From a7d0c6fa2c443b2b4b5f4680faff09c6b2bd00d2 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 18 Jun 2018 15:06:48 +0000
Subject: [PATCH] Use `member` instead of `Member`

Keystone now provides a set of default roles in addition to `admin` by default [0]. This is done during the `keystone-manage bootstrap` process. This change aligns the `Member` role override from devstack with the `member` role provided from keystone.
[0] https://review.openstack.org/#/c/572243/
Change-Id: I3da3530aa73a8a1500116bcefdcba7b947d5e05e
Closes-Bug: 1777359
---
 lib/horizon | 2 +-
 lib/keystone | 29 ++++++++++-------------------
 2 files changed, 11 insertions(+), 20 deletions(-)
diff --git a/lib/horizon b/lib/horizon
index fab41bbeca..293a627c78 100644
--- a/lib/horizon
+++ b/lib/horizon
@@ -87,7 +87,7 @@ function configure_horizon {
 _horizon_config_set $local_settings "" WEBROOT \"$HORIZON_APACHE_ROOT/\"
 _horizon_config_set $local_settings "" COMPRESS_OFFLINE True
- _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_DEFAULT_ROLE \"Member\"
+ _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_DEFAULT_ROLE \"member\"
 _horizon_config_set $local_settings "" OPENSTACK_HOST \"${KEYSTONE_SERVICE_HOST}\"
diff --git a/lib/keystone b/lib/keystone
index 696e351ab0..7978feaf16 100644
--- a/lib/keystone
+++ b/lib/keystone
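Review bot: `OPENSTACK_KEYSTONE_DEFAULT_ROLE` is now `member`, but the comment this commit deletes from lib/keystone names Swift configs alongside Horizon as places where capital `Member` is hard-coded, and the diffstat touches only lib/horizon and lib/keystone. Since devstack no longer creates `Member`, any role list elsewhere that still names it (Swift's operator roles would be the place to check) may stop matching the role the demo users actually hold, which is an authorization mismatch rather than a cosmetic one. It is worth confirming those configs, and ideally this line would take the name from one shared variable instead of repeating the literal. configure_horizon starts and ends outside the hunk.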
@@ -309,30 +309,32 @@ function configure_keystone {
 # service -- --
 # -- -- service
 # -- -- ResellerAdmin
-# -- -- Member
+# -- -- member
 # demo admin admin
-# demo demo Member, anotherrole
+# demo demo member, anotherrole
 # alt_demo admin admin
-# alt_demo alt_demo Member, anotherrole
-# invisible_to_admin demo Member
+# alt_demo alt_demo member, anotherrole
+# invisible_to_admin demo member
 # Group Users Roles Project
 # ------------------------------------------------------------------
 # admins admin admin admin
-# nonadmins demo, alt_demo Member, anotherrole demo, alt_demo
+# nonadmins demo, alt_demo member, anotherrole demo, alt_demo
 # Migrated from keystone_data.sh
 function create_keystone_accounts {
- # The keystone bootstrapping process (performed via keystone-manage bootstrap)
- # creates an admin user, admin role and admin project. As a sanity check
- # we exercise the CLI to retrieve the IDs for these values.
+ # The keystone bootstrapping process (performed via keystone-manage
+ # bootstrap) creates an admin user, admin role, member role, and admin
+ # project. As a sanity check we exercise the CLI to retrieve the IDs for
+ # these values.
 local admin_project
 admin_project=$(openstack project show "admin" -f value -c id)
 local admin_user
 admin_user=$(openstack user show "admin" -f value -c id)
 local admin_role="admin"
+ local member_role="member"
 get_or_add_user_domain_role $admin_role $admin_user default
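Review bot: `local member_role="member"` is a bare literal, so the rewritten comment's claim that the CLI is exercised as a sanity check for the bootstrap-created values does not hold for the member role (nor, already before this change, for `admin_role`). With `get_or_create_role $member_role` dropped in the next hunk, nothing on the visible lines confirms the role exists before it is used, so against a keystone whose bootstrap does not create `member` the failure would presumably only surface at a later role assignment. Consider resolving it the way the project and user are resolved, e.g. `openstack role show "$member_role" -f value -c id >/dev/null`, so a missing role fails here with a clear cause. create_keystone_accounts continues outside the hunk.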
@@ -349,17 +351,6 @@ function create_keystone_accounts { # role is also configurable in swift-proxy.conf get_or_create_role ResellerAdmin - # The Member role is used by Horizon and Swift so we need to keep it: - local member_role="member" - - # Capital Member role is legacy hard coded in Horizon / Swift - # configs. Keep it around. - get_or_create_role "Member" - - # The reality is that the rest of the roles listed below honestly - # should work by symbolic names. - get_or_create_role $member_role - # another_role demonstrates that an arbitrary role may be created and used # TODO(sleepsonthefloor): show how this can be used for rbac in the future! local another_role="anotherrole"