Create policy.json file in Ocata for non-admin user

[doctor.git] / tests / lib / installers / fuel

#!/bin/bash

if [[ "congress " == "$INSPECTOR_TYPE" ]]; then
    die $LINENO "fuel does not support congress yet..."
fi

COMPUTE_USER=${COMPUTE_USER:-root}
ssh_opts_cpu="$ssh_opts -i instack_key"

function get_installer_ip {
    is_set INSTALLER_IP && return
    INSTALLER_IP=$(get_first_vnic_ip fuel-master)
}

function get_controller_ips {
    is_set CONTROLLER_IPS && return
    CONTROLLER_IPS=$(ssh $ssh_opts_cpu root@$INSTALLER_IP \
                     "fuel node | grep controller | cut -d '|' -f 5|xargs")
    die_if_not_set $LINENO CONTROLLER_IPS "No controller IPs"
}

function installer_get_ssh_keys {
    if [[ -e instack_key ]]; then
        echo "test existing instack_key..."
        ssh $ssh_opts_cpu root@${INSTALLER_IP} "hostname" && return
    fi
    echo "getting instack_key from fuel node..."
    sshpass -p r00tme scp $ssh_opts root@${INSTALLER_IP}:.ssh/id_rsa instack_key
    sudo chown $(whoami):$(whoami) instack_key
    chmod 400 instack_key
}

function installer_apply_patches {
    # TODO(r-mibu): fix the followings in upstream (fuel)
    for node in $CONTROLLER_IPS;do
        echo "check controller configuration for doctor ($node)"
        ssh $ssh_opts_cpu "root@$node" '
            set -x
            date
            echo "### apply patches (installer=fuel)"

            ep_conf=/etc/ceilometer/event_pipeline.yaml
            entry="- notifier://?topic=alarm.all"
            if ! grep -q -e "$entry" $ep_conf; then
                echo "modify the ceilometer config"
                echo "          $entry    # added by doctor script" >> $ep_conf
                service ceilometer-agent-notification restart
            fi

            # TODO(r-mibu): enable this section once congress 4.0.0 is available
            if false; then
            co_conf=/etc/congress/congress.conf
            entry="congress.datasources.doctor_driver.DoctorDriver"
            if ! grep -q -e "^drivers.*$entry" $co_conf; then
                echo "modify the congress config"
                sed -i -e "/^drivers/s/$/,$entry    # added by doctor script/" \
                    $co_conf
                service congress-server restart
            fi

            rule="-m multiport -p tcp --dports 1789"
            rule+=" -m comment --comment doctor-congress"
            rule+=" -j ACCEPT"
            if ! iptables -C INPUT $rule; then
                iptables -I INPUT $rule
            fi

            ha_conf=/etc/haproxy/conf.d/180-congress.cfg
            if [[ ! -e $ha_conf ]]; then
                sed -e "1i# generated by doctor script" \
                    -e "s/9696/1789/" \
                    -e "s/neutron/congress/" \
                    /etc/haproxy/conf.d/085-neutron.cfg > $ha_conf
                ip netns exec haproxy /usr/lib/ocf/resource.d/fuel/ns_haproxy restart
            fi
            fi

            np_conf=/etc/nova/policy.json
            if [ -e $np_conf ]; then
                entry="os_compute_api:servers:show:host_status"
                new="rule:admin_or_owner"
                np_backup="${np_conf}-doctor-saved"
                if grep -q "${entry}.*${new}" $np_conf; then
                    echo "Not modifying nova policy"
                elif grep -q "${entry}" $np_conf; then
                    echo "modify nova policy"
                    cp $np_conf $np_backup
                    oldline=$(grep "$entry" $np_conf)
                    newline=$(echo "$oldline" | sed "s/rule.*\"/$new\"/")
                    sed -i "s/$oldline/$newline/" $np_conf
                    service nova-api restart
                else
                    echo "add nova policy"
                    cp $np_conf $np_backup
                    sed -i "/{/a \    \"${entry}\": \"$new\"" $np_conf
                    service nova-api restart
                fi
            else
                # policy.json does not exist in Ocata.
                echo "$np_conf does not exist. Creating new one."
                echo -e "{\n    \"context_is_admin\":  \"role:admin\"," > $np_conf
                echo -e "    \"owner\" : \"user_id:%(user_id)s\"," >> $np_conf
                echo -e "    \"admin_or_owner\": \"rule:context_is_admin or rule:owner\"," >> $np_conf
                echo -e "    \"os_compute_api:servers:show:host_status\":  \"rule:admin_or_owner\" \n}" >> $np_conf
                np_rm="${np_conf}-doctor-rm"
                cp $np_conf $np_rm
                service nova-api restart
            fi
            ' > installer_apply_patches_$node.log 2>&1
    done
}

function setup_installer {
    get_installer_ip
    installer_get_ssh_keys
    get_controller_ips
    installer_apply_patches
    #Might take a moment for nova-api to restart
    sleep 20
    if ! openstack flavor show $VM_FLAVOR ; then
        openstack flavor create --ram 512 --disk 1 $VM_FLAVOR \
            && touch created_doctor_flavor
    fi
}

function get_compute_ip_from_hostname {
    local compute_host=$1

    compute_host_in_undercloud=${compute_host%%.*}
    node_id=$(echo $compute_host_in_undercloud | cut -d "-" -f 2)
    COMPUTE_IP=$(sshpass -p r00tme ssh 2>/dev/null $ssh_opts root@${INSTALLER_IP} \
         "fuel node|awk -F '|' -v id=$node_id '{if (\$1 == id) print \$5}' |xargs")
    die_if_not_set $LINENO COMPUTE_IP "Could get IP address of $compute_host."
}

function installer_revert_patches {
    # TODO(r-mibu): fix the followings in upstream (fuel)
    get_controller_ips
    for node in $CONTROLLER_IPS;do
        echo "restore controller configuration if touched ($node)"
        ssh $ssh_opts_cpu "root@$node" '
            set -x
            echo "### revert patches (installer=fuel)"
            date

            # TODO(r-mibu): enable this section once congress 4.0.0 is available
            if false; then
            ha_conf=/etc/haproxy/conf.d/180-congress.cfg
            if grep -q "# generated by doctor script" $ha_conf; then
                rm -f $ha_conf
                ip netns exec haproxy /usr/lib/ocf/resource.d/fuel/ns_haproxy restart
            fi

            rule="-m multiport -p tcp --dports 1789"
            rule+=" -m comment --comment doctor-congress"
            rule+=" -j ACCEPT"
            if iptables -C INPUT $rule; then
                iptables -D INPUT $rule
            fi

            co_conf=/etc/congress/congress.conf
            entry="congress.datasources.doctor_driver.DoctorDriver"
            if grep -q -e "^drivers.*$entry    # added by doctor script" $co_conf; then
                echo "modify the congress config"
                sed -i -e "/^drivers/s/^\(.*\),$entry/\1/" $co_conf
                service congress-server restart
            fi
            fi

            ep_conf=/etc/ceilometer/event_pipeline.yaml
            if grep -q "# added by doctor script" $ep_conf; then
                sed -ie "/# added by doctor script/d" $ep_conf
                service ceilometer-agent-notification restart
            fi

            np_conf=/etc/nova/policy.json
            np_backup="${np_conf}-doctor-saved"
            np_rm="${np_conf}-doctor-rm"
            if [ -e $np_backup ]; then
                cp -f $np_backup $np_conf
                rm $np_backup
                service nova-api restart
            elif [ -e $np_rm ]; then
                rm $np_conf
                rm $np_rm
                service nova-api restart
            fi
            ' >> installer_apply_patches_$node.log 2>&1
    done
}

function cleanup_installer {
    if [[ -e created_doctor_flavor ]] && openstack flavor show $VM_FLAVOR ; then
        openstack flavor delete $VM_FLAVOR && rm -f created_doctor_flavor
    fi
    installer_revert_patches
}