This file is indexed.

/usr/bin/heat-keystone-setup is in heat-common 2014.1-0ubuntu1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
#!/bin/bash

set +e

KEYSTONE_CONF=${KEYSTONE_CONF:-/etc/keystone/keystone.conf}

# Extract some info from Keystone's configuration file
if [[ -r "$KEYSTONE_CONF" ]]; then
    CONFIG_SERVICE_TOKEN=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_token= | cut -d'=' -f2)
    CONFIG_ADMIN_PORT=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_port= | cut -d'=' -f2)
fi

SERVICE_TOKEN=${OS_SERVICE_TOKEN:-$CONFIG_SERVICE_TOKEN}
SERVICE_ENDPOINT=${OS_SERVICE_ENDPOINT:-http://127.0.0.1:${CONFIG_ADMIN_PORT:-35357}/v2.0}
if [[ -z "$SERVICE_TOKEN" ]]; then
    echo "No service token found." >&2
    echo "Set SERVICE_TOKEN manually from keystone.conf admin_token." >&2
    exit 1
fi

set_admin_token() {
    alias keystone="keystone --token $SERVICE_TOKEN \
                             --endpoint $SERVICE_ENDPOINT"
}

unset_admin_token() {
    unalias keystone
}

#### utilities functions merged from devstack to check required parameter is not empty
# Prints line number and "message" in error format
# err $LINENO "message"
function err() {
    local exitcode=$?
    errXTRACE=$(set +o | grep xtrace)
    set +o xtrace
    local msg="[ERROR] ${BASH_SOURCE[2]}:$1 $2"
    echo $msg 1>&2;
    if [[ -n ${SCREEN_LOGDIR} ]]; then
        echo $msg >> "${SCREEN_LOGDIR}/error.log"
    fi
    $errXTRACE
    return $exitcode
}
# Prints backtrace info
# filename:lineno:function
function backtrace {
    local level=$1
    local deep=$((${#BASH_SOURCE[@]} - 1))
    echo "[Call Trace]"
    while [ $level -le $deep ]; do
        echo "${BASH_SOURCE[$deep]}:${BASH_LINENO[$deep-1]}:${FUNCNAME[$deep-1]}"
        deep=$((deep - 1))
    done
}


# Prints line number and "message" then exits
# die $LINENO "message"
function die() {
    local exitcode=$?
    set +o xtrace
    local line=$1; shift
    if [ $exitcode == 0 ]; then
        exitcode=1
    fi
    backtrace 2
    err $line "$*"
    exit $exitcode
}


# Checks an environment variable is not set or has length 0 OR if the
# exit code is non-zero and prints "message" and exits
# NOTE: env-var is the variable name without a '$'
# die_if_not_set $LINENO env-var "message"
function die_if_not_set() {
    local exitcode=$?
    FXTRACE=$(set +o | grep xtrace)
    set +o xtrace
    local line=$1; shift
    local evar=$1; shift
    if ! is_set $evar || [ $exitcode != 0 ]; then
        die $line "$*"
    fi
    $FXTRACE
}

# Test if the named environment variable is set and not zero length
# is_set env-var
function is_set() {
    local var=\$"$1"
    eval "[ -n \"$var\" ]" # For ex.: sh -c "[ -n \"$var\" ]" would be better, but several exercises depends on this
}

#######################################

get_data() {
    local match_column=$(($1 + 1))
    local regex="$2"
    local output_column=$(($3 + 1))
    shift 3

    output=$("$@" | \
           awk -F'|' \
               "! /^\+/ && \$${match_column} ~ \"^ *${regex} *\$\" \
                { print \$${output_column} }")

    echo "$output"
}

get_id () {
    get_data 1 id 2 "$@"
}

get_column_num() {
    local name=$1
    shift
    $@ | awk -F'|' "NR == 2 && /^|/ { for (i=2; i<NF; i++) if (\$i ~ \"^ *${name} *\$\") print (i - 1) }"
}

get_user() {
    local username=$1

    # Outut format of keystone user-list changed between essex and
    # folsom - the columns have been re-ordered (!?), so detect what
    # column to pass to get_data via get_column_num
    namecol=$(get_column_num name keystone user-list)
    die_if_not_set $LINENO namecol "Fail to get namecol for name by 'keystone user-list' "

    local user_id=$(get_data $namecol $username 1 keystone user-list)

    if [ -n "$user_id" ]; then
        echo "Found existing $username user" >&2
        echo $user_id
    else
        echo "Creating $username user..." >&2
        get_id keystone user-create --name=$username \
                                    --pass="$SERVICE_PASSWORD" \
                                    --tenant_id $SERVICE_TENANT \
                                    --email=$username@example.com
    fi
}

add_role() {
    local user_id=$1
    local tenant=$2
    local role_id=$3
    local username=$4

    # The keystone argument format changed between essex and folsom
    # so we use the fact that the folsom keystone version has a new
    # option "user-role-list" to detect we're on that newer version
    # This also allows us to detect when the user already has the
    # requested role_id, preventing an error on folsom
    user_roles=$(keystone user-role-list \
                          --user_id $user_id\
                          --tenant_id $tenant 2>/dev/null)
    die_if_not_set $LINENO user_roles "Fail to get user_roles for tenant($tenant) and user_id($user_id)"
    if [ $? == 0 ]; then
        # Folsom
        existing_role=$(get_data 1 $role_id 1 echo "$user_roles")
        if [ -n "$existing_role" ]
        then
            echo "User $username already has role $role_id" >&2
            return
        fi
        keystone user-role-add --tenant_id $tenant \
                           --user_id $user_id \
                           --role_id $role_id
    else
        # Essex
        keystone user-role-add --tenant_id $tenant \
                               --user $user_id \
                               --role $role_id
    fi
}

create_role() {
    local role_name=$1

    role_id=$(get_data 2 $role_name 1 keystone role-list)
    if [ -n "$role_id" ]
    then
        echo "Role $role_name already exists : $role_id" >&2
    else
        keystone role-create --name $role_name
    fi
}

get_endpoint() {
    local service_type=$1

    unset_admin_token
    keystone endpoint-get --service $service_type
    set_admin_token
}

delete_endpoint() {
    local service_type=$1

    case $service_type in
        volume) urlsuffix='\\\\$\\\\(tenant_id)s';;
        orchestration) urlsuffix='%[(]tenant_id[)]s';;
        # cloudformation has no hash suffix
        *) urlsuffix=''
    esac

    local url=$(get_data 1 "${service_type}[.]publicURL" 2 \
                get_endpoint $service_type 2>/dev/null | \
                sed -r "s/[a-f0-9]{32}/$urlsuffix/")

    if [ -n "$url" ]; then
        local endpoints=$(get_data 3 $url 1 keystone endpoint-list)

        for endpoint in $endpoints; do
            echo "Removing $service_type endpoint ${endpoint}..." >&2
            keystone endpoint-delete "$endpoint" >&2
        done

        if [ -z "$endpoints" ]; then false; fi
    else
        false
    fi
}

delete_all_endpoints() {
    while delete_endpoint $1; do
        true
    done
}

delete_service() {
    local service_type=$1

    delete_all_endpoints $service_type

    local service_ids=$(get_data 3 $service_type 1 keystone service-list)

    for service in $service_ids; do
        local service_name=$(get_data 1 $service 2 keystone service-list)
        echo "Removing $service_name:$service_type service..." >&2
        keystone service-delete $service >&2
    done
}

get_service() {
    local service_name=$1
    local service_type=$2
    local description="$3"

    delete_service $service_type

    get_id keystone service-create --name=$service_name \
                                   --type=$service_type \
                                   --description="$description"
}

add_endpoint() {
    local service_id=$1
    local url="$2"

    keystone endpoint-create --region RegionOne --service_id $service_id \
        --publicurl "$url" --adminurl "$url" --internalurl "$url" >&2
}

keystone_setup() {
    # Make sure we can use keystone command without OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT
    # credential, because we need to use keystone endpoint-get command below, and the
    # keystone endpoint-get command can not run correctly
    # using OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT credential.
    unset OS_SERVICE_TOKEN
    unset OS_SERVICE_ENDPOINT
    TENANT_ID=$(get_data 1 tenant_id 2 keystone token-get)
    die_if_not_set $LINENO TENANT_ID "Fail to get TENANT_ID by 'token-get' "

    set_admin_token

    ADMIN_ROLE=$(get_data 2 admin 1 keystone role-list)
    die_if_not_set $LINENO ADMIN_ROLE "Fail to get ADMIN_ROLE by 'keystone role-list' "
    SERVICE_TENANT=$(get_data 2 service 1 keystone tenant-list)
    die_if_not_set $LINENO SERVICE_TENANT "Fail to get service tenant 'keystone tenant-list' "
    SERVICE_PASSWORD=${SERVICE_PASSWORD:-$OS_PASSWORD}
    SERVICE_HOST=${SERVICE_HOST:-localhost}

    if [[ "$SERVICE_PASSWORD" == "$OS_PASSWORD" ]]; then
        echo "Using the OS_PASSWORD for the SERVICE_PASSWORD." >&2
    fi

    if [[ "$SERVICE_HOST" == "localhost" ]]; then
        echo "Warning: Endpoints will be registered as localhost, but this usually won't work."
        echo "Set SERVICE_HOST to a publicly accessible hostname/IP instead."
    fi

    echo ADMIN_ROLE $ADMIN_ROLE
    echo SERVICE_TENANT $SERVICE_TENANT
    echo SERVICE_PASSWORD $SERVICE_PASSWORD
    echo SERVICE_TOKEN $SERVICE_TOKEN
    echo SERVICE_HOST $SERVICE_HOST

    HEAT_USERNAME="heat"
    HEAT_USERID=$(get_user $HEAT_USERNAME)
    die_if_not_set $LINENO HEAT_USERID "Fail to get user for $HEAT_USERNAME"
    echo HEAT_USERID $HEAT_USERID
    add_role $HEAT_USERID $SERVICE_TENANT $ADMIN_ROLE $HEAT_USERNAME

    # Create a special role which template-defined "stack users" are
    # assigned to in the engine when they are created, this allows them
    # to be more easily differentiated from other users (e.g so we can
    # lock down these implicitly untrusted users via RBAC policy)
    STACK_USER_ROLE="heat_stack_user"
    create_role $STACK_USER_ROLE

    HEAT_CFN_SERVICE=$(get_service heat-cfn cloudformation \
                       "Heat CloudFormation API")
    add_endpoint $HEAT_CFN_SERVICE "http://$SERVICE_HOST:8000/v1"

    HEAT_OS_SERVICE=$(get_service heat orchestration \
                      "Heat API")
    add_endpoint $HEAT_OS_SERVICE "http://$SERVICE_HOST:8004/v1/%(tenant_id)s"
}

if [[ ${BASH_SOURCE[0]} == ${0} ]]; then
    keystone_setup
fi