devstack: make create_barbican_accounts idempotent
Make devstack's create_barbican_accounts function idempotent by using get_or_create_XXX functions to configure resources (users, roles, endpoints, etc.). This avoids problems in situations such [1], where the cinder service needs the "creator" role. Cinder ends up creating the role first, which would cause create_barbican_accounts to subsequently fail if barbican assumes that it will create the role. [1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
This commit is contained in:
Alan Bishop
parent
ff7fef6211
commit
b8b83a16fa
@ -241,153 +241,123 @@ function create_barbican_accounts {
|
|||||||
SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
|
SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
|
||||||
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
|
|
||||||
BARBICAN_USER=$(openstack user create \
|
create_service_user barbican $ADMIN_ROLE
|
||||||
--password "$SERVICE_PASSWORD" \
|
|
||||||
--project $SERVICE_PROJECT \
|
|
||||||
--email "barbican@example.com" \
|
|
||||||
barbican \
|
|
||||||
| grep " id " | get_field 2)
|
|
||||||
openstack role add --project $SERVICE_PROJECT \
|
|
||||||
--user $BARBICAN_USER \
|
|
||||||
$ADMIN_ROLE
|
|
||||||
#
|
#
|
||||||
# Setup Default service-admin User
|
# Setup Default service-admin User
|
||||||
#
|
#
|
||||||
SERVICE_ADMIN=$(get_id openstack user create \
|
SERVICE_ADMIN=$(get_or_create_user \
|
||||||
--password "$SERVICE_PASSWORD" \
|
"service-admin" \
|
||||||
--email "service-admin@example.com" \
|
"$SERVICE_PASSWORD" \
|
||||||
"service-admin")
|
"default" \
|
||||||
SERVICE_ADMIN_ROLE=$(get_id openstack role create \
|
"service-admin@example.com")
|
||||||
"key-manager:service-admin")
|
SERVICE_ADMIN_ROLE=$(get_or_create_role "key-manager:service-admin")
|
||||||
openstack role add \
|
get_or_add_user_project_role \
|
||||||
--user "$SERVICE_ADMIN" \
|
"$SERVICE_ADMIN_ROLE" \
|
||||||
--project "$SERVICE_PROJECT" \
|
"$SERVICE_ADMIN" \
|
||||||
"$SERVICE_ADMIN_ROLE"
|
"$SERVICE_PROJECT"
|
||||||
#
|
#
|
||||||
# Setup RBAC User Projects and Roles
|
# Setup RBAC User Projects and Roles
|
||||||
#
|
#
|
||||||
PASSWORD="barbican"
|
PASSWORD="barbican"
|
||||||
PROJECT_A_ID=$(get_id openstack project create "project_a")
|
PROJECT_A_ID=$(get_or_create_project "project_a" "default")
|
||||||
PROJECT_B_ID=$(get_id openstack project create "project_b")
|
PROJECT_B_ID=$(get_or_create_project "project_b" "default")
|
||||||
ROLE_ADMIN_ID=$(get_id openstack role show admin)
|
ROLE_ADMIN_ID=$(get_or_create_role "admin")
|
||||||
ROLE_CREATOR_ID=$(get_id openstack role create "creator")
|
ROLE_CREATOR_ID=$(get_or_create_role "creator")
|
||||||
ROLE_OBSERVER_ID=$(get_id openstack role create "observer")
|
ROLE_OBSERVER_ID=$(get_or_create_role "observer")
|
||||||
ROLE_AUDIT_ID=$(get_id openstack role create "audit")
|
ROLE_AUDIT_ID=$(get_or_create_role "audit")
|
||||||
#
|
#
|
||||||
# Setup RBAC Admin of Project A
|
# Setup RBAC Admin of Project A
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_a_admin" \
|
||||||
--email "admin_a@example.net" \
|
"$PASSWORD" \
|
||||||
"project_a_admin")
|
"default" \
|
||||||
openstack role add \
|
"admin_a@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
|
||||||
--project "$PROJECT_A_ID" \
|
|
||||||
"$ROLE_ADMIN_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Creator of Project A
|
# Setup RBAC Creator of Project A
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_a_creator" \
|
||||||
--email "creator_a@example.net" \
|
"$PASSWORD" \
|
||||||
"project_a_creator")
|
"default" \
|
||||||
openstack role add \
|
"creator_a@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
|
||||||
--project "$PROJECT_A_ID" \
|
|
||||||
"$ROLE_CREATOR_ID"
|
|
||||||
# Adding second creator user in project_a
|
# Adding second creator user in project_a
|
||||||
USER_ID=$(openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_a_creator_2" \
|
||||||
--email "creator2_a@example.net" \
|
"$PASSWORD" \
|
||||||
"project_a_creator_2" -f value -c id)
|
"default" \
|
||||||
openstack role add \
|
"creator2_a@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
|
||||||
--project "$PROJECT_A_ID" \
|
|
||||||
"$ROLE_CREATOR_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Observer of Project A
|
# Setup RBAC Observer of Project A
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_a_observer" \
|
||||||
--email "observer_a@example.net" \
|
"$PASSWORD" \
|
||||||
"project_a_observer")
|
"default" \
|
||||||
openstack role add \
|
"observer_a@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
|
||||||
--project "$PROJECT_A_ID" \
|
|
||||||
"$ROLE_OBSERVER_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Auditor of Project A
|
# Setup RBAC Auditor of Project A
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_a_auditor" \
|
||||||
--email "auditor_a@example.net" \
|
"$PASSWORD" \
|
||||||
"project_a_auditor")
|
"default" \
|
||||||
openstack role add \
|
"auditor_a@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
|
||||||
--project "$PROJECT_A_ID" \
|
|
||||||
"$ROLE_AUDIT_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Admin of Project B
|
# Setup RBAC Admin of Project B
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_b_admin" \
|
||||||
--email "admin_b@example.net" \
|
"$PASSWORD" \
|
||||||
"project_b_admin")
|
"default" \
|
||||||
openstack role add \
|
"admin_b@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
|
||||||
--project "$PROJECT_B_ID" \
|
|
||||||
"$ROLE_ADMIN_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Creator of Project B
|
# Setup RBAC Creator of Project B
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_b_creator" \
|
||||||
--email "creator_b@example.net" \
|
"$PASSWORD" \
|
||||||
"project_b_creator")
|
"default" \
|
||||||
openstack role add \
|
"creator_b@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
|
||||||
--project "$PROJECT_B_ID" \
|
|
||||||
"$ROLE_CREATOR_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC Observer of Project B
|
# Setup RBAC Observer of Project B
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_b_observer" \
|
||||||
--email "observer_b@example.net" \
|
"$PASSWORD" \
|
||||||
"project_b_observer")
|
"default" \
|
||||||
openstack role add \
|
"observer_b@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
|
||||||
--project "$PROJECT_B_ID" \
|
|
||||||
"$ROLE_OBSERVER_ID"
|
|
||||||
#
|
#
|
||||||
# Setup RBAC auditor of Project B
|
# Setup RBAC auditor of Project B
|
||||||
#
|
#
|
||||||
USER_ID=$(get_id openstack user create \
|
USER_ID=$(get_or_create_user \
|
||||||
--password "$PASSWORD" \
|
"project_b_auditor" \
|
||||||
--email "auditor_b@example.net" \
|
"$PASSWORD" \
|
||||||
"project_b_auditor")
|
"default" \
|
||||||
openstack role add \
|
"auditor_b@example.net")
|
||||||
--user "$USER_ID" \
|
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
|
||||||
--project "$PROJECT_B_ID" \
|
|
||||||
"$ROLE_AUDIT_ID"
|
|
||||||
#
|
#
|
||||||
# Setup Barbican Endpoint
|
# Setup Barbican Endpoint
|
||||||
#
|
#
|
||||||
BARBICAN_SERVICE=$(openstack service create \
|
BARBICAN_SERVICE=$(get_or_create_service \
|
||||||
--name barbican \
|
"barbican" \
|
||||||
--description "Barbican Service" \
|
"key-manager" \
|
||||||
'key-manager' \
|
"Barbican Service")
|
||||||
| grep " id " | get_field 2)
|
# This creates all 3 endpoints (public, admin, internal)
|
||||||
openstack endpoint create \
|
get_or_create_endpoint \
|
||||||
--os-identity-api-version 3 \
|
"$BARBICAN_SERVICE" \
|
||||||
--region RegionOne \
|
"RegionOne" \
|
||||||
$BARBICAN_SERVICE \
|
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
|
||||||
public "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
|
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
|
||||||
openstack endpoint create \
|
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
|
||||||
--os-identity-api-version 3 \
|
|
||||||
--region RegionOne \
|
|
||||||
$BARBICAN_SERVICE \
|
|
||||||
internal "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user