73e27b83 |
#!/bin/bash |
b7d1fbbe |
#
# Initial data for Keystone using python-keystoneclient
# |
4a2b1c66 |
# Tenant User Roles |
77b0e1d8 |
# ------------------------------------------------------------------ |
4a2b1c66 |
# service glance admin
# service swift admin # if enabled
# service heat admin # if enabled
# service ceilometer admin # if enabled |
b297d2d0 |
# Tempest Only:
# alt_demo alt_demo Member |
b7d1fbbe |
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts |
3f7c06f5 |
# SERVICE_HOST - host used for endpoint creation |
b7d1fbbe |
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory |
3f7c06f5 |
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
# Defaults
# -------- |
b7d1fbbe |
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD} |
d1f5243d |
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT |
b7d1fbbe |
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} |
d1f5243d |
function get_id () { |
3f7c06f5 |
echo `"$@" | awk '/ id / { print $4 }'` |
d1f5243d |
}
|
d835de89 |
# Lookups
SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }") |
671c16e6 |
MEMBER_ROLE=$(keystone role-list | awk "/ Member / { print \$2 }") |
73e27b83 |
|
0bd2410d |
|
73e27b83 |
# Roles |
3f7c06f5 |
# -----
|
901eed70 |
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) |
73e27b83 |
|
671c16e6 |
|
3f7c06f5 |
# Services
# -------- |
b7d1fbbe |
|
a0dce264 |
if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
NOVA_USER=$(keystone user-list | awk "/ nova / { print \$2 }") |
77b0e1d8 |
# Nova needs ResellerAdmin role to download images when accessing |
901eed70 |
# swift through the s3 api. |
3f7c06f5 |
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $NOVA_USER \
--role_id $RESELLER_ROLE |
9c7c9083 |
fi |
b7d1fbbe |
|
bfdad75e |
# Heat
if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
HEAT_USER=$(get_id keystone user-create --name=heat \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=heat@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $HEAT_USER \
--role_id $ADMIN_ROLE |
053a5f84 |
# heat_stack_user role is for users created by Heat
keystone role-create --name heat_stack_user |
bfdad75e |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
36cf7ee1 |
HEAT_CFN_SERVICE=$(get_id keystone service-create \ |
bb421bed |
--name=heat-cfn \
--type=cloudformation \
--description="Heat CloudFormation Service") |
bfdad75e |
keystone endpoint-create \
--region RegionOne \ |
e2790210 |
--service_id $HEAT_CFN_SERVICE \
--publicurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" |
bb421bed |
HEAT_SERVICE=$(get_id keystone service-create \
--name=heat \
--type=orchestration \
--description="Heat Service")
keystone endpoint-create \
--region RegionOne \
--service_id $HEAT_SERVICE \
--publicurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" |
bfdad75e |
fi
fi
|
3f7c06f5 |
# Glance
if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
GLANCE_USER=$(get_id keystone user-create \
--name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=glance@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $GLANCE_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
GLANCE_SERVICE=$(get_id keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service")
keystone endpoint-create \
--region RegionOne \
--service_id $GLANCE_SERVICE \ |
8d6c9bca |
--publicurl "http://$SERVICE_HOST:9292" \
--adminurl "http://$SERVICE_HOST:9292" \
--internalurl "http://$SERVICE_HOST:9292" |
3f7c06f5 |
fi
fi
# Swift
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
SWIFT_USER=$(get_id keystone user-create \
--name=swift \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=swift@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $SWIFT_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
SWIFT_SERVICE=$(get_id keystone service-create \
--name=swift \
--type="object-store" \
--description="Swift Service")
keystone endpoint-create \
--region RegionOne \
--service_id $SWIFT_SERVICE \
--publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \ |
8d6c9bca |
--adminurl "http://$SERVICE_HOST:8080" \ |
3f7c06f5 |
--internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
fi
fi
|
4a2b1c66 |
if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
CEILOMETER_USER=$(get_id keystone user-create --name=ceilometer \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=ceilometer@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \
--role_id $ADMIN_ROLE |
901eed70 |
# Ceilometer needs ResellerAdmin role to access swift account stats.
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \
--role_id $RESELLER_ROLE |
f36afe58 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
CEILOMETER_SERVICE=$(get_id keystone service-create \
--name=ceilometer \
--type=metering \
--description="Ceilometer Service")
keystone endpoint-create \
--region RegionOne \
--service_id $CEILOMETER_SERVICE \
--publicurl "http://$SERVICE_HOST:8777/" \
--adminurl "http://$SERVICE_HOST:8777/" \
--internalurl "http://$SERVICE_HOST:8777/"
fi
fi
|
3f7c06f5 |
# EC2
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
EC2_SERVICE=$(get_id keystone service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer")
keystone endpoint-create \
--region RegionOne \
--service_id $EC2_SERVICE \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud"
fi
fi
# S3
if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
S3_SERVICE=$(get_id keystone service-create \
--name=s3 \
--type=s3 \
--description="S3")
keystone endpoint-create \
--region RegionOne \
--service_id $S3_SERVICE \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi |
a3a496f9 |
fi |
b297d2d0 |
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants |
3f7c06f5 |
ALT_DEMO_TENANT=$(get_id keystone tenant-create \
--name=alt_demo)
ALT_DEMO_USER=$(get_id keystone user-create \
--name=alt_demo \
--pass="$ADMIN_PASSWORD" \
--email=alt_demo@example.com)
keystone user-role-add \
--tenant_id $ALT_DEMO_TENANT \
--user_id $ALT_DEMO_USER \
--role_id $MEMBER_ROLE |
b297d2d0 |
fi |