This eliminates the need for services in an Openstack deployment
to be deployed in order. Previously, keystone <-> mysql relation
needed to be established before anything else. With this change,
existing service entries are recreated in the new database for
existing relations.
This adds the ability to update a users' password via keystoneclient. This is
called for every run of ensure_initial_admin().
A basic config-changed hook is added to call ensure_initial_admin(), allowing:
- Changing the current admin user's password via
'juju set admin-password=foo'
- Defining a new admin user in the system via
'juju set admin-user=newadmin admin-password=foo'.
Note, when creating a new admin user, the previous admin user is not deleted from the system.
The new admin user can manage existing users thru the dashboard or keystoneclient.
Keystone+keystoneclient have recently changed to now throw errors when
a role is assigned to a user+tenant more than once. Account for this
by checking user+tenant's role assignments before attempting to assign.
The changes to keystone+keystoneclient happened in folsom, but this operation
is supported in the Essex release as well, so applying to the precise charm
branch to avoid an early delta between precise + quantal branches (which doesn't
exist yet).
