# ## Copyright (C) 2019 Wind River Systems, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. DESCRIPTION = "Authentication service for OpenStack" HOMEPAGE = "http://www.openstack.org" SECTION = "devel/python" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2" SRCREV = "c78581b4608f3dc10e945d358963000f284f188a" SRCNAME = "keystone" PROTOCOL = "git" BRANCH = "stable/stein" S = "${WORKDIR}/git" PV = "15.0.0+git${SRCPV}" SRC_URI = " \ git://opendev.org/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \ file://${PN}/keystone.conf \ file://${PN}/identity.sh \ file://${PN}/convert_keystone_backend.py \ file://${PN}/wsgi-keystone.conf \ file://${PN}/admin-openrc \ file://${PN}/keystone-init.service \ file://${PN}/stx-files/openstack-keystone.service \ file://${PN}/stx-files/keystone-all \ file://${PN}/stx-files/keystone-fernet-keys-rotate-active \ file://${PN}/stx-files/public.py \ file://${PN}/stx-files/password-rules.conf \ " inherit setuptools identity hosts default_configs monitor useradd systemd SERVICE_TOKEN = "password" TOKEN_FORMAT ?= "PKI" USERADD_PACKAGES = "${PN}" USERADD_PARAM_${PN} = "--system -m -s /bin/false keystone" LDAP_DN ?= "dc=my-domain,dc=com" SERVICECREATE_PACKAGES = "${SRCNAME}-setup" KEYSTONE_HOST="${CONTROLLER_IP}" # USERCREATE_PARAM and SERVICECREATE_PARAM contain the list of parameters to be # set. If the flag for a parameter in the list is not set here, the default # value will be given to that parameter. Parameters not in the list will be set # to empty. USERCREATE_PARAM_${SRCNAME}-setup = "name pass tenant role email" python () { flags = {'name':'${ADMIN_USER}',\ 'pass':'${ADMIN_PASSWORD}',\ 'tenant':'${ADMIN_TENANT}',\ 'role':'${ADMIN_ROLE}',\ 'email':'${ADMIN_USER_EMAIL}',\ } d.setVarFlags("USERCREATE_PARAM_%s-setup" % d.getVar('SRCNAME',True), flags) } SERVICECREATE_PARAM_${SRCNAME}-setup = "name type description region publicurl adminurl internalurl" python () { flags = {'type':'identity',\ 'description':'OpenStack Identity',\ 'publicurl':"'http://${KEYSTONE_HOST}:8081/keystone/main/v2.0'",\ 'adminurl':"'http://${KEYSTONE_HOST}:8081/keystone/admin/v2.0'",\ 'internalurl':"'http://${KEYSTONE_HOST}:8081/keystone/main/v2.0'"} d.setVarFlags("SERVICECREATE_PARAM_%s-setup" % d.getVar('SRCNAME',True), flags) } do_install_append() { KEYSTONE_CONF_DIR=${D}${sysconfdir}/keystone KEYSTONE_DATA_DIR=${D}${localstatedir}/lib/keystone KEYSTONE_PACKAGE_DIR=${D}${PYTHON_SITEPACKAGES_DIR}/keystone APACHE_CONF_DIR=${D}${sysconfdir}/apache2/conf.d/ # Create directories install -m 755 -d ${KEYSTONE_CONF_DIR} install -m 755 -d ${KEYSTONE_DATA_DIR} install -m 755 -d ${APACHE_CONF_DIR} install -d ${D}${localstatedir}/log/${SRCNAME} # Setup the systemd service file install -d ${D}${systemd_system_unitdir}/ install -m 644 ${WORKDIR}/${PN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service mv ${D}/${datadir}/etc/keystone/sso_callback_template.html ${KEYSTONE_CONF_DIR}/ rm -rf ${D}/${datadir} # Setup the admin-openrc file KS_OPENRC_FILE=${KEYSTONE_CONF_DIR}/admin-openrc install -m 600 ${WORKDIR}/${PN}/admin-openrc ${KS_OPENRC_FILE} sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KS_OPENRC_FILE} sed -e "s:%ADMIN_USER%:${ADMIN_USER}:g" -i ${KS_OPENRC_FILE} sed -e "s:%ADMIN_PASSWORD%:${ADMIN_PASSWORD}:g" -i ${KS_OPENRC_FILE} # Install various configuration files. We have to select suitable # permissions as packages such as Apache require read access. # # Apache needs to read the keystone.conf install -m 644 ${WORKDIR}/${PN}/keystone.conf ${KEYSTONE_CONF_DIR}/ # Apache needs to read the wsgi-keystone.conf install -m 644 ${WORKDIR}/${PN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf install -m 600 ${S}${sysconfdir}/logging.conf.sample ${KEYSTONE_CONF_DIR}/logging.conf # Copy examples from upstream cp -r ${S}/examples ${KEYSTONE_PACKAGE_DIR} # Edit the configuration to allow it to work out of the box KEYSTONE_CONF_FILE=${KEYSTONE_CONF_DIR}/keystone.conf sed "/# admin_endpoint = .*/a \ public_endpoint = http://%CONTROLLER_IP%:5000/ " \ -i ${KEYSTONE_CONF_FILE} sed "/# admin_endpoint = .*/a \ admin_endpoint = http://%CONTROLLER_IP%:35357/ " \ -i ${KEYSTONE_CONF_FILE} sed -e "s:%SERVICE_TOKEN%:${SERVICE_TOKEN}:g" -i ${KEYSTONE_CONF_FILE} sed -e "s:%DB_USER%:${DB_USER}:g" -i ${KEYSTONE_CONF_FILE} sed -e "s:%DB_PASSWORD%:${DB_PASSWORD}:g" -i ${KEYSTONE_CONF_FILE} sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KEYSTONE_CONF_FILE} sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KEYSTONE_CONF_FILE} sed -e "s:%TOKEN_FORMAT%:${TOKEN_FORMAT}:g" -i ${KEYSTONE_CONF_FILE} install -d ${KEYSTONE_PACKAGE_DIR}/tests/tmp if [ -e "${KEYSTONE_PACKAGE_DIR}/tests/test_overrides.conf" ];then sed -e "s:%KEYSTONE_PACKAGE_DIR%:${PYTHON_SITEPACKAGES_DIR}/keystone:g" \ -i ${KEYSTONE_PACKAGE_DIR}/tests/test_overrides.conf fi if ${@bb.utils.contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then sed -i -e '/^\[identity\]/a \ driver = keystone.identity.backends.hybrid_identity.Identity \ \ [assignment]\ driver = keystone.assignment.backends.hybrid_assignment.Assignment\ ' ${D}${sysconfdir}/keystone/keystone.conf sed -i -e '/^\[ldap\]/a \ url = ldap://localhost \ user = cn=Manager,${LDAP_DN} \ password = secret \ suffix = ${LDAP_DN} \ use_dumb_member = True \ \ user_tree_dn = ou=Users,${LDAP_DN} \ user_attribute_ignore = enabled,email,tenants,default_project_id \ user_id_attribute = uid \ user_name_attribute = uid \ user_mail_attribute = email \ user_pass_attribute = keystonePassword \ \ tenant_tree_dn = ou=Groups,${LDAP_DN} \ tenant_desc_attribute = description \ tenant_domain_id_attribute = businessCategory \ tenant_attribute_ignore = enabled \ tenant_objectclass = groupOfNames \ tenant_id_attribute = cn \ tenant_member_attribute = member \ tenant_name_attribute = ou \ \ role_attribute_ignore = enabled \ role_objectclass = groupOfNames \ role_member_attribute = member \ role_id_attribute = cn \ role_name_attribute = ou \ role_tree_dn = ou=Roles,${LDAP_DN} \ ' ${KEYSTONE_CONF_FILE} install -m 0755 ${WORKDIR}/${PN}/convert_keystone_backend.py \ ${D}${sysconfdir}/keystone/convert_keystone_backend.py fi install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active install -m 440 ${WORKDIR}/${PN}/stx-files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf install -m 755 ${WORKDIR}/${PN}/stx-files/public.py ${KEYSTONE_DATA_DIR}/public.py install -m 644 ${WORKDIR}/${PN}/stx-files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-all ${D}${bindir}/keystone-all } # By default tokens are expired after 1 day so by default we can set # this token flush cronjob to run every 2 days KEYSTONE_TOKEN_FLUSH_TIME ??= "0 0 */2 * *" pkg_postinst_${SRCNAME}-cronjobs () { if [ -z "$D" ]; then # By default keystone expired tokens are not automatic removed out of the # database. So we create a cronjob for cleaning these expired tokens. echo "${KEYSTONE_TOKEN_FLUSH_TIME} root /usr/bin/keystone-manage token_flush" >> /etc/crontab fi } pkg_postinst_${SRCNAME} () { # openstak-keystone will be run in httpd/apache2 instead of standalone ln -sf ${systemd_system_unitdir}/apache2.service $D${sysconfdir}/systemd/system/openstack-keystone.service } PACKAGES += " ${SRCNAME}-tests ${SRCNAME} ${SRCNAME}-setup ${SRCNAME}-cronjobs" SYSTEMD_PACKAGES += "${SRCNAME}-setup" SYSTEMD_SERVICE_${SRCNAME}-setup = "keystone-init.service" SYSTEMD_SERVICE_${SRCNAME} = "openstack-keystone.service" SYSTEMD_AUTO_ENABLE_${SRCNAME}-setup = "disable" SYSTEMD_AUTO_ENABLE_${SRCNAME} = "disable" FILES_${SRCNAME}-setup = " \ ${systemd_system_unitdir}/keystone-init.service \ " ALLOW_EMPTY_${SRCNAME}-cronjobs = "1" FILES_${PN} = "${libdir}/* \ " FILES_${SRCNAME}-tests = "${sysconfdir}/${SRCNAME}/run_tests.sh" FILES_${SRCNAME} = "${bindir}/* \ ${sysconfdir}/${SRCNAME}/* \ ${localstatedir}/* \ ${datadir}/openstack-dashboard/openstack_dashboard/api/keystone-httpd.py \ ${sysconfdir}/apache2/conf.d/keystone.conf \ ${systemd_system_unitdir}/openstack-keystone.service \ " DEPENDS += " \ python-pip \ python-pbr-native \ " # Satisfy setup.py 'setup_requires' DEPENDS += " \ python-pbr-native \ " RDEPENDS_${PN} += " \ python-babel \ python-pbr \ python-webob \ python-pastedeploy \ python-paste \ python-routes \ python-cryptography \ python-six \ python-sqlalchemy \ python-sqlalchemy-migrate \ python-stevedore \ python-passlib \ python-keystoneclient \ python-keystonemiddleware \ python-bcrypt \ python-scrypt \ python-oslo.cache \ python-oslo.concurrency \ python-oslo.config \ python-oslo.context \ python-oslo.messaging \ python-oslo.db \ python-oslo.i18n \ python-oslo.log \ python-oslo.middleware \ python-oslo.policy \ python-oslo.serialization \ python-oslo.utils \ python-oauthlib \ python-pysaml2 \ python-dogpile.cache \ python-jsonschema \ python-pycadf \ python-msgpack \ python-osprofiler \ python-flask \ python-flask-restful \ python-pytz \ " RDEPENDS_${SRCNAME}-tests += " bash" PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'OpenLDAP', 'OpenLDAP', '', d)}" PACKAGECONFIG[OpenLDAP] = ",,,python-ldap python-keystone-hybrid-backend" # TODO: # if DISTRO_FEATURE contains "tempest" then add *-tests to the main RDEPENDS RDEPENDS_${SRCNAME} = " \ ${PN} \ postgresql \ postgresql-client \ python-psycopg2 \ apache2 \ " RDEPENDS_${SRCNAME}-setup = "postgresql sudo ${SRCNAME}" RDEPENDS_${SRCNAME}-cronjobs = "cronie ${SRCNAME}" MONITOR_SERVICE_PACKAGES = "${SRCNAME}" MONITOR_SERVICE_${SRCNAME} = "keystone"