From 3a38aa6eda5a57299f20bf0cabb10442e1a2cc89 Mon Sep 17 00:00:00 2001
From: Martin Magr <mmagr@redhat.com>
Date: Thu, 5 Jun 2014 14:24:47 +0200
Subject: [PATCH] Implement Keystone domain creation

Keystone domain has to be created for Heat. This patch implements this
via helper script [1] since we don't have support for Keystone v3 API
in puppet-keystone yet. This implementation should be refactored as soon
as we will have v3 API available in puppet-keystone. For more info
please check [2].

[1] https://github.com/openstack/heat/blob/master/bin/heat-keystone-setup-domain
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1076172
---
 lib/puppet/provider/heat_domain_id_setter/ruby.rb | 183 ++++++++++++++++++++++
 lib/puppet/type/heat_config.rb                    |   4 +
 lib/puppet/type/heat_domain_id_setter.rb          |  31 ++++
 manifests/keystone/domain.pp                      |  73 +++++++++
 4 files changed, 291 insertions(+)
 create mode 100644 lib/puppet/provider/heat_domain_id_setter/ruby.rb
 create mode 100644 lib/puppet/type/heat_domain_id_setter.rb
 create mode 100644 manifests/keystone/domain.pp

diff --git a/lib/puppet/provider/heat_domain_id_setter/ruby.rb b/lib/puppet/provider/heat_domain_id_setter/ruby.rb
new file mode 100644
index 0000000..8862fe5
--- /dev/null
+++ b/lib/puppet/provider/heat_domain_id_setter/ruby.rb
@@ -0,0 +1,183 @@
+## NB: This must work with Ruby 1.8!
+
+# This provider permits the stack_user_domain parameter in heat.conf
+# to be set by providing a domain_name to the Puppet module and
+# using the Keystone REST API to translate the name into the corresponding
+# UUID.
+#
+# This requires that tenant names be unique.  If there are multiple matches
+# for a given tenant name, this provider will raise an exception.
+
+require 'rubygems'
+require 'net/http'
+require 'json'
+
+class KeystoneError < Puppet::Error
+end
+
+class KeystoneConnectionError < KeystoneError
+end
+
+class KeystoneAPIError < KeystoneError
+end
+
+# Provides common request handling semantics to the other methods in
+# this module.
+#
+# +req+::
+#   An HTTPRequest object
+# +url+::
+#   A parsed URL (returned from URI.parse)
+def handle_request(req, url)
+    begin
+        res = Net::HTTP.start(url.host, url.port) {|http|
+            http.request(req)
+        }
+
+        if res.code != '200'
+            raise KeystoneAPIError, "Received error response from Keystone server at #{url}: #{res.message}"
+        end
+    rescue Errno::ECONNREFUSED => detail
+        raise KeystoneConnectionError, "Failed to connect to Keystone server at #{url}: #{detail}"
+    rescue SocketError => detail
+        raise KeystoneConnectionError, "Failed to connect to Keystone server at #{url}: #{detail}"
+    end
+
+    res
+end
+
+# Authenticates to a Keystone server and obtains an authentication token.
+# It returns a 2-element +[token, authinfo]+, where +token+ is a token
+# suitable for passing to openstack apis in the +X-Auth-Token+ header, and
+# +authinfo+ is the complete response from Keystone, including the service
+# catalog (if available).
+#
+# +auth_url+::
+#   Keystone endpoint URL.  This function assumes API version
+#   2.0 and an administrative endpoint, so this will typically look like
+#   +http://somehost:35357/v2.0+.
+#
+# +username+::
+#   Username for authentication.
+#
+# +password+::
+#   Password for authentication
+#
+# +tenantID+::
+#   Tenant UUID
+#
+# +tenantName+::
+#   Tenant name
+#
+def keystone_v2_authenticate(auth_url,
+                             username,
+                             password,
+                             tenantId=nil,
+                             tenantName=nil)
+
+    post_args = {
+        'auth' => {
+            'passwordCredentials' => {
+                'username' => username,
+                'password' => password
+            },
+        }}
+
+    if tenantId
+        post_args['auth']['tenantId'] = tenantId
+    end
+
+    if tenantName
+        post_args['auth']['tenantName'] = tenantName
+    end
+
+    url = URI.parse("#{auth_url}/tokens")
+    req = Net::HTTP::Post.new url.path
+    req['content-type'] = 'application/json'
+    req.body = post_args.to_json
+
+    res = handle_request(req, url)
+    data = JSON.parse res.body
+    return data['access']['token']['id'], data
+end
+
+# Queries a Keystone server to a list of all tenants.
+#
+# +auth_url+::
+#   Keystone endpoint.  See the notes for +auth_url+ in
+#   +keystone_v2_authenticate+.
+#
+# +token+::
+#   A Keystone token that will be passed in requests as the value of the
+#   +X-Auth-Token+ header.
+#
+def keystone_v3_domains(auth_url,
+                        token)
+
+    auth_url.sub!('v2.0', 'v3')
+    url = URI.parse("#{auth_url}/domains")
+    req = Net::HTTP::Get.new url.path
+    req['content-type'] = 'application/json'
+    req['x-auth-token'] = token
+
+    res = handle_request(req, url)
+    data = JSON.parse res.body
+    data['domains']
+end
+
+Puppet::Type.type(:heat_domain_id_setter).provide(:ruby) do
+    def authenticate
+        token, authinfo = keystone_v2_authenticate(
+            @resource[:auth_url],
+            @resource[:auth_username],
+            @resource[:auth_password],
+            nil,
+            @resource[:auth_tenant_name])
+
+        return token
+    end
+
+    def find_domain_by_name(token)
+        domains = keystone_v3_domains(
+            @resource[:auth_url],
+            token)
+        domains.select{|domain| domain['name'] == @resource[:domain_name]}
+    end
+
+    def exists?
+        false
+    end
+
+    def create
+        config
+    end
+
+    # This looks for the domain specified by the 'domain_name' parameter to
+    # the resource and returns the corresponding UUID if there is a single
+    # match.
+    #
+    # Raises a KeystoneAPIError if:
+    #
+    # - There are multiple matches, or
+    # - There are zero matches
+    def get_domain_id
+        token = authenticate
+        domains = find_domain_by_name(token)
+
+        if domains.length == 1
+            return domains[0]['id']
+        elsif domains.length > 1
+            name = domains[0]['name']
+            raise KeystoneAPIError, 'Found multiple matches for domain name "#{name}"'
+        else
+            raise KeystoneAPIError, 'Unable to find matching tenant'
+        end
+    end
+
+    def config
+        Puppet::Type.type(:heat_config).new(
+            {:name => 'DEFAULT/stack_user_domain', :value => "#{get_domain_id}"}
+        ).create
+    end
+
+end
diff --git a/lib/puppet/type/heat_config.rb b/lib/puppet/type/heat_config.rb
index 3534e22..131cfad 100644
--- a/lib/puppet/type/heat_config.rb
+++ b/lib/puppet/type/heat_config.rb
@@ -16,4 +16,8 @@ Puppet::Type.newtype(:heat_config) do
     end
   end
 
+  def create
+    provider.create
+  end
+
 end
diff --git a/lib/puppet/type/heat_domain_id_setter.rb b/lib/puppet/type/heat_domain_id_setter.rb
new file mode 100644
index 0000000..d6e1eee
--- /dev/null
+++ b/lib/puppet/type/heat_domain_id_setter.rb
@@ -0,0 +1,31 @@
+Puppet::Type.newtype(:heat_domain_id_setter) do
+
+    ensurable
+
+    newparam(:name, :namevar => true) do
+        desc 'The name of the setting to update'
+    end
+
+    newparam(:domain_name) do
+        desc 'The heat domain name'
+    end
+
+    newparam(:auth_url) do
+        desc 'The Keystone endpoint URL'
+        defaultto 'http://localhost:35357/v2.0'
+    end
+
+    newparam(:auth_username) do
+        desc 'Username with which to authenticate'
+        defaultto 'admin'
+    end
+
+    newparam(:auth_password) do
+        desc 'Password with which to authenticate'
+    end
+
+    newparam(:auth_tenant_name) do
+        desc 'Tenant name with which to authenticate'
+        defaultto 'admin'
+    end
+end
diff --git a/manifests/keystone/domain.pp b/manifests/keystone/domain.pp
new file mode 100644
index 0000000..0ef4b6a
--- /dev/null
+++ b/manifests/keystone/domain.pp
@@ -0,0 +1,73 @@
+# == Class: heat::keystone::domain
+#
+# Configures heat domain in Keystone.
+#
+# Note: Implementation is done by heat-keystone-setup-domain script temporarily
+#       because currently puppet-keystone does not support v3 API
+#
+# === Parameters
+#
+# [*auth_url*]
+#   Keystone auth url
+#
+# [*keystone_admin*]
+#   Keystone admin user
+#
+# [*keystone_password*]
+#   Keystone admin password
+#
+# [*keystone_tenant*]
+#   Keystone admin tenant name
+#
+# [*domain_name*]
+#   Heat domain name. Defaults to 'heat'.
+#
+# [*domain_admin*]
+#   Keystone domain admin user which will be created. Defaults to 'heat_admin'.
+#
+# [*domain_password*]
+#   Keystone domain admin user password. Defaults to 'changeme'.
+#
+class heat::keystone::domain (
+  $auth_url          = undef,
+  $keystone_admin    = undef,
+  $keystone_password = undef,
+  $keystone_tenant   = undef,
+  $domain_name       = 'heat',
+  $domain_admin      = 'heat_admin',
+  $domain_password   = 'changeme',
+) {
+
+  include heat::params
+
+  $cmd_evn = [
+    "OS_USERNAME=${keystone_admin}",
+    "OS_PASSWORD=${keystone_password}",
+    "OS_AUTH_URL=${auth_url}",
+    "HEAT_DOMAIN=${domain_name}",
+    "HEAT_DOMAIN_ADMIN=${domain_admin}",
+    "HEAT_DOMAIN_PASSWORD=${domain_password}"
+  ]
+  exec { 'heat_domain_create':
+    path        => '/usr/bin',
+    command     => 'heat-keystone-setup-domain &>/dev/null',
+    environment => $cmd_evn,
+    require     => Package['heat-common'],
+  }
+
+  heat_domain_id_setter { 'heat_domain_id':
+    ensure           => present,
+    domain_name      => $domain_name,
+    auth_url         => $auth_url,
+    auth_username    => $keystone_admin,
+    auth_password    => $keystone_password,
+    auth_tenant_name => $keystone_tenant,
+    require          => Exec['heat_domain_create'],
+  }
+
+  heat_config {
+    'DEFAULT/stack_domain_admin': value => $domain_admin;
+    'DEFAULT/stack_domain_admin_password': value => $domain_password;
+  }
+
+}
-- 
1.9.3