| ... | ... |
@@ -840,27 +840,49 @@ function get_or_create_role {
|
| 840 | 840 |
echo $role_id |
| 841 | 841 |
} |
| 842 | 842 |
|
| 843 |
+# Returns the domain parts of a function call if present |
|
| 844 |
+# Usage: _get_domain_args [<user_domain> <project_domain>] |
|
| 845 |
+function _get_domain_args {
|
|
| 846 |
+ local domain |
|
| 847 |
+ domain="" |
|
| 848 |
+ |
|
| 849 |
+ if [[ -n "$1" ]]; then |
|
| 850 |
+ domain="$domain --user-domain $1" |
|
| 851 |
+ fi |
|
| 852 |
+ if [[ -n "$2" ]]; then |
|
| 853 |
+ domain="$domain --project-domain $2" |
|
| 854 |
+ fi |
|
| 855 |
+ |
|
| 856 |
+ echo $domain |
|
| 857 |
+} |
|
| 858 |
+ |
|
| 843 | 859 |
# Gets or adds user role to project |
| 844 |
-# Usage: get_or_add_user_project_role <role> <user> <project> |
|
| 860 |
+# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>] |
|
| 845 | 861 |
function get_or_add_user_project_role {
|
| 846 | 862 |
local user_role_id |
| 863 |
+ |
|
| 864 |
+ domain_args=$(_get_domain_args $4 $5) |
|
| 865 |
+ |
|
| 847 | 866 |
# Gets user role id |
| 848 | 867 |
user_role_id=$(openstack role list \ |
| 849 | 868 |
--user $2 \ |
| 850 | 869 |
--column "ID" \ |
| 851 | 870 |
--project $3 \ |
| 852 | 871 |
--column "Name" \ |
| 872 |
+ $domain_args \ |
|
| 853 | 873 |
| grep " $1 " | get_field 1) |
| 854 | 874 |
if [[ -z "$user_role_id" ]]; then |
| 855 | 875 |
# Adds role to user and get it |
| 856 | 876 |
openstack role add $1 \ |
| 857 | 877 |
--user $2 \ |
| 858 |
- --project $3 |
|
| 878 |
+ --project $3 \ |
|
| 879 |
+ $domain_args |
|
| 859 | 880 |
user_role_id=$(openstack role list \ |
| 860 | 881 |
--user $2 \ |
| 861 | 882 |
--column "ID" \ |
| 862 | 883 |
--project $3 \ |
| 863 | 884 |
--column "Name" \ |
| 885 |
+ $domain_args \ |
|
| 864 | 886 |
| grep " $1 " | get_field 1) |
| 865 | 887 |
fi |
| 866 | 888 |
echo $user_role_id |
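Review bot: In get_or_add_user_project_role the new `domain_args=$(_get_domain_args $4 $5)` passes both arguments unquoted, so an empty `<user_domain>` with a non-empty `<project_domain>` moves the project domain into `$1` and the helper emits `--user-domain` for it; the role lookup and `openstack role add` would then address the user in the wrong domain. `domain_args` is also assigned without `local`, so it leaks into the caller's scope, unlike `user_role_id` beside it. I would write `local domain_args` followed by `domain_args=$(_get_domain_args "$4" "$5")`. Because `_get_domain_args` returns one flat string that is later expanded unquoted as `$domain_args`, a domain name containing whitespace is still split into separate words, so its usage comment should state that such names are unsupported. The closing brace of get_or_add_user_project_role lies outside the hunk.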
| ... | ... |
@@ -173,8 +173,8 @@ function configure_glance {
|
| 173 | 173 |
|
| 174 | 174 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD |
| 175 | 175 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3 |
| 176 |
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default |
|
| 177 |
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default |
|
| 176 |
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME |
|
| 177 |
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME |
|
| 178 | 178 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3 |
| 179 | 179 |
|
| 180 | 180 |
# commenting is not strictly necessary but it's confusing to have bad values in conf |
| ... | ... |
@@ -288,11 +288,7 @@ function create_glance_accounts {
|
| 288 | 288 |
|
| 289 | 289 |
# required for swift access |
| 290 | 290 |
if is_service_enabled s-proxy; then |
| 291 |
- |
|
| 292 |
- local glance_swift_user |
|
| 293 |
- glance_swift_user=$(get_or_create_user "glance-swift" \ |
|
| 294 |
- "$SERVICE_PASSWORD" "default" "glance-swift@example.com") |
|
| 295 |
- get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME |
|
| 291 |
+ create_service_user "glance-swift" "ResellerAdmin" |
|
| 296 | 292 |
fi |
| 297 | 293 |
|
| 298 | 294 |
get_or_create_service "glance" "image" "Glance Image Service" |
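Review bot: The two new `iniset` lines in configure_glance expand `$SERVICE_DOMAIN_NAME` unquoted, while the same setting in configure_auth_token_middleware is quoted. An operator-supplied domain name containing a space would be split into extra `iniset` arguments, and the value written to the Swift store credentials would likely be wrong (how iniset handles the extra words is not visible here). I would use `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name "$SERVICE_DOMAIN_NAME"` and the same quoting for `project_domain_name`. The call added in create_nova_accounts, `get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME`, has the same unquoted expansions and should be quoted as well. Both functions extend beyond their hunks.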
| ... | ... |
@@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
| 106 | 106 |
|
| 107 | 107 |
# Bind hosts |
| 108 | 108 |
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
|
| 109 |
+ |
|
| 109 | 110 |
# Set the project for service accounts in Keystone |
| 111 |
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
|
|
| 110 | 112 |
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
| 111 | 113 |
|
| 112 | 114 |
# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards |
| ... | ... |
@@ -373,6 +375,7 @@ function create_keystone_accounts {
|
| 373 | 373 |
get_or_add_user_domain_role $admin_role $admin_user default |
| 374 | 374 |
|
| 375 | 375 |
# Create service project/role |
| 376 |
+ get_or_create_domain "$SERVICE_DOMAIN_NAME" |
|
| 376 | 377 |
get_or_create_project "$SERVICE_PROJECT_NAME" default |
| 377 | 378 |
|
| 378 | 379 |
# Service role, so service users do not have to be admins |
| ... | ... |
@@ -445,9 +448,8 @@ function create_keystone_accounts {
|
| 445 | 445 |
function create_service_user {
|
| 446 | 446 |
local role=${2:-service}
|
| 447 | 447 |
|
| 448 |
- local user |
|
| 449 |
- user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default) |
|
| 450 |
- get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME" |
|
| 448 |
+ get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" |
|
| 449 |
+ get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
|
| 451 | 450 |
} |
| 452 | 451 |
|
| 453 | 452 |
# Configure the service to use the auth token middleware. |
| ... | ... |
@@ -467,9 +469,9 @@ function configure_auth_token_middleware {
|
| 467 | 467 |
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI |
| 468 | 468 |
iniset $conf_file $section username $admin_user |
| 469 | 469 |
iniset $conf_file $section password $SERVICE_PASSWORD |
| 470 |
- iniset $conf_file $section user_domain_id default |
|
| 470 |
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 471 | 471 |
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME |
| 472 |
- iniset $conf_file $section project_domain_id default |
|
| 472 |
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 473 | 473 |
|
| 474 | 474 |
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI |
| 475 | 475 |
iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
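Review bot: In create_keystone_accounts the service domain is now created from `$SERVICE_DOMAIN_NAME`, but the following line still creates the service project in the literal `default` domain, while create_service_user passes `$SERVICE_DOMAIN_NAME` as the project domain to get_or_add_user_project_role. With any override other than the default domain, the `--project-domain` lookup would presumably not find the project, or would match a same-named project in the other domain and grant the service role there. I would change the line to `get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"`, assuming get_or_create_project accepts a domain name as well as an ID; its definition is not in this diff. The comment `# Set the project for service accounts in Keystone` now sits above `SERVICE_DOMAIN_NAME` and should read `# Set the domain and project for service accounts in Keystone`.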
| ... | ... |
@@ -491,9 +491,9 @@ function create_nova_conf_neutron {
|
| 491 | 491 |
iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3" |
| 492 | 492 |
iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME" |
| 493 | 493 |
iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD" |
| 494 |
- iniset $NOVA_CONF neutron user_domain_name "Default" |
|
| 494 |
+ iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 495 | 495 |
iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME" |
| 496 |
- iniset $NOVA_CONF neutron project_domain_name "Default" |
|
| 496 |
+ iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 497 | 497 |
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY" |
| 498 | 498 |
iniset $NOVA_CONF neutron region_name "$REGION_NAME" |
| 499 | 499 |
iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
|
| ... | ... |
@@ -439,7 +439,7 @@ function create_nova_accounts {
|
| 439 | 439 |
if is_service_enabled swift; then |
| 440 | 440 |
# Nova needs ResellerAdmin role to download images when accessing |
| 441 | 441 |
# swift through the s3 api. |
| 442 |
- get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME |
|
| 442 |
+ get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME |
|
| 443 | 443 |
fi |
| 444 | 444 |
fi |
| 445 | 445 |
|
| ... | ... |
@@ -846,7 +846,9 @@ function swift_configure_tempurls {
|
| 846 | 846 |
# note we are using swift credentials! |
| 847 | 847 |
OS_USERNAME=swift \ |
| 848 | 848 |
OS_PASSWORD=$SERVICE_PASSWORD \ |
| 849 |
+ OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \ |
|
| 849 | 850 |
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \ |
| 851 |
+ OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \ |
|
| 850 | 852 |
openstack object store account \ |
| 851 | 853 |
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY" |
| 852 | 854 |
} |