From 8ab64b3236c93c8449edf80165017898b83f1269 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Fri, 17 Nov 2017 19:52:29 +0100 Subject: [PATCH] Drop signing_dir option from configure_auth_token_middleware This is no longer being used due to Keystone PKI tokens no longer being implemented. In order to not break backward compatibility we create a new function that is to be used instead and deprecate the old one. Modify the old function to ignore the 3rd argument and display a deprecation warning. Adjust callers to no longer create and set that directory, calling the new function instead. Change-Id: Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610 --- lib/cinder | 13 ++----------- lib/glance | 24 +++--------------------- lib/keystone | 17 +++++++++++------ lib/neutron | 17 +++-------------- lib/neutron-legacy | 14 ++------------ lib/nova | 13 ++----------- lib/placement | 12 +----------- lib/swift | 7 +------ 8 files changed, 25 insertions(+), 92 deletions(-) diff --git a/lib/cinder b/lib/cinder index ed8349aad6..32e38c44da 100644 --- a/lib/cinder +++ b/lib/cinder @@ -51,7 +51,6 @@ else fi CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder} -CINDER_AUTH_CACHE_DIR=${CINDER_AUTH_CACHE_DIR:-/var/cache/cinder} CINDER_CONF_DIR=/etc/cinder CINDER_CONF=$CINDER_CONF_DIR/cinder.conf @@ -217,7 +216,7 @@ function configure_cinder { inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir - configure_auth_token_middleware $CINDER_CONF cinder $CINDER_AUTH_CACHE_DIR + configure_keystone_authtoken_middleware $CINDER_CONF cinder iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL 
@@ -314,7 +313,7 @@ function configure_cinder { fi # Set nova credentials (used for os-assisted-snapshots) - configure_auth_token_middleware $CINDER_CONF nova $CINDER_AUTH_CACHE_DIR nova + configure_keystone_authtoken_middleware $CINDER_CONF nova nova iniset $CINDER_CONF nova region_name "$REGION_NAME" iniset $CINDER_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT" @@ -380,13 +379,6 @@ function create_cinder_accounts { fi } -# create_cinder_cache_dir() - Part of the init_cinder() process -function create_cinder_cache_dir { - # Create cache dir - sudo install -d -o $STACK_USER $CINDER_AUTH_CACHE_DIR - rm -f $CINDER_AUTH_CACHE_DIR/* -} - # init_cinder() - Initialize database and volume group function init_cinder { if is_service_enabled $DATABASE_BACKENDS; then @@ -415,7 +407,6 @@ function init_cinder { fi mkdir -p $CINDER_STATE_PATH/volumes - create_cinder_cache_dir } # install_cinder() - Collect source and prepare diff --git a/lib/glance b/lib/glance index d630c9a3b0..54d3276433 100644 --- a/lib/glance +++ b/lib/glance @@ -44,7 +44,6 @@ fi GLANCE_CACHE_DIR=${GLANCE_CACHE_DIR:=$DATA_DIR/glance/cache} GLANCE_IMAGE_DIR=${GLANCE_IMAGE_DIR:=$DATA_DIR/glance/images} GLANCE_LOCK_DIR=${GLANCE_LOCK_DIR:=$DATA_DIR/glance/locks} -GLANCE_AUTH_CACHE_DIR=${GLANCE_AUTH_CACHE_DIR:-/var/cache/glance} GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance} GLANCE_METADEF_DIR=$GLANCE_CONF_DIR/metadefs 
@@ -97,20 +96,14 @@ function is_glance_enabled { # cleanup_glance() - Remove residual data files, anything left over from previous # runs that a clean run would need to clean up function cleanup_glance { - # kill instances (nova) # delete image files (glance) - sudo rm -rf $GLANCE_CACHE_DIR $GLANCE_IMAGE_DIR $GLANCE_AUTH_CACHE_DIR + sudo rm -rf $GLANCE_CACHE_DIR $GLANCE_IMAGE_DIR } # configure_glance() - Set config files, create data dirs, etc function configure_glance { sudo install -d -o $STACK_USER $GLANCE_CONF_DIR $GLANCE_METADEF_DIR - # We run this here as this configures cache dirs for the auth middleware - # which is used in the api server and not in the registry. The api - # Server is configured through this function and not init_glance. - create_glance_cache_dir - # Set non-default configuration options for registry iniset $GLANCE_REGISTRY_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL iniset $GLANCE_REGISTRY_CONF DEFAULT bind_host $GLANCE_SERVICE_LISTEN_ADDRESS @@ -120,7 +113,7 @@ function configure_glance { iniset $GLANCE_REGISTRY_CONF database connection $dburl iniset $GLANCE_REGISTRY_CONF DEFAULT use_syslog $SYSLOG iniset $GLANCE_REGISTRY_CONF paste_deploy flavor keystone - configure_auth_token_middleware $GLANCE_REGISTRY_CONF glance $GLANCE_AUTH_CACHE_DIR/registry + configure_keystone_authtoken_middleware $GLANCE_REGISTRY_CONF glance iniset $GLANCE_REGISTRY_CONF oslo_messaging_notifications driver messagingv2 iniset_rpc_backend glance $GLANCE_REGISTRY_CONF iniset $GLANCE_REGISTRY_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT" 
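Review bot: `cleanup_glance` no longer removes `$GLANCE_AUTH_CACHE_DIR`, and the variable itself is deleted, so a host that ran an earlier version keeps `/var/cache/glance` (created by the removed `sudo install -d -o $STACK_USER ...`) after a clean. The same applies to the `cleanup_nova` and `cleanup_placement` hunks for `/var/cache/nova` and `/var/cache/placement`. Since these functions exist to remove leftovers from previous runs, consider keeping the removal for a transition period, e.g. `sudo rm -rf $GLANCE_CACHE_DIR $GLANCE_IMAGE_DIR /var/cache/glance`, with a comment saying when it can be dropped.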
@@ -132,7 +125,7 @@ function configure_glance { iniset $GLANCE_API_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/ iniset $GLANCE_API_CONF oslo_concurrency lock_path $GLANCE_LOCK_DIR iniset $GLANCE_API_CONF paste_deploy flavor keystone+cachemanagement - configure_auth_token_middleware $GLANCE_API_CONF glance $GLANCE_AUTH_CACHE_DIR/api + configure_keystone_authtoken_middleware $GLANCE_API_CONF glance iniset $GLANCE_API_CONF oslo_messaging_notifications driver messagingv2 iniset_rpc_backend glance $GLANCE_API_CONF if [ "$VIRT_DRIVER" = 'xenserver' ]; then @@ -279,23 +272,12 @@ function create_glance_accounts { fi } -# create_glance_cache_dir() - Part of the configure_glance() process -function create_glance_cache_dir { - # Create cache dir - sudo install -d -o $STACK_USER $GLANCE_AUTH_CACHE_DIR/api $GLANCE_AUTH_CACHE_DIR/registry $GLANCE_AUTH_CACHE_DIR/search $GLANCE_AUTH_CACHE_DIR/artifact - rm -f $GLANCE_AUTH_CACHE_DIR/api/* $GLANCE_AUTH_CACHE_DIR/registry/* $GLANCE_AUTH_CACHE_DIR/search/* $GLANCE_AUTH_CACHE_DIR/artifact/* -} - # init_glance() - Initialize databases, etc. function init_glance { # Delete existing images rm -rf $GLANCE_IMAGE_DIR mkdir -p $GLANCE_IMAGE_DIR - # Delete existing cache - rm -rf $GLANCE_CACHE_DIR - mkdir -p $GLANCE_CACHE_DIR - # (Re)create glance database recreate_database glance diff --git a/lib/keystone b/lib/keystone index 02e28222b7..5bd552f557 100644 --- a/lib/keystone +++ b/lib/keystone 
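Review bot: The init_glance hunk removes the `rm -rf $GLANCE_CACHE_DIR` / `mkdir -p $GLANCE_CACHE_DIR` pair, but `GLANCE_CACHE_DIR` is the image cache (configure_glance sets `image_cache_dir` from it), not the keystone auth cache this commit is dropping. Nothing visible in the patch recreates or empties that directory afterwards, so a re-stack may reuse cached image data from a previous run and a fresh host depends on something else to create the directory. Unless that is intended, keep `rm -rf $GLANCE_CACHE_DIR` and `mkdir -p $GLANCE_CACHE_DIR` and remove only the `create_glance_cache_dir` helper. init_glance continues past the end of the hunk.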
@@ -397,18 +397,17 @@ function create_service_user { fi } -# Configure the service to use the auth token middleware. +# Configure a service to use the auth token middleware. # -# configure_auth_token_middleware conf_file admin_user signing_dir [section] +# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section] # # section defaults to keystone_authtoken, which is where auth_token looks in # the .conf file. If the paste config file is used (api-paste.ini) then # provide the section name for the auth_token filter. -function configure_auth_token_middleware { +function configure_keystone_authtoken_middleware { local conf_file=$1 local admin_user=$2 - local signing_dir=$3 - local section=${4:-keystone_authtoken} + local section=${3:-keystone_authtoken} iniset $conf_file $section auth_type password iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI @@ -419,10 +418,16 @@ function configure_auth_token_middleware { iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" iniset $conf_file $section cafile $SSL_BUNDLE_FILE - iniset $conf_file $section signing_dir $signing_dir iniset $conf_file $section memcached_servers localhost:11211 } +# configure_auth_token_middleware conf_file admin_user IGNORED [section] +# TODO(frickler): old function for backwards compatibility, remove in U cycle +function configure_auth_token_middleware { + echo "WARNING: configure_auth_token_middleware is deprecated, use configure_keystone_authtoken_middleware instead" + configure_keystone_authtoken_middleware $1 $2 $4 +} + # init_keystone() - Initialize databases, etc. function init_keystone { if is_service_enabled ldap; then diff --git a/lib/neutron b/lib/neutron index 947c491ec1..e1fd10ce1f 100644 --- a/lib/neutron +++ b/lib/neutron 
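Review bot: The usage comment above `configure_keystone_authtoken_middleware` still lists a third `IGNORED` argument, but the new body reads the section from `$3` (`local section=${3:-keystone_authtoken}`). A caller following the comment would pass a placeholder there and get the auth credentials written under a section named after it. The line should read `# configure_keystone_authtoken_middleware conf_file admin_user [section]`. The function body continues into the next hunk.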
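Review bot: The compatibility wrapper `configure_auth_token_middleware` forwards `$1 $2 $4` unquoted, so it only keeps old callers working while their third argument still expands to a non-empty word. This commit also deletes the `*_AUTH_CACHE_DIR` defaults from the lib files; an out-of-tree caller that passes one of those variables unquoted (none is visible here, so this is inferred) would have its section name land in `$3`, and the wrapper would silently write the service credentials into the default `keystone_authtoken` section. Keeping those variables defined until the wrapper is removed, or documenting the hazard in the wrapper's comment, would close that gap. The deprecation message also goes to stdout; `echo "WARNING: ..." >&2` would keep it out of any captured output.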
@@ -36,7 +36,6 @@ GITDIR["python-neutronclient"]=$DEST/python-neutronclient NEUTRON_DEPLOY_MOD_WSGI=$(trueorfalse False NEUTRON_DEPLOY_MOD_WSGI) NEUTRON_AGENT=${NEUTRON_AGENT:-openvswitch} NEUTRON_DIR=$DEST/neutron -NEUTRON_AUTH_CACHE_DIR=${NEUTRON_AUTH_CACHE_DIR:-/var/cache/neutron} NEUTRON_DISTRIBUTED_ROUTING=$(trueorfalse False NEUTRON_DISTRIBUTED_ROUTING) # Distributed Virtual Router (DVR) configuration @@ -62,7 +61,6 @@ NEUTRON_AGENT_CONF=$NEUTRON_CONF_DIR/ NEUTRON_CREATE_INITIAL_NETWORKS=${NEUTRON_CREATE_INITIAL_NETWORKS:-True} NEUTRON_STATE_PATH=${NEUTRON_STATE_PATH:=$DATA_DIR/neutron} -NEUTRON_AUTH_CACHE_DIR=${NEUTRON_AUTH_CACHE_DIR:-/var/cache/neutron} NEUTRON_UWSGI_CONF=$NEUTRON_CONF_DIR/neutron-api-uwsgi.ini @@ -200,8 +198,8 @@ function configure_neutron_new { iniset $NEUTRON_CONF DEFAULT router_distributed $NEUTRON_DISTRIBUTED_ROUTING iniset $NEUTRON_CONF DEFAULT auth_strategy $NEUTRON_AUTH_STRATEGY - configure_auth_token_middleware $NEUTRON_CONF neutron $NEUTRON_AUTH_CACHE_DIR keystone_authtoken - configure_auth_token_middleware $NEUTRON_CONF nova $NEUTRON_AUTH_CACHE_DIR nova + configure_keystone_authtoken_middleware $NEUTRON_CONF neutron + configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova # Configure VXLAN # TODO(sc68cal) not hardcode? @@ -292,7 +290,7 @@ function configure_neutron_new { # TODO(dtroyer): remove the v2.0 hard code below iniset $NEUTRON_META_CONF DEFAULT auth_url $KEYSTONE_SERVICE_URI - configure_auth_token_middleware $NEUTRON_META_CONF neutron $NEUTRON_AUTH_CACHE_DIR DEFAULT + configure_keystone_authtoken_middleware $NEUTRON_META_CONF neutron DEFAULT fi # Format logging 
@@ -389,13 +387,6 @@ function create_neutron_accounts_new { fi } -# create_neutron_cache_dir() - Part of the init_neutron() process -function create_neutron_cache_dir { - # Create cache dir - sudo install -d -o $STACK_USER $NEUTRON_AUTH_CACHE_DIR - rm -f $NEUTRON_AUTH_CACHE_DIR/* -} - # init_neutron() - Initialize databases, etc. function init_neutron_new { @@ -405,8 +396,6 @@ function init_neutron_new { # Run Neutron db migrations $NEUTRON_BIN_DIR/neutron-db-manage upgrade heads time_stop "dbsync" - - create_neutron_cache_dir } # install_neutron() - Collect source and prepare diff --git a/lib/neutron-legacy b/lib/neutron-legacy index 87edc5ab81..dbd6e2c06b 100644 --- a/lib/neutron-legacy +++ b/lib/neutron-legacy @@ -71,7 +71,6 @@ GITDIR["python-neutronclient"]=$DEST/python-neutronclient NEUTRON_DIR=$DEST/neutron NEUTRON_FWAAS_DIR=$DEST/neutron-fwaas -NEUTRON_AUTH_CACHE_DIR=${NEUTRON_AUTH_CACHE_DIR:-/var/cache/neutron} # Support entry points installation of console scripts if [[ -d $NEUTRON_DIR/bin/neutron-server ]]; then @@ -841,13 +840,13 @@ function _configure_neutron_service { iniset $NEUTRON_CONF DEFAULT allow_overlapping_ips $Q_ALLOW_OVERLAPPING_IP iniset $NEUTRON_CONF DEFAULT auth_strategy $Q_AUTH_STRATEGY - _neutron_setup_keystone $NEUTRON_CONF keystone_authtoken + configure_keystone_authtoken_middleware $NEUTRON_CONF $Q_ADMIN_USERNAME # Configuration for neutron notifications to nova. iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES - configure_auth_token_middleware $NEUTRON_CONF nova $NEUTRON_AUTH_CACHE_DIR nova + configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova # Configure plugin neutron_plugin_configure_service 
@@ -933,15 +932,6 @@ function _neutron_setup_rootwrap { fi } -# Configures keystone integration for neutron service -function _neutron_setup_keystone { - local conf_file=$1 - local section=$2 - - create_neutron_cache_dir - configure_auth_token_middleware $conf_file $Q_ADMIN_USERNAME $NEUTRON_AUTH_CACHE_DIR $section -} - function _neutron_setup_interface_driver { # ovs_use_veth needs to be set before the plugin configuration diff --git a/lib/nova b/lib/nova index 8220e0f10b..a394a64eef 100644 --- a/lib/nova +++ b/lib/nova @@ -46,7 +46,6 @@ fi NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova} # INSTANCES_PATH is the previous name for this NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}} -NOVA_AUTH_CACHE_DIR=${NOVA_AUTH_CACHE_DIR:-/var/cache/nova} NOVA_CONF_DIR=/etc/nova NOVA_CONF=$NOVA_CONF_DIR/nova.conf @@ -215,7 +214,7 @@ function cleanup_nova { sudo rm -rf $NOVA_INSTANCES_PATH/* fi - sudo rm -rf $NOVA_STATE_PATH $NOVA_AUTH_CACHE_DIR + sudo rm -rf $NOVA_STATE_PATH # NOTE(dtroyer): This really should be called from here but due to the way # nova abuses the _cleanup() function we're moving it @@ -443,7 +442,7 @@ function create_nova_conf { iniset $NOVA_CONF DEFAULT osapi_compute_link_prefix $NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT fi - configure_auth_token_middleware $NOVA_CONF nova $NOVA_AUTH_CACHE_DIR + configure_keystone_authtoken_middleware $NOVA_CONF nova fi if is_service_enabled cinder; then @@ -690,13 +689,6 @@ function conductor_conf { echo "${NOVA_CONF_DIR}/nova_cell${cell}.conf" } -# create_nova_cache_dir() - Part of the init_nova() process -function create_nova_cache_dir { - # Create cache dir - sudo install -d -o $STACK_USER $NOVA_AUTH_CACHE_DIR - rm -f $NOVA_AUTH_CACHE_DIR/* -} - # create_nova_keys_dir() - Part of the init_nova() process function create_nova_keys_dir { # Create keys dir 
@@ -738,7 +730,6 @@ function init_nova { done fi - create_nova_cache_dir create_nova_keys_dir if [[ "$NOVA_BACKEND" == "LVM" ]]; then diff --git a/lib/placement b/lib/placement index a89cd26939..785b0ddfca 100644 --- a/lib/placement +++ b/lib/placement @@ -29,7 +29,6 @@ set +o xtrace PLACEMENT_DIR=$DEST/placement PLACEMENT_CONF_DIR=/etc/placement PLACEMENT_CONF=$PLACEMENT_CONF_DIR/placement.conf -PLACEMENT_AUTH_CACHE_DIR=${PLACEMENT_AUTH_CACHE_DIR:-/var/cache/placement} PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-keystone} # Placement virtual environment if [[ ${USE_VENV} = True ]]; then @@ -64,7 +63,6 @@ function is_placement_enabled { function cleanup_placement { sudo rm -f $(apache_site_config_for placement-api) remove_uwsgi_config "$PLACEMENT_UWSGI_CONF" "$PLACEMENT_UWSGI" - sudo rm -f $PLACEMENT_AUTH_CACHE_DIR/* } # _config_placement_apache_wsgi() - Set WSGI config files @@ -99,7 +97,7 @@ function create_placement_conf { iniset $PLACEMENT_CONF placement_database connection `database_connection_url placement` iniset $PLACEMENT_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL" iniset $PLACEMENT_CONF api auth_strategy $PLACEMENT_AUTH_STRATEGY - configure_auth_token_middleware $PLACEMENT_CONF placement $PLACEMENT_AUTH_CACHE_DIR + configure_keystone_authtoken_middleware $PLACEMENT_CONF placement setup_logging $PLACEMENT_CONF } @@ -127,19 +125,11 @@ function create_placement_accounts { "$placement_api_url" } -# create_placement_cache_dir() - Create directories for keystone cache -function create_placement_cache_dir { - # Create cache dir - sudo install -d -o $STACK_USER $PLACEMENT_AUTH_CACHE_DIR - rm -f $PLACEMENT_AUTH_CACHE_DIR/* -} - # init_placement() - Create service user and endpoints function init_placement { recreate_database placement $PLACEMENT_BIN_DIR/placement-manage db sync create_placement_accounts - create_placement_cache_dir } # install_placement() - Collect source and prepare diff --git a/lib/swift b/lib/swift index d9a7878652..5be9e3575e 100644 
--- a/lib/swift +++ b/lib/swift @@ -47,7 +47,6 @@ else SWIFT_BIN_DIR=$(get_python_exec_prefix) fi -SWIFT_AUTH_CACHE_DIR=${SWIFT_AUTH_CACHE_DIR:-/var/cache/swift} SWIFT_APACHE_WSGI_DIR=${SWIFT_APACHE_WSGI_DIR:-/var/www/swift} SWIFT_SERVICE_PROTOCOL=${SWIFT_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} @@ -452,7 +451,7 @@ function configure_swift { iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken log_name swift iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken paste.filter_factory keystonemiddleware.auth_token:filter_factory - configure_auth_token_middleware $SWIFT_CONFIG_PROXY_SERVER swift $SWIFT_AUTH_CACHE_DIR filter:authtoken + configure_keystone_authtoken_middleware $SWIFT_CONFIG_PROXY_SERVER swift filter:authtoken iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken delay_auth_decision 1 iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken cache swift.cache iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken include_service_catalog False @@ -735,10 +734,6 @@ function init_swift { $SWIFT_BIN_DIR/swift-ring-builder container.builder rebalance 42 $SWIFT_BIN_DIR/swift-ring-builder account.builder rebalance 42 } && popd >/dev/null - - # Create cache dir - sudo install -d -o ${STACK_USER} $SWIFT_AUTH_CACHE_DIR - rm -f $SWIFT_AUTH_CACHE_DIR/* } function install_swift {