Use devstack-system-admin for keystone objects creation

This is needed so we can set keystone into enforcing secure RBAC.
This also adjusts lib/glance, which already partially used
devstack-system-admin.

Change-Id: I6df8ad23a3077a8420340167a748ae23ad094962
Grzegorz Grasza 2021-10-26 10:37:07 +02:00
parent 6d55b2a439
commit ae40825df6
2 changed files with 26 additions and 26 deletions


@ -867,10 +867,10 @@ function get_or_create_domain {
# Gets domain id # Gets domain id
domain_id=$( domain_id=$(
# Gets domain id # Gets domain id
openstack domain show $1 \ openstack --os-cloud devstack-system-admin domain show $1 \
-f value -c id 2>/dev/null || -f value -c id 2>/dev/null ||
# Creates new domain # Creates new domain
openstack domain create $1 \ openstack --os-cloud devstack-system-admin domain create $1 \
--description "$2" \ --description "$2" \
-f value -c id -f value -c id
) )
@ -885,7 +885,7 @@ function get_or_create_group {
# Gets group id # Gets group id
group_id=$( group_id=$(
# Creates new group with --or-show # Creates new group with --or-show
openstack group create $1 \ openstack --os-cloud devstack-system-admin group create $1 \
--domain $2 --description "$desc" --or-show \ --domain $2 --description "$desc" --or-show \
-f value -c id -f value -c id
) )
@ -904,7 +904,7 @@ function get_or_create_user {
# Gets user id # Gets user id
user_id=$( user_id=$(
# Creates new user with --or-show # Creates new user with --or-show
openstack user create \ openstack --os-cloud devstack-system-admin user create \
$1 \ $1 \
--password "$2" \ --password "$2" \
--domain=$3 \ --domain=$3 \
@ -921,7 +921,7 @@ function get_or_create_project {
local project_id local project_id
project_id=$( project_id=$(
# Creates new project with --or-show # Creates new project with --or-show
openstack project create $1 \ openstack --os-cloud devstack-system-admin project create $1 \
--domain=$2 \ --domain=$2 \
--or-show -f value -c id --or-show -f value -c id
) )
@ -934,7 +934,7 @@ function get_or_create_role {
local role_id local role_id
role_id=$( role_id=$(
# Creates role with --or-show # Creates role with --or-show
openstack role create $1 \ openstack --os-cloud devstack-system-admin role create $1 \
--or-show -f value -c id --or-show -f value -c id
) )
echo $role_id echo $role_id
@ -964,7 +964,7 @@ function get_or_add_user_project_role {
domain_args=$(_get_domain_args $4 $5) domain_args=$(_get_domain_args $4 $5)
# Gets user role id # Gets user role id
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--project $3 \ --project $3 \
@ -972,11 +972,11 @@ function get_or_add_user_project_role {
| grep '^|\s[a-f0-9]\+' | get_field 1) | grep '^|\s[a-f0-9]\+' | get_field 1)
if [[ -z "$user_role_id" ]]; then if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it # Adds role to user and get it
openstack role add $1 \ openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \ --user $2 \
--project $3 \ --project $3 \
$domain_args $domain_args
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--project $3 \ --project $3 \
@ -991,17 +991,17 @@ function get_or_add_user_project_role {
function get_or_add_user_domain_role { function get_or_add_user_domain_role {
local user_role_id local user_role_id
# Gets user role id # Gets user role id
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--domain $3 \ --domain $3 \
| grep '^|\s[a-f0-9]\+' | get_field 1) | grep '^|\s[a-f0-9]\+' | get_field 1)
if [[ -z "$user_role_id" ]]; then if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it # Adds role to user and get it
openstack role add $1 \ openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \ --user $2 \
--domain $3 --domain $3
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--domain $3 \ --domain $3 \
@ -1019,7 +1019,7 @@ function get_or_add_user_system_role {
domain_args=$(_get_domain_args $4) domain_args=$(_get_domain_args $4)
# Gets user role id # Gets user role id
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--system $3 \ --system $3 \
@ -1027,11 +1027,11 @@ function get_or_add_user_system_role {
-f value -c Role) -f value -c Role)
if [[ -z "$user_role_id" ]]; then if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it # Adds role to user and get it
openstack role add $1 \ openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \ --user $2 \
--system $3 \ --system $3 \
$domain_args $domain_args
user_role_id=$(openstack role assignment list \ user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--user $2 \ --user $2 \
--system $3 \ --system $3 \
@ -1046,17 +1046,17 @@ function get_or_add_user_system_role {
function get_or_add_group_project_role { function get_or_add_group_project_role {
local group_role_id local group_role_id
# Gets group role id # Gets group role id
group_role_id=$(openstack role assignment list \ group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--group $2 \ --group $2 \
--project $3 \ --project $3 \
-f value) -f value)
if [[ -z "$group_role_id" ]]; then if [[ -z "$group_role_id" ]]; then
# Adds role to group and get it # Adds role to group and get it
openstack role add $1 \ openstack --os-cloud devstack-system-admin role add $1 \
--group $2 \ --group $2 \
--project $3 --project $3
group_role_id=$(openstack role assignment list \ group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \ --role $1 \
--group $2 \ --group $2 \
--project $3 \ --project $3 \
@ -1072,9 +1072,9 @@ function get_or_create_service {
# Gets service id # Gets service id
service_id=$( service_id=$(
# Gets service id # Gets service id
openstack service show $2 -f value -c id 2>/dev/null || openstack --os-cloud devstack-system-admin service show $2 -f value -c id 2>/dev/null ||
# Creates new service if not exists # Creates new service if not exists
openstack service create \ openstack --os-cloud devstack-system-admin service create \
$2 \ $2 \
--name $1 \ --name $1 \
--description="$3" \ --description="$3" \
@ -1087,14 +1087,14 @@ function get_or_create_service {
# Usage: _get_or_create_endpoint_with_interface <service> <interface> <url> <region> # Usage: _get_or_create_endpoint_with_interface <service> <interface> <url> <region>
function _get_or_create_endpoint_with_interface { function _get_or_create_endpoint_with_interface {
local endpoint_id local endpoint_id
endpoint_id=$(openstack endpoint list \ endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint list \
--service $1 \ --service $1 \
--interface $2 \ --interface $2 \
--region $4 \ --region $4 \
-c ID -f value) -c ID -f value)
if [[ -z "$endpoint_id" ]]; then if [[ -z "$endpoint_id" ]]; then
# Creates new endpoint # Creates new endpoint
endpoint_id=$(openstack endpoint create \ endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint create \
$1 $2 $3 --region $4 -f value -c id) $1 $2 $3 --region $4 -f value -c id)
fi fi
@ -1128,7 +1128,7 @@ function get_or_create_endpoint {
# Get a URL from the identity service # Get a URL from the identity service
# Usage: get_endpoint_url <service> <interface> # Usage: get_endpoint_url <service> <interface>
function get_endpoint_url { function get_endpoint_url {
echo $(openstack endpoint list \ echo $(openstack --os-cloud devstack-system-admin endpoint list \
--service $1 --interface $2 \ --service $1 --interface $2 \
-c URL -f value) -c URL -f value)
} }
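Review bot: The cloud name `devstack-system-admin` is now repeated as a bare literal in every call of this file (the domain, group, user, project, role, role-assignment, service and endpoint hunks alike), so renaming the clouds.yaml entry or pointing these helpers at a different identity later means editing some two dozen call sites. A single definition near the top of the file, e.g. `SYSTEM_ADMIN_CLOUD=${SYSTEM_ADMIN_CLOUD:-devstack-system-admin}` used as `openstack --os-cloud "$SYSTEM_ADMIN_CLOUD" …` (placeholder name; pick one matching the file's conventions), keeps that in one place. Separately, in get_or_create_domain (first hunk) and get_or_create_service the `show … 2>/dev/null ||` fallback will also hide an authorization failure against the system-scoped cloud once keystone enforces scope, so a misconfigured clouds.yaml entry surfaces as a confusing `create` error instead of the 403 that explains it; a short comment there, `# stderr suppressed only for the not-found case; a 403 here falls through to create`, would at least warn the next reader. Each of these functions starts and ends outside its hunk.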


@ -311,11 +311,11 @@ function configure_glance_quotas {
iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
iniset $GLANCE_API_CONF oslo_limit system_scope "'all'" iniset $GLANCE_API_CONF oslo_limit system_scope "'all'"
iniset $GLANCE_API_CONF oslo_limit endpoint_id \ iniset $GLANCE_API_CONF oslo_limit endpoint_id \
$(openstack endpoint list --service glance -f value -c ID) $(openstack --os-cloud devstack-system-admin endpoint list --service glance -f value -c ID)
# Allow the glance service user to read quotas # Allow the glance service user to read quotas
openstack role add --user glance --user-domain Default --system all \ openstack --os-cloud devstack-system-admin role add --user glance --user-domain Default \
reader --system all reader
} }
# configure_glance() - Set config files, create data dirs, etc # configure_glance() - Set config files, create data dirs, etc
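Review bot: The endpoint_id written to oslo_limit on the line `$(openstack --os-cloud devstack-system-admin endpoint list --service glance -f value -c ID)` comes from an unfiltered `endpoint list`, and the substitution is unquoted, so if glance ever has more than one endpoint interface registered the extra IDs become extra arguments to iniset and presumably the first one is silently configured. Filtering the way `_get_or_create_endpoint_with_interface` in this commit already does, `--interface public`, and quoting the substitution pins the lookup to one endpoint; checking the result with `[[ -n "$endpoint_id" ]]` before the iniset would also catch an empty value, which is what a rejected system-scoped call produces once scope is enforced. configure_glance_quotas starts outside the hunk.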