Merge "Isolate creating service users"

This commit is contained in:
Jenkins 2015-02-09 17:59:36 +00:00 committed by Gerrit Code Review
commit 5e781bd9d0
13 changed files with 30 additions and 61 deletions


@ -176,12 +176,8 @@ function stop_tuskar {
# create_tuskar_accounts() - Set up common required tuskar accounts # create_tuskar_accounts() - Set up common required tuskar accounts
function create_tuskar_accounts { function create_tuskar_accounts {
# migrated from files/keystone_data.sh
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD") create_service_user "tuskar" "admin"
get_or_add_user_role $admin_role $tuskar_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
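Review bot: The call `create_service_user "tuskar" "admin"` keeps the admin role for a user whose stated purpose, per the comment on the new helper in the keystone hunk, is validating tokens for auth_token middleware; the helper defaults to the service role when the second argument is omitted. The same explicit admin grant remains in the ceilometer, cinder, heat, ironic, nova, sahara, swift, trove and zaqar hunks, while glance and neutron already take the default. Preserving the existing role is in scope for a refactor, but a `# TODO: drop "admin" once tuskar only needs the service role for token validation` on each such call would record the least-privilege intent the helper's comment describes. create_tuskar_accounts continues outside the hunk.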


@ -105,13 +105,10 @@ function is_ceilometer_enabled {
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled) # SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
function create_ceilometer_accounts { function create_ceilometer_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
# Ceilometer # Ceilometer
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
get_or_add_user_role $admin_role $ceilometer_user $service_tenant create_service_user "ceilometer" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
local ceilometer_service=$(get_or_create_service "ceilometer" \ local ceilometer_service=$(get_or_create_service "ceilometer" \


@ -330,14 +330,10 @@ function configure_cinder {
# Migrated from keystone_data.sh # Migrated from keystone_data.sh
function create_cinder_accounts { function create_cinder_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
# Cinder # Cinder
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD") create_service_user "cinder" "admin"
get_or_add_user_role $admin_role $cinder_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -232,8 +232,7 @@ function configure_glance {
function create_glance_accounts { function create_glance_accounts {
if is_service_enabled g-api; then if is_service_enabled g-api; then
local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD") create_service_user "glance"
get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
# required for swift access # required for swift access
if is_service_enabled s-proxy; then if is_service_enabled s-proxy; then


@ -242,12 +242,7 @@ function stop_heat {
# create_heat_accounts() - Set up common required heat accounts # create_heat_accounts() - Set up common required heat accounts
function create_heat_accounts { function create_heat_accounts {
# migrated from files/keystone_data.sh create_service_user "heat" "admin"
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
get_or_add_user_role $admin_role $heat_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -358,15 +358,11 @@ function create_ironic_cache_dir {
# service ironic admin # if enabled # service ironic admin # if enabled
function create_ironic_accounts { function create_ironic_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
# Ironic # Ironic
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
# Get ironic user if exists # Get ironic user if exists
local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD") create_service_user "ironic" "admin"
get_or_add_user_role $admin_role $ironic_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -415,6 +415,20 @@ function create_keystone_accounts {
fi fi
} }
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
#
# create_service_user <name> [role]
#
# The role defaults to the service role. It is allowed to be provided as optional as historically
# a lot of projects have configured themselves with the admin or other role here if they are
# using this user for other purposes beyond simply auth_token middleware.
function create_service_user {
local role=${2:-service}
local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")
get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"
}
# Configure the service to use the auth token middleware. # Configure the service to use the auth token middleware.
# #
# configure_auth_token_middleware conf_file admin_user signing_dir [section] # configure_auth_token_middleware conf_file admin_user signing_dir [section]
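Review bot: `create_service_user` passes `$user` to `get_or_add_user_role` without checking that `get_or_create_user` returned anything; because the assignment is `local user=$(...)`, a failed lookup or creation leaves `user` empty and the command's exit status is masked by `local`, so the role grant runs with an empty user argument. The swift hunk in this same commit guards its test users with `die_if_not_set`, and the helper should do the same: insert `die_if_not_set $LINENO user "Failure creating service user $1"` between the two lines of the body. Since every service account on this page now flows through this one function, a silent failure here would affect all of them.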


@ -508,14 +508,9 @@ function create_neutron_cache_dir {
# Migrated from keystone_data.sh # Migrated from keystone_data.sh
function create_neutron_accounts { function create_neutron_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local service_role=$(openstack role list | awk "/ service / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD") create_service_user "neutron"
get_or_add_user_role $service_role $neutron_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -353,14 +353,10 @@ function configure_nova {
# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled) # SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
function create_nova_accounts { function create_nova_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
# Nova # Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD") create_service_user "nova" "admin"
get_or_add_user_role $admin_role $nova_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara
# service sahara admin # service sahara admin
function create_sahara_accounts { function create_sahara_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") create_service_user "sahara" "admin"
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
get_or_add_user_role $admin_role $sahara_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -601,12 +601,9 @@ function create_swift_accounts {
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }") local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD") create_service_user "swift" "admin"
get_or_add_user_role $admin_role $swift_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@ -623,7 +620,7 @@ function create_swift_accounts {
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1" die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com") SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1" die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1 get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com") local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3" die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
@ -634,7 +631,7 @@ function create_swift_accounts {
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com") local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2" die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2 get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2
local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing') local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing')
die_if_not_set $LINENO swift_domain "Failure creating swift_test domain" die_if_not_set $LINENO swift_domain "Failure creating swift_test domain"
@ -644,7 +641,7 @@ function create_swift_accounts {
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain) local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4" die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4 get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4
} }
# init_swift() - Initialize rings # init_swift() - Initialize rings
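Review bot: `another_role` is still resolved by text-matching `openstack role list` output with `awk "/ anotherrole / ..."`, while the same section drops the equivalent `admin_role` lookup and passes the literal name `admin` to `get_or_add_user_role` in its later hunks. For consistency the remaining lookup could be removed and the name `anotherrole` passed directly where `$another_role` is used; those use sites are not visible in these hunks, so the change presumably touches lines outside them. A pattern match against listing output is also looser than a name argument, since any role whose listing line contains that word would match.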


@ -79,13 +79,9 @@ function setup_trove_logging {
# service trove admin # if enabled # service trove admin # if enabled
function create_trove_accounts { function create_trove_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local service_role=$(openstack role list | awk "/ admin / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD") create_service_user "trove" "admin"
get_or_add_user_role $service_role $trove_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then


@ -215,11 +215,7 @@ function stop_zaqar {
} }
function create_zaqar_accounts { function create_zaqar_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") create_service_user "zaqar" "admin"
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then