compass-adapters/chef/cookbooks/openstack-identity/recipes/server.rb

# encoding: UTF-8
#
# Cookbook Name:: openstack-identity
# Recipe:: server
#
# Copyright 2012, Rackspace US, Inc.
# Copyright 2012-2013, Opscode, Inc.
# Copyright 2013 SUSE LINUX Products GmbH.
#
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require 'uri'

class ::Chef::Recipe # rubocop:disable Documentation
  include ::Openstack
end

if node['openstack']['identity']['syslog']['use']
  include_recipe 'openstack-common::logging'
end

platform_options = node['openstack']['identity']['platform']

db_type = node['openstack']['db']['identity']['service_type']
unless db_type == 'sqlite'
  platform_options["#{db_type}_python_packages"].each do |pkg|
    package pkg do
      options platform_options['package_options']
      action :upgrade
    end
  end
end

platform_options['memcache_python_packages'].each do |pkg|
  package pkg do
    options platform_options['package_options']
    action :upgrade
  end
end

platform_options['keystone_packages'].each do |pkg|
  package pkg do
    options platform_options['package_options']
    action :upgrade
  end
end

execute 'Keystone: sleep' do
  command 'sleep 10s'

  action :nothing
end

service 'keystone' do
  service_name platform_options['keystone_service']
  supports status: true, restart: true

  action [:enable]

  notifies :run, 'execute[Keystone: sleep]', :immediately
end

directory '/etc/keystone' do
  owner node['openstack']['identity']['user']
  group node['openstack']['identity']['group']
  mode  00700
end

file '/var/lib/keystone/keystone.db' do
  action :delete
  not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' }
end

if node['openstack']['auth']['strategy'] == 'pki'
  certfile_url = node['openstack']['identity']['signing']['certfile_url']
  keyfile_url = node['openstack']['identity']['signing']['keyfile_url']
  ca_certs_url = node['openstack']['identity']['signing']['ca_certs_url']
  signing_basedir = node['openstack']['identity']['signing']['basedir']

  directory signing_basedir do
    owner node['openstack']['identity']['user']
    group node['openstack']['identity']['group']
    mode  00700
  end

  directory "#{signing_basedir}/certs" do
    owner node['openstack']['identity']['user']
    group node['openstack']['identity']['group']
    mode  00755
  end

  directory "#{signing_basedir}/private" do
    owner node['openstack']['identity']['user']
    group node['openstack']['identity']['group']
    mode  00750
  end

  if certfile_url.nil? || keyfile_url.nil? || ca_certs_url.nil?
    keygen_node = node_election('os-identity', 'keystone_keygen')
    if node.name.eql?(keygen_node.name)
      execute 'keystone-manage pki_setup' do
        user  node['openstack']['identity']['user']
        group node['openstack']['identity']['group']
        not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] }
      end
      %w{certfile keyfile ca_certs}.each do |name|
        ruby_block "read #{name}" do
          block do
            file = node['openstack']['identity']['signing']["#{name}"]
            if File.exists?(file) and !node['openstack']['identity']['signing'].attribute?("#{name}_data")
              node.set['openstack']['identity']['signing']["#{name}_data"] = File.read(file)
              node.save
            end
          end
        end
      end

    else
      if keygen_node['openstack']['identity']['signing'].attribute?("ca_certs_data")
        %w{certfile keyfile ca_certs}.each do |name|
          file node['openstack']['identity']['signing']["#{name}"] do
            content keygen_node['openstack']['identity']['signing']["#{name}_data"]
            owner   node['openstack']['identity']['user']
            group   node['openstack']['identity']['group']
            mode    00640
          end
        end
      end
    end

  else
    remote_file node['openstack']['identity']['signing']['certfile'] do
      source certfile_url
      owner  node['openstack']['identity']['user']
      group  node['openstack']['identity']['group']
      mode   00640

      notifies :restart, 'service[keystone]', :delayed
    end

    remote_file node['openstack']['identity']['signing']['keyfile'] do
      source keyfile_url
      owner  node['openstack']['identity']['user']
      group  node['openstack']['identity']['group']
      mode   00640

      notifies :restart, 'service[keystone]', :delayed
    end

    remote_file node['openstack']['identity']['signing']['ca_certs'] do
      source ca_certs_url
      owner  node['openstack']['identity']['user']
      group  node['openstack']['identity']['group']
      mode   00640

      notifies :restart, 'service[keystone]', :delayed
    end
  end
end

bind_endpoint = endpoint 'identity-bind'
identity_admin_endpoint = endpoint 'identity-admin'
identity_endpoint = endpoint 'identity-api'
compute_endpoint = endpoint 'compute-api'
ec2_endpoint = endpoint 'compute-ec2-api'
image_endpoint = endpoint 'image-api'
network_endpoint = endpoint 'network-api'
volume_endpoint = endpoint 'block-storage-api'

db_user = node['openstack']['db']['identity']['username']
db_pass = get_password 'db', 'keystone'
sql_connection = db_uri('identity', db_user, db_pass)

bootstrap_token = get_secret 'openstack_identity_bootstrap_token'

bind_address = bind_endpoint.host

# If the search role is set, we search for memcache
# servers via a Chef search. If not, we look at the
# memcache.servers attribute.
if node['openstack']['identity']['token']['backend'].eql?('memcache')
  memcache_servers = memcached_servers('os-ops-caching').join ','  # from openstack-common lib
  # number of seconds to wait before sockets timeout when the memcached server is down
  # the default number is 3, here is going to set it as 0.1
  ruby_block "Set memcache socket timeout" do
    block do
      `sed -i "s/_SOCKET_TIMEOUT = 3/_SOCKET_TIMEOUT = 0.1/g" /usr/lib/python[0-9].[0-9]/site-packages/memcache.py`
    end
  end
end

# These configuration endpoints must not have the path (v2.0, etc)
# added to them, as these values are used in returning the version
# listing information from the root / endpoint.
ie = identity_endpoint
public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
ae = identity_admin_endpoint
admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"

# If a keystone-paste.ini is specified use it
if node['openstack']['identity']['pastefile_url']
  remote_file '/etc/keystone/keystone-paste.ini' do
    source node['openstack']['identity']['pastefile_url']
    owner node['openstack']['identity']['user']
    group node['openstack']['identity']['group']
    mode 00644

    notifies :restart, 'service[keystone]', :delayed
  end
end

template '/etc/keystone/keystone.conf' do
  source 'keystone.conf.erb'
  owner node['openstack']['identity']['user']
  group node['openstack']['identity']['group']
  mode   00644
  variables(
    sql_connection: sql_connection,
    bind_address: bind_address,
    bootstrap_token: bootstrap_token,
    memcache_servers: memcache_servers,
    public_endpoint: public_endpoint,
    public_port: identity_endpoint.port,
    admin_endpoint: admin_endpoint,
    admin_port: identity_admin_endpoint.port,
    ldap: node['openstack']['identity']['ldap'],
    token_expiration: node['openstack']['identity']['token']['expiration']
  )

  notifies :restart, 'service[keystone]', :immediately
end

# populate the templated catlog, if you're using the templated catalog backend
uris = {
  'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
  'identity' => identity_endpoint.to_s.gsub('%25', '%'),
  'image' => image_endpoint.to_s.gsub('%25', '%'),
  'compute' => compute_endpoint.to_s.gsub('%25', '%'),
  'ec2' => ec2_endpoint.to_s.gsub('%25', '%'),
  'network' => network_endpoint.to_s.gsub('%25', '%'),
  'volume' => volume_endpoint.to_s.gsub('%25', '%')
}

template '/etc/keystone/default_catalog.templates' do
  source 'default_catalog.templates.erb'
  owner node['openstack']['identity']['user']
  group node['openstack']['identity']['group']
  mode   00644
  variables(
    uris: uris
  )

  notifies :restart, 'service[keystone]', :immediately
  only_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
end

# sync db after keystone.conf is generated
execute 'keystone-manage db_sync' do
  user node['openstack']['identity']['user']
  group node['openstack']['identity']['group']

  only_if { node['openstack']['db']['identity']['migrate'] }
end

# Configure the flush tokens cronjob
should_run_cron = node['openstack']['identity']['token_flush_cron']['enabled'] && node['openstack']['identity']['token']['backend'] == 'sql'
log_file = node['openstack']['identity']['token_flush_cron']['log_file']

cron 'keystone-manage-token-flush' do
  minute node['openstack']['identity']['token_flush_cron']['minute']
  hour node['openstack']['identity']['token_flush_cron']['hour']
  day node['openstack']['identity']['token_flush_cron']['day']
  weekday node['openstack']['identity']['token_flush_cron']['weekday']
  action should_run_cron ? :create : :delete
  user node['openstack']['identity']['user']
  command %Q{
    `which keystone-manage` token_flush > #{log_file} 2>&1 &&
    echo keystone-manage token_flush ran at $(/bin/date) with exit code $? >> #{log_file}
  }.gsub!(/\n/, '')
end
# TODO(luisg): We can remove the \n substitution in the cron command when https://tickets.opscode.com/browse/CHEF-5238 is fixed