devstack: make create_barbican_accounts idempotent

Make devstack's create_barbican_accounts function idempotent by
using get_or_create_XXX functions to configure resources (users,
roles, endpoints, etc.).

This avoids problems in situations such as [1], where the cinder service
needs the "creator" role. Cinder ends up creating the role first,
which would cause create_barbican_accounts to subsequently fail if
barbican assumes that it will create the role.

[1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d

Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
This commit is contained in:
Alan Bishop 2022-08-11 09:27:00 -07:00
parent ff7fef6211
commit b8b83a16fa


@ -241,153 +241,123 @@ function create_barbican_accounts {
SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
BARBICAN_USER=$(openstack user create \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_PROJECT \
--email "barbican@example.com" \
barbican \
| grep " id " | get_field 2)
openstack role add --project $SERVICE_PROJECT \
--user $BARBICAN_USER \
$ADMIN_ROLE
create_service_user barbican $ADMIN_ROLE
#
# Setup Default service-admin User
#
SERVICE_ADMIN=$(get_id openstack user create \
--password "$SERVICE_PASSWORD" \
--email "service-admin@example.com" \
"service-admin")
SERVICE_ADMIN_ROLE=$(get_id openstack role create \
"key-manager:service-admin")
openstack role add \
--user "$SERVICE_ADMIN" \
--project "$SERVICE_PROJECT" \
"$SERVICE_ADMIN_ROLE"
SERVICE_ADMIN=$(get_or_create_user \
"service-admin" \
"$SERVICE_PASSWORD" \
"default" \
"service-admin@example.com")
SERVICE_ADMIN_ROLE=$(get_or_create_role "key-manager:service-admin")
get_or_add_user_project_role \
"$SERVICE_ADMIN_ROLE" \
"$SERVICE_ADMIN" \
"$SERVICE_PROJECT"
#
# Setup RBAC User Projects and Roles
#
PASSWORD="barbican"
PROJECT_A_ID=$(get_id openstack project create "project_a")
PROJECT_B_ID=$(get_id openstack project create "project_b")
ROLE_ADMIN_ID=$(get_id openstack role show admin)
ROLE_CREATOR_ID=$(get_id openstack role create "creator")
ROLE_OBSERVER_ID=$(get_id openstack role create "observer")
ROLE_AUDIT_ID=$(get_id openstack role create "audit")
PROJECT_A_ID=$(get_or_create_project "project_a" "default")
PROJECT_B_ID=$(get_or_create_project "project_b" "default")
ROLE_ADMIN_ID=$(get_or_create_role "admin")
ROLE_CREATOR_ID=$(get_or_create_role "creator")
ROLE_OBSERVER_ID=$(get_or_create_role "observer")
ROLE_AUDIT_ID=$(get_or_create_role "audit")
#
# Setup RBAC Admin of Project A
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "admin_a@example.net" \
"project_a_admin")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_A_ID" \
"$ROLE_ADMIN_ID"
USER_ID=$(get_or_create_user \
"project_a_admin" \
"$PASSWORD" \
"default" \
"admin_a@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Creator of Project A
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "creator_a@example.net" \
"project_a_creator")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_A_ID" \
"$ROLE_CREATOR_ID"
USER_ID=$(get_or_create_user \
"project_a_creator" \
"$PASSWORD" \
"default" \
"creator_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
# Adding second creator user in project_a
USER_ID=$(openstack user create \
--password "$PASSWORD" \
--email "creator2_a@example.net" \
"project_a_creator_2" -f value -c id)
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_A_ID" \
"$ROLE_CREATOR_ID"
USER_ID=$(get_or_create_user \
"project_a_creator_2" \
"$PASSWORD" \
"default" \
"creator2_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Observer of Project A
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "observer_a@example.net" \
"project_a_observer")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_A_ID" \
"$ROLE_OBSERVER_ID"
USER_ID=$(get_or_create_user \
"project_a_observer" \
"$PASSWORD" \
"default" \
"observer_a@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Auditor of Project A
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "auditor_a@example.net" \
"project_a_auditor")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_A_ID" \
"$ROLE_AUDIT_ID"
USER_ID=$(get_or_create_user \
"project_a_auditor" \
"$PASSWORD" \
"default" \
"auditor_a@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Admin of Project B
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "admin_b@example.net" \
"project_b_admin")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_B_ID" \
"$ROLE_ADMIN_ID"
USER_ID=$(get_or_create_user \
"project_b_admin" \
"$PASSWORD" \
"default" \
"admin_b@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Creator of Project B
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "creator_b@example.net" \
"project_b_creator")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_B_ID" \
"$ROLE_CREATOR_ID"
USER_ID=$(get_or_create_user \
"project_b_creator" \
"$PASSWORD" \
"default" \
"creator_b@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Observer of Project B
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "observer_b@example.net" \
"project_b_observer")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_B_ID" \
"$ROLE_OBSERVER_ID"
USER_ID=$(get_or_create_user \
"project_b_observer" \
"$PASSWORD" \
"default" \
"observer_b@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC auditor of Project B
#
USER_ID=$(get_id openstack user create \
--password "$PASSWORD" \
--email "auditor_b@example.net" \
"project_b_auditor")
openstack role add \
--user "$USER_ID" \
--project "$PROJECT_B_ID" \
"$ROLE_AUDIT_ID"
USER_ID=$(get_or_create_user \
"project_b_auditor" \
"$PASSWORD" \
"default" \
"auditor_b@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup Barbican Endpoint
#
BARBICAN_SERVICE=$(openstack service create \
--name barbican \
--description "Barbican Service" \
'key-manager' \
| grep " id " | get_field 2)
openstack endpoint create \
--os-identity-api-version 3 \
--region RegionOne \
$BARBICAN_SERVICE \
public "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
openstack endpoint create \
--os-identity-api-version 3 \
--region RegionOne \
$BARBICAN_SERVICE \
internal "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
BARBICAN_SERVICE=$(get_or_create_service \
"barbican" \
"key-manager" \
"Barbican Service")
# This creates all 3 endpoints (public, admin, internal)
get_or_create_endpoint \
"$BARBICAN_SERVICE" \
"RegionOne" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
}
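Review bot: The endpoint block at the end of the hunk now passes the key-manager URL three times to get_or_create_endpoint, and the new comment states this registers public, admin and internal endpoints, whereas the replaced `openstack endpoint create` calls registered only public and internal; if that reading is right, the change adds an admin endpoint that the commit message (which only promises idempotency) does not mention, so either drop the third URL argument to keep the old set or note the new admin endpoint in the message and the comment. The remaining calls follow devstack's get_or_create_* argument order (name, password, domain, email; role, user, project) as far as can be seen here. The lines that still shell out to `openstack ... | awk` and pass `$ADMIN_ROLE` unquoted to create_service_user appear to be left as they were, so they are outside the scope of this review. The function's opening `function create_barbican_accounts {` line lies before the start of the hunk.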