Use devstack-system-admin for keystone objects creation
This is needed so we can set keystone into enforcing secure RBAC. This also adjusts lib/glance, which already partially used devstack-system-admin. Change-Id: I6df8ad23a3077a8420340167a748ae23ad094962
This commit is contained in:
Grzegorz Grasza
parent
6d55b2a439
commit
ae40825df6
@ -867,10 +867,10 @@ function get_or_create_domain {
|
||||
# Gets domain id
|
||||
domain_id=$(
|
||||
# Gets domain id
|
||||
openstack domain show $1 \
|
||||
openstack --os-cloud devstack-system-admin domain show $1 \
|
||||
-f value -c id 2>/dev/null ||
|
||||
# Creates new domain
|
||||
openstack domain create $1 \
|
||||
openstack --os-cloud devstack-system-admin domain create $1 \
|
||||
--description "$2" \
|
||||
-f value -c id
|
||||
)
|
||||
@ -885,7 +885,7 @@ function get_or_create_group {
|
||||
# Gets group id
|
||||
group_id=$(
|
||||
# Creates new group with --or-show
|
||||
openstack group create $1 \
|
||||
openstack --os-cloud devstack-system-admin group create $1 \
|
||||
--domain $2 --description "$desc" --or-show \
|
||||
-f value -c id
|
||||
)
|
||||
@ -904,7 +904,7 @@ function get_or_create_user {
|
||||
# Gets user id
|
||||
user_id=$(
|
||||
# Creates new user with --or-show
|
||||
openstack user create \
|
||||
openstack --os-cloud devstack-system-admin user create \
|
||||
$1 \
|
||||
--password "$2" \
|
||||
--domain=$3 \
|
||||
@ -921,7 +921,7 @@ function get_or_create_project {
|
||||
local project_id
|
||||
project_id=$(
|
||||
# Creates new project with --or-show
|
||||
openstack project create $1 \
|
||||
openstack --os-cloud devstack-system-admin project create $1 \
|
||||
--domain=$2 \
|
||||
--or-show -f value -c id
|
||||
)
|
||||
@ -934,7 +934,7 @@ function get_or_create_role {
|
||||
local role_id
|
||||
role_id=$(
|
||||
# Creates role with --or-show
|
||||
openstack role create $1 \
|
||||
openstack --os-cloud devstack-system-admin role create $1 \
|
||||
--or-show -f value -c id
|
||||
)
|
||||
echo $role_id
|
||||
@ -964,7 +964,7 @@ function get_or_add_user_project_role {
|
||||
domain_args=$(_get_domain_args $4 $5)
|
||||
|
||||
# Gets user role id
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--project $3 \
|
||||
@ -972,11 +972,11 @@ function get_or_add_user_project_role {
|
||||
| grep '^|\s[a-f0-9]\+' | get_field 1)
|
||||
if [[ -z "$user_role_id" ]]; then
|
||||
# Adds role to user and get it
|
||||
openstack role add $1 \
|
||||
openstack --os-cloud devstack-system-admin role add $1 \
|
||||
--user $2 \
|
||||
--project $3 \
|
||||
$domain_args
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--project $3 \
|
||||
@ -991,17 +991,17 @@ function get_or_add_user_project_role {
|
||||
function get_or_add_user_domain_role {
|
||||
local user_role_id
|
||||
# Gets user role id
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--domain $3 \
|
||||
| grep '^|\s[a-f0-9]\+' | get_field 1)
|
||||
if [[ -z "$user_role_id" ]]; then
|
||||
# Adds role to user and get it
|
||||
openstack role add $1 \
|
||||
openstack --os-cloud devstack-system-admin role add $1 \
|
||||
--user $2 \
|
||||
--domain $3
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--domain $3 \
|
||||
@ -1019,7 +1019,7 @@ function get_or_add_user_system_role {
|
||||
domain_args=$(_get_domain_args $4)
|
||||
|
||||
# Gets user role id
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--system $3 \
|
||||
@ -1027,11 +1027,11 @@ function get_or_add_user_system_role {
|
||||
-f value -c Role)
|
||||
if [[ -z "$user_role_id" ]]; then
|
||||
# Adds role to user and get it
|
||||
openstack role add $1 \
|
||||
openstack --os-cloud devstack-system-admin role add $1 \
|
||||
--user $2 \
|
||||
--system $3 \
|
||||
$domain_args
|
||||
user_role_id=$(openstack role assignment list \
|
||||
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--user $2 \
|
||||
--system $3 \
|
||||
@ -1046,17 +1046,17 @@ function get_or_add_user_system_role {
|
||||
function get_or_add_group_project_role {
|
||||
local group_role_id
|
||||
# Gets group role id
|
||||
group_role_id=$(openstack role assignment list \
|
||||
group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--group $2 \
|
||||
--project $3 \
|
||||
-f value)
|
||||
if [[ -z "$group_role_id" ]]; then
|
||||
# Adds role to group and get it
|
||||
openstack role add $1 \
|
||||
openstack --os-cloud devstack-system-admin role add $1 \
|
||||
--group $2 \
|
||||
--project $3
|
||||
group_role_id=$(openstack role assignment list \
|
||||
group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
|
||||
--role $1 \
|
||||
--group $2 \
|
||||
--project $3 \
|
||||
@ -1072,9 +1072,9 @@ function get_or_create_service {
|
||||
# Gets service id
|
||||
service_id=$(
|
||||
# Gets service id
|
||||
openstack service show $2 -f value -c id 2>/dev/null ||
|
||||
openstack --os-cloud devstack-system-admin service show $2 -f value -c id 2>/dev/null ||
|
||||
# Creates new service if not exists
|
||||
openstack service create \
|
||||
openstack --os-cloud devstack-system-admin service create \
|
||||
$2 \
|
||||
--name $1 \
|
||||
--description="$3" \
|
||||
@ -1087,14 +1087,14 @@ function get_or_create_service {
|
||||
# Usage: _get_or_create_endpoint_with_interface <service> <interface> <url> <region>
|
||||
function _get_or_create_endpoint_with_interface {
|
||||
local endpoint_id
|
||||
endpoint_id=$(openstack endpoint list \
|
||||
endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint list \
|
||||
--service $1 \
|
||||
--interface $2 \
|
||||
--region $4 \
|
||||
-c ID -f value)
|
||||
if [[ -z "$endpoint_id" ]]; then
|
||||
# Creates new endpoint
|
||||
endpoint_id=$(openstack endpoint create \
|
||||
endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint create \
|
||||
$1 $2 $3 --region $4 -f value -c id)
|
||||
fi
|
||||
|
||||
@ -1128,7 +1128,7 @@ function get_or_create_endpoint {
|
||||
# Get a URL from the identity service
|
||||
# Usage: get_endpoint_url <service> <interface>
|
||||
function get_endpoint_url {
|
||||
echo $(openstack endpoint list \
|
||||
echo $(openstack --os-cloud devstack-system-admin endpoint list \
|
||||
--service $1 --interface $2 \
|
||||
-c URL -f value)
|
||||
}
|
||||
|
||||
@ -311,11 +311,11 @@ function configure_glance_quotas {
|
||||
iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
|
||||
iniset $GLANCE_API_CONF oslo_limit system_scope "'all'"
|
||||
iniset $GLANCE_API_CONF oslo_limit endpoint_id \
|
||||
$(openstack endpoint list --service glance -f value -c ID)
|
||||
$(openstack --os-cloud devstack-system-admin endpoint list --service glance -f value -c ID)
|
||||
|
||||
# Allow the glance service user to read quotas
|
||||
openstack role add --user glance --user-domain Default --system all \
|
||||
reader
|
||||
openstack --os-cloud devstack-system-admin role add --user glance --user-domain Default \
|
||||
--system all reader
|
||||
}
|
||||
|
||||
# configure_glance() - Set config files, create data dirs, etc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user