From b8b83a16fa2da9cbb942621a43095bed408ae9a9 Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Thu, 11 Aug 2022 09:27:00 -0700
Subject: [PATCH] devstack: make create_barbican_accounts idempotent

Make devstack's create_barbican_accounts function idempotent by using get_or_create_XXX functions to configure resources (users, roles, endpoints, etc.). This avoids problems in situations such [1], where the cinder service needs the "creator" role. Cinder ends up creating the role first, which would cause create_barbican_accounts to subsequently fail if barbican assumes that it will create the role.

[1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d

Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
---
 devstack/lib/barbican | 194 ++++++++++++++++++------------------
 1 file changed, 82 insertions(+), 112 deletions(-)

diff --git a/devstack/lib/barbican b/devstack/lib/barbican
index a9164f0b0..ffae8cc68 100644
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@@ -241,153 +241,123 @@ function create_barbican_accounts {
     SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
-    BARBICAN_USER=$(openstack user create \
-        --password "$SERVICE_PASSWORD" \
-        --project $SERVICE_PROJECT \
-        --email "barbican@example.com" \
-        barbican \
-        | grep " id " | get_field 2)
-    openstack role add --project $SERVICE_PROJECT \
-        --user $BARBICAN_USER \
-        $ADMIN_ROLE
+    create_service_user barbican $ADMIN_ROLE
     #
     # Setup Default service-admin User
     #
-    SERVICE_ADMIN=$(get_id openstack user create \
-        --password "$SERVICE_PASSWORD" \
-        --email "service-admin@example.com" \
-        "service-admin")
-    SERVICE_ADMIN_ROLE=$(get_id openstack role create \
-        "key-manager:service-admin")
-    openstack role add \
-        --user "$SERVICE_ADMIN" \
-        --project "$SERVICE_PROJECT" \
-        "$SERVICE_ADMIN_ROLE"
+    SERVICE_ADMIN=$(get_or_create_user \
+        "service-admin" \
+        "$SERVICE_PASSWORD" \
+        "default" \
+        "service-admin@example.com")
+    SERVICE_ADMIN_ROLE=$(get_or_create_role "key-manager:service-admin")
+    get_or_add_user_project_role \
+        "$SERVICE_ADMIN_ROLE" \
+        "$SERVICE_ADMIN" \
+        "$SERVICE_PROJECT"
     #
     # Setup RBAC User Projects and Roles
     #
     PASSWORD="barbican"
-    PROJECT_A_ID=$(get_id openstack project create "project_a")
-    PROJECT_B_ID=$(get_id openstack project create "project_b")
-    ROLE_ADMIN_ID=$(get_id openstack role show admin)
-    ROLE_CREATOR_ID=$(get_id openstack role create "creator")
-    ROLE_OBSERVER_ID=$(get_id openstack role create "observer")
-    ROLE_AUDIT_ID=$(get_id openstack role create "audit")
+    PROJECT_A_ID=$(get_or_create_project "project_a" "default")
+    PROJECT_B_ID=$(get_or_create_project "project_b" "default")
+    ROLE_ADMIN_ID=$(get_or_create_role "admin")
+    ROLE_CREATOR_ID=$(get_or_create_role "creator")
+    ROLE_OBSERVER_ID=$(get_or_create_role "observer")
+    ROLE_AUDIT_ID=$(get_or_create_role "audit")
     #
     # Setup RBAC Admin of Project A
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "admin_a@example.net" \
-        "project_a_admin")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_A_ID" \
-        "$ROLE_ADMIN_ID"
+    USER_ID=$(get_or_create_user \
+        "project_a_admin" \
+        "$PASSWORD" \
+        "default" \
+        "admin_a@example.net")
+    get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
     #
     # Setup RBAC Creator of Project A
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "creator_a@example.net" \
-        "project_a_creator")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_A_ID" \
-        "$ROLE_CREATOR_ID"
+    USER_ID=$(get_or_create_user \
+        "project_a_creator" \
+        "$PASSWORD" \
+        "default" \
+        "creator_a@example.net")
+    get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
     # Adding second creator user in project_a
-    USER_ID=$(openstack user create \
-        --password "$PASSWORD" \
-        --email "creator2_a@example.net" \
-        "project_a_creator_2" -f value -c id)
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_A_ID" \
-        "$ROLE_CREATOR_ID"
+    USER_ID=$(get_or_create_user \
+        "project_a_creator_2" \
+        "$PASSWORD" \
+        "default" \
+        "creator2_a@example.net")
+    get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
     #
     # Setup RBAC Observer of Project A
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "observer_a@example.net" \
-        "project_a_observer")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_A_ID" \
-        "$ROLE_OBSERVER_ID"
+    USER_ID=$(get_or_create_user \
+        "project_a_observer" \
+        "$PASSWORD" \
+        "default" \
+        "observer_a@example.net")
+    get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
     #
     # Setup RBAC Auditor of Project A
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "auditor_a@example.net" \
-        "project_a_auditor")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_A_ID" \
-        "$ROLE_AUDIT_ID"
+    USER_ID=$(get_or_create_user \
+        "project_a_auditor" \
+        "$PASSWORD" \
+        "default" \
+        "auditor_a@example.net")
+    get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
     #
     # Setup RBAC Admin of Project B
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "admin_b@example.net" \
-        "project_b_admin")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_B_ID" \
-        "$ROLE_ADMIN_ID"
+    USER_ID=$(get_or_create_user \
+        "project_b_admin" \
+        "$PASSWORD" \
+        "default" \
+        "admin_b@example.net")
+    get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
     #
     # Setup RBAC Creator of Project B
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "creator_b@example.net" \
-        "project_b_creator")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_B_ID" \
-        "$ROLE_CREATOR_ID"
+    USER_ID=$(get_or_create_user \
+        "project_b_creator" \
+        "$PASSWORD" \
+        "default" \
+        "creator_b@example.net")
+    get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
     #
     # Setup RBAC Observer of Project B
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "observer_b@example.net" \
-        "project_b_observer")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_B_ID" \
-        "$ROLE_OBSERVER_ID"
+    USER_ID=$(get_or_create_user \
+        "project_b_observer" \
+        "$PASSWORD" \
+        "default" \
+        "observer_b@example.net")
+    get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
     #
     # Setup RBAC auditor of Project B
     #
-    USER_ID=$(get_id openstack user create \
-        --password "$PASSWORD" \
-        --email "auditor_b@example.net" \
-        "project_b_auditor")
-    openstack role add \
-        --user "$USER_ID" \
-        --project "$PROJECT_B_ID" \
-        "$ROLE_AUDIT_ID"
+    USER_ID=$(get_or_create_user \
+        "project_b_auditor" \
+        "$PASSWORD" \
+        "default" \
+        "auditor_b@example.net")
+    get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
     #
     # Setup Barbican Endpoint
     #
-    BARBICAN_SERVICE=$(openstack service create \
-        --name barbican \
-        --description "Barbican Service" \
-        'key-manager' \
-        | grep " id " | get_field 2)
-    openstack endpoint create \
-        --os-identity-api-version 3 \
-        --region RegionOne \
-        $BARBICAN_SERVICE \
-        public "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
-    openstack endpoint create \
-        --os-identity-api-version 3 \
-        --region RegionOne \
-        $BARBICAN_SERVICE \
-        internal "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
+    BARBICAN_SERVICE=$(get_or_create_service \
+        "barbican" \
+        "key-manager" \
+        "Barbican Service")
+    # This creates all 3 endpoints (public, admin, internal)
+    get_or_create_endpoint \
+        "$BARBICAN_SERVICE" \
+        "RegionOne" \
+        "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
+        "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
+        "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
 }