Complete moving Keystone setup out of keystone_data.sh

* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed

Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC; all operations can be done
using names rather than requiring IDs.

Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
This commit is contained in:
Dean Troyer 2014-03-03 14:31:29 -06:00
parent c880fb41b0
commit 42a59c2bfa
8 changed files with 147 additions and 169 deletions


@ -9,7 +9,7 @@ if is_service_enabled tempest; then
install_tempest
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
# Tempest config must come after layer 2 services are running
:
create_tempest_accounts
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing Tempest"
configure_tempest
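Review bot: The new `create_tempest_accounts` call at post-config issues OSC commands that need admin credentials, and nothing in this hook says where they come from; presumably they are the password-flow OS_* variables stack.sh exports after it unsets the token-flow OS_TOKEN/OS_URL pair. A one-line comment above the call, `# needs the admin password-flow OS_* vars exported by stack.sh`, would record that ordering dependency. The if/elif chain this line sits in starts outside the hunk.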


@ -1,146 +0,0 @@
#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant User Roles
# ------------------------------------------------------------------
# service glance service
# service glance-swift ResellerAdmin
# service heat service # if enabled
# service ceilometer admin # if enabled
# Tempest Only:
# alt_demo alt_demo Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
# Defaults
# --------
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Roles
# -----
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
keystone role-create --name=ResellerAdmin
# Service role, so service users do not have to be admins
keystone role-create --name=service
# Services
# --------
if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user nova \
--role ResellerAdmin
fi
# Glance
if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
keystone user-create \
--name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=glance@example.com
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance \
--role service
# required for swift access
if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
keystone user-create \
--name=glance-swift \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=glance-swift@example.com
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance-swift \
--role ResellerAdmin
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service"
keystone endpoint-create \
--region RegionOne \
--service glance \
--publicurl "http://$SERVICE_HOST:9292" \
--adminurl "http://$SERVICE_HOST:9292" \
--internalurl "http://$SERVICE_HOST:9292"
fi
fi
# Ceilometer
if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
# Ceilometer needs ResellerAdmin role to access swift account stats.
keystone user-role-add --tenant $SERVICE_TENANT_NAME \
--user ceilometer \
--role ResellerAdmin
fi
# EC2
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
keystone endpoint-create \
--region RegionOne \
--service ec2 \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud"
fi
fi
# S3
if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift3" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=s3 \
--type=s3 \
--description="S3"
keystone endpoint-create \
--region RegionOne \
--service s3 \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi
fi
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
keystone tenant-create \
--name=alt_demo
keystone user-create \
--name=alt_demo \
--pass="$ADMIN_PASSWORD" \
--email=alt_demo@example.com
keystone user-role-add \
--tenant alt_demo \
--user alt_demo \
--role Member
fi


@ -69,6 +69,11 @@ function is_ceilometer_enabled {
# create_ceilometer_accounts() - Set up common required ceilometer accounts
# Project User Roles
# ------------------------------------------------------------------
# SERVICE_TENANT_NAME ceilometer admin
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
create_ceilometer_accounts() {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
@ -99,6 +104,13 @@ create_ceilometer_accounts() {
--adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
--internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
fi
if is_service_enabled swift; then
# Ceilometer needs ResellerAdmin role to access swift account stats.
openstack role add \
--project $SERVICE_TENANT_NAME \
--user ceilometer \
ResellerAdmin
fi
fi
}
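Review bot: `--project $SERVICE_TENANT_NAME` in the new `openstack role add` call is unquoted, so a project name containing whitespace or glob characters would be split into separate arguments before OSC sees it, while the URL arguments in the same function are quoted; write `--project "$SERVICE_TENANT_NAME" \`. The same unquoted expansion recurs in the glance hunk (four `--project $SERVICE_TENANT_NAME` lines), the keystone hunk (`openstack project create $SERVICE_TENANT_NAME`) and the nova hunk (`--project $SERVICE_TENANT_NAME`). The grant itself is ResellerAdmin, which the keystone hunk's comment describes as acting as any tenant, so it is worth getting the argument handling exact. create_ceilometer_accounts begins outside this hunk.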


@ -159,6 +159,49 @@ function configure_glance {
cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON
}
# create_glance_accounts() - Set up common required glance accounts
# Project User Roles
# ------------------------------------------------------------------
# SERVICE_TENANT_NAME glance service
# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if Swift is enabled)
function create_glance_accounts {
if is_service_enabled g-api; then
openstack user create \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT_NAME \
glance
openstack role add \
--project $SERVICE_TENANT_NAME \
--user glance \
service
# required for swift access
if is_service_enabled s-proxy; then
openstack user create \
--password "$SERVICE_PASSWORD" \
--project $SERVICE_TENANT_NAME \
glance-swift
openstack role add \
--project $SERVICE_TENANT_NAME \
--user glance-swift \
ResellerAdmin
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
openstack service create \
--type image \
--description "Glance Image Service" \
glance
openstack endpoint create \
--region RegionOne \
--publicurl "http://$GLANCE_HOSTPORT" \
--adminurl "http://$GLANCE_HOSTPORT" \
--internalurl "http://$GLANCE_HOSTPORT" \
glance
fi
fi
}
# create_glance_cache_dir() - Part of the init_glance() process
function create_glance_cache_dir {
# Create cache dir
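Review bot: The header comment for create_glance_accounts says glance-swift and its ResellerAdmin grant are created "(if Swift is enabled)", but the guard in the body is `if is_service_enabled s-proxy; then`, whereas the equivalent ResellerAdmin grants for nova and ceilometer in this commit test `is_service_enabled swift`. If the proxy-only check is deliberate (it mirrors the removed keystone_data.sh), the comment should read `# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if s-proxy is enabled)`; otherwise `if is_service_enabled swift; then` keeps the three functions consistent. Since ResellerAdmin lets a user act as any tenant, the comment should state the exact condition under which it is granted.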


@ -266,9 +266,11 @@ function configure_keystone {
# Tenant User Roles
# ------------------------------------------------------------------
# service -- --
# -- -- Member
# admin admin admin
# service -- --
# -- -- service
# -- -- ResellerAdmin
# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
@ -294,10 +296,17 @@ function create_keystone_accounts {
--project $ADMIN_TENANT \
--user $ADMIN_USER
# service
SERVICE_TENANT=$(openstack project create \
$SERVICE_TENANT_NAME \
| grep " id " | get_field 2)
# Create service project/role
openstack project create $SERVICE_TENANT_NAME
# Service role, so service users do not have to be admins
openstack role create service
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
openstack role create ResellerAdmin
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \
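Review bot: Replacing the `SERVICE_TENANT=$(openstack project create ... | get_field 2)` assignment with a bare `openstack project create $SERVICE_TENANT_NAME` means SERVICE_TENANT is no longer set by this function; any later line of create_keystone_accounts (the function continues past the hunk) that still reads `$SERVICE_TENANT` would now see an empty value, so please confirm none remain or switch them to `$SERVICE_TENANT_NAME`. The two new `openstack role create` lines carry over the ResellerAdmin explanation from keystone_data.sh, which is helpful; a matching one-liner above `openstack role create service` already exists, so the table above the function now documents both roles.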


@ -316,9 +316,10 @@ function configure_nova {
# create_nova_accounts() - Set up common required nova accounts
# Tenant User Roles
# Project User Roles
# ------------------------------------------------------------------
# service nova admin, [ResellerAdmin (swift only)]
# SERVICE_TENANT_NAME nova admin
# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
# Migrated from keystone_data.sh
create_nova_accounts() {
@ -363,6 +364,48 @@ create_nova_accounts() {
--internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
fi
fi
if is_service_enabled n-api; then
# Swift
if is_service_enabled swift; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
openstack role add \
--project $SERVICE_TENANT_NAME \
--user nova \
ResellerAdmin
fi
# EC2
if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
openstack service create \
--type ec2 \
--description "EC2 Compatibility Layer" \
ec2
openstack endpoint create \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
ec2
fi
fi
# S3
if is_service_enabled n-obj swift3; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
openstack service create \
--type s3 \
--description "S3" \
s3
openstack endpoint create \
--region RegionOne \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
s3
fi
fi
}
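Review bot: The S3 endpoint URLs in the new `if is_service_enabled n-obj swift3` block depend on `$S3_SERVICE_PORT` being defined in create_nova_accounts's scope; the removed stack.sh invocation passed `S3_SERVICE_PORT=$S3_SERVICE_PORT` to keystone_data.sh explicitly, and nothing in this hunk shows where lib/nova gets it. If it is unset, all three URLs become `http://$SERVICE_HOST:` and a broken catalog entry is registered silently; guard it with `: "${S3_SERVICE_PORT:?S3_SERVICE_PORT must be set}"` before the `openstack service create`, or give it a default in this file. create_nova_accounts starts outside the hunk.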
# create_nova_conf() - Create a new nova.conf file


@ -358,6 +358,30 @@ function configure_tempest {
$errexit
}
# create_tempest_accounts() - Set up common required tempest accounts
# Project User Roles
# ------------------------------------------------------------------
# alt_demo alt_demo Member
# Migrated from keystone_data.sh
function create_tempest_accounts {
if is_service_enabled tempest; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
openstack project create \
alt_demo
openstack user create \
--project alt_demo \
--password "$ADMIN_PASSWORD" \
alt_demo
openstack role add \
--project alt_demo \
--user alt_demo \
Member
fi
}
# install_tempest() - Collect source and prepare
function install_tempest {
git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH
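Review bot: The alt_demo user is created with `--password "$ADMIN_PASSWORD"`, so a non-admin test account shares the cloud admin's secret; that is inherited from keystone_data.sh, but the header comment should say so because it is a property of the deployment, not only of the tests. Presumably configure_tempest writes the same value as the alternate-user password into tempest's config, so changing one means changing both; a comment such as `# alt_demo reuses ADMIN_PASSWORD; keep in sync with the alt password configure_tempest writes` would make that coupling visible. The `if is_service_enabled tempest` wrapper also repeats the check the extras.d hook already performs before calling this function.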


@ -907,14 +907,13 @@ if is_service_enabled key; then
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0
fi
# Do the keystone-specific bits from keystone_data.sh
export OS_SERVICE_TOKEN=$SERVICE_TOKEN
export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT
# Add temporarily to make openstackclient work
# Setup OpenStackclient token-flow auth
export OS_TOKEN=$SERVICE_TOKEN
export OS_URL=$SERVICE_ENDPOINT
create_keystone_accounts
create_nova_accounts
create_glance_accounts
create_cinder_accounts
create_neutron_accounts
@ -922,7 +921,7 @@ if is_service_enabled key; then
create_ceilometer_accounts
fi
if is_service_enabled swift || is_service_enabled s-proxy; then
if is_service_enabled swift; then
create_swift_accounts
fi
@ -930,20 +929,14 @@ if is_service_enabled key; then
create_heat_accounts
fi
# ``keystone_data.sh`` creates services, admin and demo users, and roles.
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
bash -x $FILES/keystone_data.sh
# Set up auth creds now that keystone is bootstrapped
# Begone token-flow auth
unset OS_TOKEN OS_URL
# Set up password-flow auth creds now that keystone is bootstrapped
export OS_AUTH_URL=$SERVICE_ENDPOINT
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
fi
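Review bot: The new `unset OS_TOKEN OS_URL` deserves a comment that says why it must precede the password-flow exports: as far as I know python-openstackclient selects token-endpoint auth whenever OS_TOKEN and OS_URL are set, so leaving them exported would make the OS_USERNAME/OS_PASSWORD block below ineffective (worth confirming against the OSC version in use). Replace `# Begone token-flow auth` with `# OSC prefers token-endpoint auth while OS_TOKEN/OS_URL are set; clear them so the password-flow creds below take effect`. Note also that OS_TOKEN carries the admin service token and stays exported for every command run between the two `export` lines; if this block runs under xtrace, the value is echoed to the log, which the removed `bash -x $FILES/keystone_data.sh` did as well.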