Merge "Isolate creating service users"
commit
5e781bd9d0
@ -176,12 +176,8 @@ function stop_tuskar {
|
|||||||
|
|
||||||
# create_tuskar_accounts() - Set up common required tuskar accounts
|
# create_tuskar_accounts() - Set up common required tuskar accounts
|
||||||
function create_tuskar_accounts {
|
function create_tuskar_accounts {
|
||||||
# migrated from files/keystone_data.sh
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
|
create_service_user "tuskar" "admin"
|
||||||
get_or_add_user_role $admin_role $tuskar_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
@ -105,13 +105,10 @@ function is_ceilometer_enabled {
|
|||||||
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
|
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
|
||||||
function create_ceilometer_accounts {
|
function create_ceilometer_accounts {
|
||||||
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
# Ceilometer
|
# Ceilometer
|
||||||
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
|
||||||
local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
|
|
||||||
get_or_add_user_role $admin_role $ceilometer_user $service_tenant
|
create_service_user "ceilometer" "admin"
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
local ceilometer_service=$(get_or_create_service "ceilometer" \
|
local ceilometer_service=$(get_or_create_service "ceilometer" \
|
||||||
|
@ -330,14 +330,10 @@ function configure_cinder {
|
|||||||
# Migrated from keystone_data.sh
|
# Migrated from keystone_data.sh
|
||||||
function create_cinder_accounts {
|
function create_cinder_accounts {
|
||||||
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
# Cinder
|
# Cinder
|
||||||
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
|
||||||
|
|
||||||
local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
|
create_service_user "cinder" "admin"
|
||||||
get_or_add_user_role $admin_role $cinder_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
@ -232,8 +232,7 @@ function configure_glance {
|
|||||||
function create_glance_accounts {
|
function create_glance_accounts {
|
||||||
if is_service_enabled g-api; then
|
if is_service_enabled g-api; then
|
||||||
|
|
||||||
local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
|
create_service_user "glance"
|
||||||
get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
|
|
||||||
|
|
||||||
# required for swift access
|
# required for swift access
|
||||||
if is_service_enabled s-proxy; then
|
if is_service_enabled s-proxy; then
|
||||||
|
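--- a/lib/heat
+++ b/lib/heat
@@ -242,12 +242,7 @@ function stop_heat {
 
 # create_heat_accounts() - Set up common required heat accounts
 function create_heat_accounts {
-# migrated from files/keystone_data.sh
-local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
-local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
-get_or_add_user_role $admin_role $heat_user $service_tenant
+create_service_user "heat" "admin"
 
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 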
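Review bot: `create_service_user "heat" "admin"` keeps granting the admin role to a user whose helper documentation says it exists to verify tokens for auth_token middleware, and the same override appears in the tuskar, ceilometer, cinder, ironic, nova, sahara, swift, trove and zaqar hunks, so the helper's `service` default is exercised only by glance and neutron. This preserves the earlier grant rather than introducing it, but each call site now loses the role-lookup lines that made the privilege level visible at a glance. A short why-comment above the call would keep that reviewable, e.g. `# admin instead of the service-role default: kept for parity with the previous grant; revisit once heat only needs auth_token validation`. The body of create_heat_accounts continues past the end of the hunk.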
@ -358,15 +358,11 @@ function create_ironic_cache_dir {
|
|||||||
# service ironic admin # if enabled
|
# service ironic admin # if enabled
|
||||||
function create_ironic_accounts {
|
function create_ironic_accounts {
|
||||||
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
# Ironic
|
# Ironic
|
||||||
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
|
||||||
# Get ironic user if exists
|
# Get ironic user if exists
|
||||||
|
|
||||||
local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
|
create_service_user "ironic" "admin"
|
||||||
get_or_add_user_role $admin_role $ironic_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
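--- a/lib/keystone
+++ b/lib/keystone
@@ -415,6 +415,20 @@ function create_keystone_accounts {
 fi
 }
 
+# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
+#
+# create_service_user <name> [role]
+#
+# The role defaults to the service role. It is allowed to be provided as optional as historically
+# a lot of projects have configured themselves with the admin or other role here if they are
+# using this user for other purposes beyond simply auth_token middleware.
+function create_service_user {
+local role=${2:-service}
+
+local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")
+get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"
+}
+
 # Configure the service to use the auth token middleware.
 #
 # configure_auth_token_middleware conf_file admin_user signing_dir [section]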
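Review bot: In create_service_user, `local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")` masks the exit status of the command substitution, so a failed user creation leaves `user` empty and the next line still runs `get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"` with an empty user argument. The swift hunks on this page already guard the same pattern with die_if_not_set; the helper should do likewise: `local user` / `user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")` / `die_if_not_set $LINENO user "Failure creating service user $1"`. Since every service account on this page now flows through this one function, a guard against an empty `$1` would also be cheap and would stop a call-site typo from reaching keystone as a nameless user. Whether get_or_add_user_role accepts the project by name rather than id is not visible here, though the existing glance call passed `$SERVICE_TENANT_NAME` the same way.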
@ -508,14 +508,9 @@ function create_neutron_cache_dir {
|
|||||||
|
|
||||||
# Migrated from keystone_data.sh
|
# Migrated from keystone_data.sh
|
||||||
function create_neutron_accounts {
|
function create_neutron_accounts {
|
||||||
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local service_role=$(openstack role list | awk "/ service / { print \$2 }")
|
|
||||||
|
|
||||||
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
||||||
|
|
||||||
local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
|
create_service_user "neutron"
|
||||||
get_or_add_user_role $service_role $neutron_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
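--- a/lib/nova
+++ b/lib/nova
@@ -353,14 +353,10 @@ function configure_nova {
 # SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
 function create_nova_accounts {
 
-local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
 # Nova
 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 
-local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
-get_or_add_user_role $admin_role $nova_user $service_tenant
+create_service_user "nova" "admin"
 
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 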
@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara
|
|||||||
# service sahara admin
|
# service sahara admin
|
||||||
function create_sahara_accounts {
|
function create_sahara_accounts {
|
||||||
|
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
create_service_user "sahara" "admin"
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
|
|
||||||
get_or_add_user_role $admin_role $sahara_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
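--- a/lib/swift
+++ b/lib/swift
@@ -601,12 +601,9 @@ function create_swift_accounts {
 
 KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
 
-local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
 local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
 
-local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
-get_or_add_user_role $admin_role $swift_user $service_tenant
+create_service_user "swift" "admin"
 
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
@@ -623,7 +620,7 @@ function create_swift_accounts {
 die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
 SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
 die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
-get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
+get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
 
 local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
 die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
@@ -634,7 +631,7 @@ function create_swift_accounts {
 
 local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
 die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
-get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
+get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2
 
 local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing')
 die_if_not_set $LINENO swift_domain "Failure creating swift_test domain"
@@ -644,7 +641,7 @@ function create_swift_accounts {
 
 local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
 die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
-get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
+get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4
 }
 
 # init_swift() - Initialize rings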
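Review bot: The first hunk still derives `another_role` by scraping `openstack role list | awk "/ anotherrole / { print \$2 }"`, the same listing-and-regex pattern the commit removes for `admin_role` and `service_tenant` two lines above; a pattern match on tabular output can silently yield an empty or wrong id if a role name overlaps or the formatting changes, and nothing here checks the result. The later hunks already switch the test users to passing the role by name (`get_or_add_user_role admin ...`), so passing `anotherrole` directly where `$another_role` is consumed would be the consistent treatment, assuming get_or_add_user_role accepts role names as those hunks imply. The lines that consume `$another_role` are outside the shown hunks, so the replacement sites are not visible here.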
@ -79,13 +79,9 @@ function setup_trove_logging {
|
|||||||
# service trove admin # if enabled
|
# service trove admin # if enabled
|
||||||
|
|
||||||
function create_trove_accounts {
|
function create_trove_accounts {
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
||||||
local service_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
|
||||||
|
|
||||||
local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
|
create_service_user "trove" "admin"
|
||||||
get_or_add_user_role $service_role $trove_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|
@ -215,11 +215,7 @@ function stop_zaqar {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function create_zaqar_accounts {
|
function create_zaqar_accounts {
|
||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
create_service_user "zaqar" "admin"
|
||||||
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
||||||
|
|
||||||
local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
|
|
||||||
get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
|
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|
||||||
|