diff --git a/functions-common b/functions-common
index 0806681c3b..71dda76727 100644
--- a/functions-common
+++ b/functions-common
@@ -840,27 +840,49 @@ function get_or_create_role {
 echo $role_id
 }
+# Returns the domain parts of a function call if present
+# Usage: _get_domain_args [ ]
+function _get_domain_args {
+ local domain
+ domain=""
+
+ if [[ -n "$1" ]]; then
+ domain="$domain --user-domain $1"
+ fi
+ if [[ -n "$2" ]]; then
+ domain="$domain --project-domain $2"
+ fi
+
+ echo $domain
+}
+
 # Gets or adds user role to project
-# Usage: get_or_add_user_project_role
+# Usage: get_or_add_user_project_role [ ]
 function get_or_add_user_project_role {
 local user_role_id
+
+ domain_args=$(_get_domain_args $4 $5)
+
 # Gets user role id
 user_role_id=$(openstack role list \
 --user $2 \
 --column "ID" \
 --project $3 \
 --column "Name" \
+ $domain_args \
 | grep " $1 " | get_field 1)
 if [[ -z "$user_role_id" ]]; then
 # Adds role to user and get it
 openstack role add $1 \
 --user $2 \
- --project $3
+ --project $3 \
+ $domain_args
 user_role_id=$(openstack role list \
 --user $2 \
 --column "ID" \
 --project $3 \
 --column "Name" \
+ $domain_args \
 | grep " $1 " | get_field 1)
 fi
 echo $user_role_id
diff --git a/lib/glance b/lib/glance
index 3743e161c4..f2a6db6edc 100644
--- a/lib/glance
+++ b/lib/glance
@@ -173,8 +173,8 @@ function configure_glance {
 iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
 iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
 iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
 # commenting is not strictly necessary but it's confusing to have bad values in conf
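Review bot: In functions-common, `domain_args=$(_get_domain_args $4 $5)` passes both positionals unquoted, so a call with an empty user domain and a non-empty project domain shifts the project domain into `$1` and it is emitted as `--user-domain`; the role lookup and `openstack role add` would then run against the wrong domain. Quoting keeps the positions fixed: `domain_args=$(_get_domain_args "$4" "$5")`. `domain_args` is also assigned without `local`, unlike `user_role_id`, so it leaks into the caller's scope; `local domain_args` next to `local user_role_id` fixes that. Because `$domain_args` is deliberately expanded unquoted, a domain name containing whitespace would still be split into separate arguments, which deserves a comment on `_get_domain_args`. The closing brace of get_or_add_user_project_role lies outside the hunk.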
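Review bot: The two new `iniset` lines in lib/glance (configure_glance) pass `$SERVICE_DOMAIN_NAME` unquoted, while the equivalent lines in lib/keystone and lib/neutron-legacy quote it; a domain name containing a space would be word-split and, presumably, only its first word written as the option value. Write `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name "$SERVICE_DOMAIN_NAME"` and the same for `project_domain_name`. The same applies to the `get_or_add_user_project_role ResellerAdmin nova ...` call in lib/nova, where the two trailing `$SERVICE_DOMAIN_NAME` arguments are unquoted. configure_glance starts and ends outside this hunk.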
@@ -288,11 +288,7 @@ function create_glance_accounts {
 # required for swift access
 if is_service_enabled s-proxy; then
-
- local glance_swift_user
- glance_swift_user=$(get_or_create_user "glance-swift" \
- "$SERVICE_PASSWORD" "default" "glance-swift@example.com")
- get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
+ create_service_user "glance-swift" "ResellerAdmin"
 fi
 get_or_create_service "glance" "image" "Glance Image Service"
diff --git a/lib/keystone b/lib/keystone
index c6208aec4c..542bd05609 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
 # Bind hosts
 KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
+
 # Set the project for service accounts in Keystone
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
 SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
 # Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
@@ -373,6 +375,7 @@ function create_keystone_accounts {
 get_or_add_user_domain_role $admin_role $admin_user default
 # Create service project/role
+ get_or_create_domain "$SERVICE_DOMAIN_NAME"
 get_or_create_project "$SERVICE_PROJECT_NAME" default
 # Service role, so service users do not have to be admins
@@ -445,9 +448,8 @@ function create_keystone_accounts {
 function create_service_user {
 local role=${2:-service}
- local user
- user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
- get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
+ get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
+ get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
 }
 # Configure the service to use the auth token middleware.
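Review bot: The comment `# Set the project for service accounts in Keystone` in lib/keystone now sits directly above `SERVICE_DOMAIN_NAME` but still names only the project. Reword it to `# Set the domain and project for service accounts in Keystone`. It would also help to state there that the value is a domain name rather than an ID, since the configs touched by this commit switch from `*_domain_id default` to `*_domain_name`.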
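Review bot: In create_keystone_accounts (lib/keystone) the service project is still created with `get_or_create_project "$SERVICE_PROJECT_NAME" default`, while create_service_user now creates users in, and scopes role assignments to, `$SERVICE_DOMAIN_NAME`. If the second argument is the project's domain, as it appears to be, any non-default `SERVICE_DOMAIN_NAME` leaves the project in a different domain from the one passed as `--project-domain`, so the role assignment for service users would presumably fail or miss the project. Passing the variable keeps them aligned: `get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"`. The function body starts and ends outside this hunk.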
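Review bot: `get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"` in create_service_user no longer captures the helper's output, which the removed code stored in `user` (presumably the user ID), so it is now written to the function's stdout ahead of whatever get_or_add_user_project_role echoes. A caller that captures create_service_user's output would receive both values. Either discard it, `get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" >/dev/null`, or keep the `local user` capture.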
@@ -467,9 +469,9 @@ function configure_auth_token_middleware {
 iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
 iniset $conf_file $section username $admin_user
 iniset $conf_file $section password $SERVICE_PASSWORD
- iniset $conf_file $section user_domain_id default
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
- iniset $conf_file $section project_domain_id default
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
 iniset $conf_file $section cafile $SSL_BUNDLE_FILE
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index c2729cb5d2..a3571594b6 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -491,9 +491,9 @@ function create_nova_conf_neutron {
 iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
 iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
 iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF neutron user_domain_name "Default"
+ iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
- iniset $NOVA_CONF neutron project_domain_name "Default"
+ iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
 iniset $NOVA_CONF neutron region_name "$REGION_NAME"
 iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
diff --git a/lib/nova b/lib/nova
index 7c22910a1d..818ecc4f1b 100644
--- a/lib/nova
+++ b/lib/nova
@@ -439,7 +439,7 @@ function create_nova_accounts {
 if is_service_enabled swift; then
 # Nova needs ResellerAdmin role to download images when accessing
 # swift through the s3 api.
- get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
+ get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
 fi
 fi
diff --git a/lib/swift b/lib/swift
index f47608cd6e..8cb94efa66 100644
--- a/lib/swift
+++ b/lib/swift
@@ -846,7 +846,9 @@ function swift_configure_tempurls {
 # note we are using swift credentials!
 OS_USERNAME=swift \
 OS_PASSWORD=$SERVICE_PASSWORD \
+ OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
 OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
+ OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
 openstack object store account \
 set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
 }