 | + |
598 | def dpkg_version(pkg): |
599 | try: |
600 | return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip() |
601 | @@ -155,10 +156,16 @@ |
602 | |
603 | def contrail_ctx(): |
604 | addr = control_network_ip() |
605 | + rbac = config.get("rbac") |
606 | + cloud_admin_role = config.get("cloud-admin-role") |
607 | + global_read_only_role = config.get("global-read-only-role") |
608 | return { "api_port": api_port(), |
609 | "ifmap_server": addr, |
610 | "disc_server": addr, |
611 | - "disc_port": discovery_port() } |
612 | + "disc_port": discovery_port(), |
613 | + "rbac": rbac, |
614 | + "cloud_admin_role": cloud_admin_role, |
615 | + "global_read_only_role": global_read_only_role } |
616 | |
617 | def contrail_floating_ip_create(network, name): |
618 | user, password, tenant = [ (relation_get("service_username", unit, rid), |
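Review bot: `contrail_ctx()` passes `config.get("cloud-admin-role")` and `config.get("global-read-only-role")` straight to the template, without the keystone fallback that `get_rbac_roles()` applies to the relation data, so with the options unset the rendered API server config and the values published on the contrail-api relation disagree. Build both from one helper. `rbac` is also passed through with no check against `CONTRAIL_VERSION`, although the option is documented as 3.2 and newer only.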
619 | @@ -344,7 +351,9 @@ |
620 | "admin_user": relation_get("service_username", unit, rid), |
621 | "admin_password": relation_get("service_password", unit, rid), |
622 | "admin_tenant_name": relation_get("service_tenant_name", unit, rid), |
623 | - "auth_region": relation_get("service_region", unit, rid) } |
624 | + "auth_region": relation_get("service_region", unit, rid), |
625 | + "service_protocol": relation_get("service_protocol", unit, rid), |
626 | + "api_version": relation_get("api_version", unit, rid)} |
627 | for rid in relation_ids("identity-admin") |
628 | for unit, hostname in |
629 | ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid)) |
630 | |
631 | === added symlink 'hooks/identity-credentials-relation-changed' |
632 | === target is u'contrail_configuration_hooks.py' |
633 | === added symlink 'hooks/identity-credentials-relation-joined' |
634 | === target is u'contrail_configuration_hooks.py' |
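Review bot: the `identity-credentials-relation-changed` and `identity-credentials-relation-joined` symlinks are added, but the hooks file in this diff registers no `@hooks.hook` for either name, so `main()` would only log "Unknown hook ... skipping" when they fire. Drop the symlinks, or add the handlers in the same change.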
635 | === modified file 'templates/contrail-api.conf' |
636 | --- templates/contrail-api.conf 2017-01-31 12:51:09 +0000 |
637 | +++ templates/contrail-api.conf 2017-03-23 15:13:02 +0000 |
638 | @@ -10,7 +10,16 @@ |
639 | ifmap_password = api-server |
640 | cassandra_server_list = {{ cassandra_servers|join(" ") }} |
641 | auth = keystone |
642 | -multi_tenancy = True |
643 | + |
644 | +{% if rbac -%} |
645 | +aaa_mode = rbac |
646 | +{% else -%} |
647 | +multi_tenancy = true |
648 | +{% endif -%} |
649 | + |
650 | +cloud_admin_role = {{ cloud_admin_role }} |
651 | +global_read_only_role = {{ global_read_only_role }} |
652 | + |
653 | disc_server_ip = {{ disc_server }} |
654 | disc_server_port = {{ disc_port }} |
655 | zk_server_ip = {{ zk_servers|join(",") }} |
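Review bot: `cloud_admin_role` and `global_read_only_role` are rendered outside the `{% if rbac -%}` block, so they are written even when rbac is off, and an unset option renders as the literal string `None`. Move both lines into the rbac branch and emit each only when it has a value. The non-rbac branch also changes `multi_tenancy = True` to `multi_tenancy = true`; keep the original spelling unless the change is intentional, since this branch is the one older releases will use.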
See my comment