/usr/bin/heat-keystone-setup-domain is in heat-common 1:6.0.0-0ubuntu1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 | #!/usr/bin/python
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import sys
import keystoneclient.exceptions as kc_exception
from keystoneclient.v3 import client
from oslo_config import cfg
from oslo_log import log as logging
from heat import version
logger = logging.getLogger(__name__)
DEBUG = False
USERNAME = os.environ.get('OS_USERNAME')
PASSWORD = os.environ.get('OS_PASSWORD')
AUTH_URL = os.environ.get('OS_AUTH_URL', '').replace('v2.0', 'v3')
TENANT_NAME = os.environ.get('OS_TENANT_NAME')
opts = [
cfg.StrOpt('stack-user-domain-name',
default="heat",
help="Name of domain to create for stack users."),
cfg.StrOpt('stack-domain-admin',
default="heat_stack_admin",
help="Keystone username with roles sufficient to manage users"
" and projects in the stack-user-domain"),
cfg.StrOpt('stack-domain-admin-password',
secret=True,
help="Password to set for stack-domain-admin"),
cfg.BoolOpt('insecure',
default=False,
help="If set, then the server's certificate will not "
"be verified."),
cfg.StrOpt('os-cacert',
help='Optional CA cert file to use in SSL connections.'),
cfg.StrOpt('os-cert',
help='Optional PEM-formatted certificate chain file.'),
cfg.StrOpt('os-key',
help='Optional PEM-formatted file that contains the '
'private key.'),
]
cfg.CONF.register_cli_opts(opts)
cfg.CONF(sys.argv[1:],
project='heat',
prog='heat-keystone-setup-domain',
version=version.version_info.version_string())
HEAT_DOMAIN_NAME = os.environ.get(
'HEAT_DOMAIN', cfg.CONF.stack_user_domain_name)
HEAT_DOMAIN_ADMIN = os.environ.get('HEAT_DOMAIN_ADMIN',
cfg.CONF.stack_domain_admin)
HEAT_DOMAIN_PASSWORD = os.environ.get('HEAT_DOMAIN_PASSWORD',
cfg.CONF.stack_domain_admin_password)
HEAT_DOMAIN_DESCRIPTION = 'Contains users and projects created by heat'
logger.debug("USERNAME=%s" % USERNAME)
logger.debug("AUTH_URL=%s" % AUTH_URL)
CACERT = os.environ.get('OS_CACERT', cfg.CONF.os_cacert)
CERT = os.environ.get('OS_CERT', cfg.CONF.os_cert)
KEY = os.environ.get('OS_KEY', cfg.CONF.os_key)
insecure = cfg.CONF.insecure
def main():
log_lvl = logging.DEBUG if DEBUG else logging.WARNING
logging.basicConfig(
format="%(levelname)s (%(module)s:%(lineno)d) %(message)s",
level=log_lvl)
logging.getLogger('urllib3.connectionpool').setLevel(logging.WARNING)
client_kwargs = {
'debug': DEBUG,
'username': USERNAME,
'password': PASSWORD,
'auth_url': AUTH_URL,
'endpoint': AUTH_URL,
'tenant_name': TENANT_NAME
}
if insecure:
client_kwargs['verify'] = False
else:
client_kwargs.update({
'cacert': CACERT,
'cert': CERT,
'key': KEY
})
c = client.Client(**client_kwargs)
c.authenticate()
# Create the heat domain
logger.info("Creating domain %s" % HEAT_DOMAIN_NAME)
try:
heat_domain = c.domains.create(name=HEAT_DOMAIN_NAME,
description=HEAT_DOMAIN_DESCRIPTION)
except kc_exception.Conflict:
logger.warning("Domain %s already exists" % HEAT_DOMAIN_NAME)
heat_domain = c.domains.list(name=HEAT_DOMAIN_NAME)[0]
if heat_domain.name != HEAT_DOMAIN_NAME:
logger.error("Unexpected filtered list response, please upgrade "
"keystoneclient to >= 0.5")
sys.exit(1)
except kc_exception.Forbidden:
logger.error("User '%s' is not authorized to perform this "
"operation, please try with other OS_USERNAME setting." %
USERNAME)
sys.exit(1)
# Create heat domain admin user
if not HEAT_DOMAIN_PASSWORD:
logger.error("Must export HEAT_DOMAIN_PASSWORD or use"
" --stack-domain-admin-password")
sys.exit(1)
try:
domain_admin = c.users.create(name=HEAT_DOMAIN_ADMIN,
password=HEAT_DOMAIN_PASSWORD,
domain=heat_domain,
description="Heat domain admin")
except kc_exception.Conflict:
logger.warning("User %s already exists" % HEAT_DOMAIN_ADMIN)
domain_admin = c.users.list(name=HEAT_DOMAIN_ADMIN,
domain=heat_domain)[0]
# Make the user a domain admin
roles_list = c.roles.list()
# FIXME(shardy): seems filtering roles by name currently doesn't work
admin_role = [r for r in roles_list
if r.name == 'admin'][0]
c.roles.grant(role=admin_role, user=domain_admin, domain=heat_domain)
print("\nPlease update your heat.conf with the following in [DEFAULT]\n")
print("stack_user_domain_id=%s" % heat_domain.id)
print("stack_domain_admin=%s" % HEAT_DOMAIN_ADMIN)
print("stack_domain_admin_password=%s" % HEAT_DOMAIN_PASSWORD)
if __name__ == "__main__":
main()
|