@@ -330,6 +330,25 @@ which includes the following, with the IP address of the above controller node:

     Q_HOST=$SERVICE_HOST

     MATCHMAKER_REDIS_HOST=$SERVICE_HOST

+# Multi-Region Setup

+

+We want to setup two devstack (RegionOne and RegionTwo) with shared keystone

+(same users and services) and horizon.

+Keystone and Horizon will be located in RegionOne.

+Full spec is available at:

+https://wiki.openstack.org/wiki/Heat/Blueprints/Multi_Region_Support_for_Heat.

+

+In RegionOne:

+

+    REGION_NAME=RegionOne

+

+In RegionTwo:

+

+    disable_service horizon

+    KEYSTONE_SERVICE_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>

+    KEYSTONE_AUTH_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>

+    REGION_NAME=RegionTwo

+

 # Cells

 Cells is a new scaling option with a full spec at:

@@ -719,6 +719,109 @@ function policy_add {

     mv ${tmpfile} ${policy_file}

 }

+# Gets or creates user

+# Usage: get_or_create_user <username> <password> <project> <email>

+function get_or_create_user {

+    # Gets user id

+    USER_ID=$(

+        # Gets user id

+        openstack user show $1 -f value -c id 2>/dev/null ||

+        # Creates new user

+        openstack user create \

+            $1 \

+            --password "$2" \

+            --project $3 \

+            --email $4 \

+            -f value -c id

+    )

+    echo $USER_ID

+}

+

+# Gets or creates project

+# Usage: get_or_create_project <name>

+function get_or_create_project {

+    # Gets project id

+    PROJECT_ID=$(

+        # Gets project id

+        openstack project show $1 -f value -c id 2>/dev/null ||

+        # Creates new project if not exists

+        openstack project create $1 -f value -c id

+    )

+    echo $PROJECT_ID

+}

+

+# Gets or creates role

+# Usage: get_or_create_role <name>

+function get_or_create_role {

+    ROLE_ID=$(

+        # Gets role id

+        openstack role show $1 -f value -c id 2>/dev/null ||

+        # Creates role if not exists

+        openstack role create $1 -f value -c id

+    )

+    echo $ROLE_ID

+}

+

+# Gets or adds user role

+# Usage: get_or_add_user_role <role> <user> <project>

+function get_or_add_user_role {

+    # Gets user role id

+    USER_ROLE_ID=$(openstack user role list \

+        $2 \

+        --project $3 \

+        --column "ID" \

+        --column "Name" \

+        | grep " $1 " | get_field 1)

+    if [[ -z "$USER_ROLE_ID" ]]; then

+        # Adds role to user

+        USER_ROLE_ID=$(openstack role add \

+            $1 \

+            --user $2 \

+            --project $3 \

+            | grep " id " | get_field 2)

+    fi

+    echo $USER_ROLE_ID

+}

+

+# Gets or creates service

+# Usage: get_or_create_service <name> <type> <description>

+function get_or_create_service {

+    # Gets service id

+    SERVICE_ID=$(

+        # Gets service id

+        openstack service show $1 -f value -c id 2>/dev/null ||

+        # Creates new service if not exists

+        openstack service create \

+            $1 \

+            --type=$2 \

+            --description="$3" \

+            -f value -c id

+    )

+    echo $SERVICE_ID

+}

+

+# Gets or creates endpoint

+# Usage: get_or_create_endpoint <service> <region> <publicurl> <adminurl> <internalurl>

+function get_or_create_endpoint {

+    # Gets endpoint id

+    ENDPOINT_ID=$(openstack endpoint list \

+        --column "ID" \

+        --column "Region" \

+        --column "Service Name" \

+        | grep " $2 " \

+        | grep " $1 " | get_field 1)

+    if [[ -z "$ENDPOINT_ID" ]]; then

+        # Creates new endpoint

+        ENDPOINT_ID=$(openstack endpoint create \

+            $1 \

+            --region $2 \

+            --publicurl $3 \

+            --adminurl $4 \

+            --internalurl $5 \

+            | grep " id " | get_field 2)

+    fi

+    echo $ENDPOINT_ID

+}

 # Package Functions

 # =================

@@ -81,35 +81,22 @@ create_ceilometer_accounts() {

     # Ceilometer

     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then

-        CEILOMETER_USER=$(openstack user create \

-            ceilometer \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT \

-            --email ceilometer@example.com \

-            | grep " id " | get_field 2)

-        openstack role add \

-            $ADMIN_ROLE \

-            --project $SERVICE_TENANT \

-            --user $CEILOMETER_USER

+        CEILOMETER_USER=$(get_or_create_user "ceilometer" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT "ceilometer@example.com")

+        get_or_add_user_role $ADMIN_ROLE $CEILOMETER_USER $SERVICE_TENANT

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            CEILOMETER_SERVICE=$(openstack service create \

-                ceilometer \

-                --type=metering \

-                --description="OpenStack Telemetry Service" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $CEILOMETER_SERVICE \

-                --region RegionOne \

-                --publicurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \

-                --adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \

-                --internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"

+            CEILOMETER_SERVICE=$(get_or_create_service "ceilometer" \

+                "metering" "OpenStack Telemetry Service")

+            get_or_create_endpoint $CEILOMETER_SERVICE \

+                "$REGION_NAME" \

+                "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \

+                "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \

+                "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"

         fi

         if is_service_enabled swift; then

             # Ceilometer needs ResellerAdmin role to access swift account stats.

-            openstack role add \

-                --project $SERVICE_TENANT_NAME \

-                --user ceilometer \

-                ResellerAdmin

+            get_or_add_user_role "ResellerAdmin" "ceilometer" $SERVICE_TENANT_NAME

         fi

     fi

 }

@@ -339,39 +339,26 @@ function create_cinder_accounts {

     # Cinder

     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then

-        CINDER_USER=$(openstack user create \

-            cinder \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT \

-            --email cinder@example.com \

-            | grep " id " | get_field 2)

-        openstack role add \

-            $ADMIN_ROLE \

-            --project $SERVICE_TENANT \

-            --user $CINDER_USER

+

+        CINDER_USER=$(get_or_create_user "cinder" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT "cinder@example.com")

+        get_or_add_user_role $ADMIN_ROLE $CINDER_USER $SERVICE_TENANT

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            CINDER_SERVICE=$(openstack service create \

-                cinder \

-                --type=volume \

-                --description="Cinder Volume Service" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $CINDER_SERVICE \

-                --region RegionOne \

-                --publicurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \

-                --adminurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \

-                --internalurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s"

-            CINDER_V2_SERVICE=$(openstack service create \

-                cinderv2 \

-                --type=volumev2 \

-                --description="Cinder Volume Service V2" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $CINDER_V2_SERVICE \

-                --region RegionOne \

-                --publicurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \

-                --adminurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \

-                --internalurl "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s"

+

+            CINDER_SERVICE=$(get_or_create_service "cinder" \

+                "volume" "Cinder Volume Service")

+            get_or_create_endpoint $CINDER_SERVICE "$REGION_NAME" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1/\$(tenant_id)s"

+

+            CINDER_V2_SERVICE=$(get_or_create_service "cinderv2" \

+                "volumev2" "Cinder Volume Service V2")

+            get_or_create_endpoint $CINDER_V2_SERVICE "$REGION_NAME" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s" \

+                "$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v2/\$(tenant_id)s"

         fi

     fi

 }

@@ -164,36 +164,28 @@ function configure_glance {

 function create_glance_accounts {

     if is_service_enabled g-api; then

-        openstack user create \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT_NAME \

-            glance

-        openstack role add \

-            --project $SERVICE_TENANT_NAME \

-            --user glance \

-            service

+

+        GLANCE_USER=$(get_or_create_user "glance" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance@example.com")

+        get_or_add_user_role service $GLANCE_USER $SERVICE_TENANT_NAME

+

         # required for swift access

         if is_service_enabled s-proxy; then

-            openstack user create \

-                --password "$SERVICE_PASSWORD" \

-                --project $SERVICE_TENANT_NAME \

-                glance-swift

-            openstack role add \

-                --project $SERVICE_TENANT_NAME \

-                --user glance-swift \

-                ResellerAdmin

+

+            GLANCE_SWIFT_USER=$(get_or_create_user "glance-swift" \

+                "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com")

+            get_or_add_user_role "ResellerAdmin" $GLANCE_SWIFT_USER $SERVICE_TENANT_NAME

         fi

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            openstack service create \

-                --type image \

-                --description "Glance Image Service" \

-                glance

-            openstack endpoint create \

-                --region RegionOne \

-                --publicurl "http://$GLANCE_HOSTPORT" \

-                --adminurl "http://$GLANCE_HOSTPORT" \

-                --internalurl "http://$GLANCE_HOSTPORT" \

-                glance

+

+            GLANCE_SERVICE=$(get_or_create_service "glance" \

+                "image" "Glance Image Service")

+            get_or_create_endpoint $GLANCE_SERVICE \

+                "$REGION_NAME" \

+                "http://$GLANCE_HOSTPORT" \

+                "http://$GLANCE_HOSTPORT" \

+                "http://$GLANCE_HOSTPORT"

         fi

     fi

 }

@@ -98,6 +98,8 @@ function configure_heat {

     iniset $HEAT_CONF database connection `database_connection_url heat`

     iniset $HEAT_CONF DEFAULT auth_encryption_key `hexdump -n 16 -v -e '/1 "%02x"' /dev/urandom`

+    iniset $HEAT_CONF DEFAULT region_name_for_services "$REGION_NAME"

+

     # logging

     iniset $HEAT_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL

     iniset $HEAT_CONF DEFAULT use_syslog $SYSLOG

@@ -214,57 +216,44 @@ function create_heat_accounts {

     SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

-    HEAT_USER=$(openstack user create \

-        heat \

-        --password "$SERVICE_PASSWORD" \

-        --project $SERVICE_TENANT \

-        --email heat@example.com \

-        | grep " id " | get_field 2)

-    openstack role add \

-        $ADMIN_ROLE \

-        --project $SERVICE_TENANT \

-        --user $HEAT_USER

+    HEAT_USER=$(get_or_create_user "heat" \

+        "$SERVICE_PASSWORD" $SERVICE_TENANT "heat@example.com")

+    get_or_add_user_role $ADMIN_ROLE $HEAT_USER $SERVICE_TENANT

+

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-        HEAT_SERVICE=$(openstack service create \

-            heat \

-            --type=orchestration \

-            --description="Heat Orchestration Service" \

-            | grep " id " | get_field 2)

-        openstack endpoint create \

-                $HEAT_SERVICE \

-                --region RegionOne \

-                --publicurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \

-                --adminurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \

-                --internalurl "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"

-        HEAT_CFN_SERVICE=$(openstack service create \

-            heat \

-            --type=cloudformation \

-            --description="Heat CloudFormation Service" \

-            | grep " id " | get_field 2)

-        openstack endpoint create \

-                $HEAT_CFN_SERVICE \

-                --region RegionOne \

-                --publicurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \

-                --adminurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \

-                --internalurl "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1"

+

+        HEAT_SERVICE=$(get_or_create_service "heat" \

+                "orchestration" "Heat Orchestration Service")

+        get_or_create_endpoint $HEAT_SERVICE \

+            "$REGION_NAME" \

+            "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \

+            "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \

+            "$SERVICE_PROTOCOL://$HEAT_API_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"

+

+        HEAT_CFN_SERVICE=$(get_or_create_service "heat-cfn" \

+                "cloudformation" "Heat CloudFormation Service")

+        get_or_create_endpoint $HEAT_CFN_SERVICE \

+            "$REGION_NAME" \

+            "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \

+            "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1" \

+            "$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST:$HEAT_API_CFN_PORT/v1"

     fi

     # heat_stack_user role is for users created by Heat

-    openstack role create heat_stack_user

+    get_or_create_role "heat_stack_user"

     if [[ $HEAT_DEFERRED_AUTH == trusts ]]; then

+

         # heat_stack_owner role is given to users who create Heat stacks,

         # it's the default role used by heat to delegate to the heat service

         # user (for performing deferred operations via trusts), see heat.conf

-        HEAT_OWNER_ROLE=$(openstack role create \

-            heat_stack_owner \

-            | grep " id " | get_field 2)

+        HEAT_OWNER_ROLE=$(get_or_create_role "heat_stack_owner")

         # Give the role to the demo and admin users so they can create stacks

         # in either of the projects created by devstack

-        openstack role add $HEAT_OWNER_ROLE --project demo --user demo

-        openstack role add $HEAT_OWNER_ROLE --project demo --user admin

-        openstack role add $HEAT_OWNER_ROLE --project admin --user admin

+        get_or_add_user_role $HEAT_OWNER_ROLE demo demo

+        get_or_add_user_role $HEAT_OWNER_ROLE admin demo

+        get_or_add_user_role $HEAT_OWNER_ROLE admin admin

         iniset $HEAT_CONF DEFAULT deferred_auth_method trusts

     fi

@@ -272,21 +261,27 @@ function create_heat_accounts {

         # Note we have to pass token/endpoint here because the current endpoint and

         # version negotiation in OSC means just --os-identity-api-version=3 won't work

         KS_ENDPOINT_V3="$KEYSTONE_SERVICE_URI/v3"

+

         D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

-            --os-identity-api-version=3 domain create heat \

-            --description "Owns users and projects created by heat" \

-            | grep ' id ' | get_field 2)

-        iniset $HEAT_CONF DEFAULT stack_user_domain ${D_ID}

-

-        openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

-            --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \

-            --domain $D_ID heat_domain_admin \

-            --description "Manages users and projects created by heat"

-        openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

-            --os-identity-api-version=3 role add \

-            --user heat_domain_admin --domain ${D_ID} admin

-        iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin

-        iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD

+            --os-identity-api-version=3 domain list | grep ' heat ' | get_field 1)

+

+        if [[ -z "$D_ID" ]]; then

+            D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

+                --os-identity-api-version=3 domain create heat \

+                --description "Owns users and projects created by heat" \

+                | grep ' id ' | get_field 2)

+            iniset $HEAT_CONF DEFAULT stack_user_domain ${D_ID}

+

+            openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

+                --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \

+                --domain $D_ID heat_domain_admin \

+                --description "Manages users and projects created by heat"

+            openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \

+                --os-identity-api-version=3 role add \

+                --user heat_domain_admin --domain ${D_ID} admin

+            iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin

+            iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD

+        fi

     fi

 }

@@ -223,28 +223,21 @@ function create_ironic_accounts {

     # Ironic

     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then

-        IRONIC_USER=$(openstack user create \

-            ironic \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT \

-            --email ironic@example.com \

-            | grep " id " | get_field 2)

-        openstack role add \

-            $ADMIN_ROLE \

-            --project $SERVICE_TENANT \

-            --user $IRONIC_USER

+        # Get ironic user if exists

+

+        IRONIC_USER=$(get_or_create_user "ironic" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT "ironic@example.com")

+        get_or_add_user_role $ADMIN_ROLE $IRONIC_USER $SERVICE_TENANT

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            IRONIC_SERVICE=$(openstack service create \

-                ironic \

-                --type=baremetal \

-                --description="Ironic baremetal provisioning service" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $IRONIC_SERVICE \

-                --region RegionOne \

-                --publicurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \

-                --adminurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \

-                --internalurl "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT"

+

+            IRONIC_SERVICE=$(get_or_create_service "ironic" \

+                "baremetal" "Ironic baremetal provisioning service")

+            get_or_create_endpoint $IRONIC_SERVICE \

+                "$REGION_NAME" \

+                "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \

+                "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT" \

+                "$IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT"

         fi

     fi

 }

@@ -277,6 +277,8 @@ function configure_keystone {

         iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(process)d TRACE %(name)s %(instance)s"

         _config_keystone_apache_wsgi

     fi

+

+    iniset $KEYSTONE_CONF DEFAULT max_token_size 16384

 }

 function configure_keystone_extensions {

@@ -315,79 +317,55 @@ function configure_keystone_extensions {

 function create_keystone_accounts {

     # admin

-    ADMIN_TENANT=$(openstack project create \

-        admin \

-        | grep " id " | get_field 2)

-    ADMIN_USER=$(openstack user create \

-        admin \

-        --project "$ADMIN_TENANT" \

-        --email admin@example.com \

-        --password "$ADMIN_PASSWORD" \

-        | grep " id " | get_field 2)

-    ADMIN_ROLE=$(openstack role create \

-        admin \

-        | grep " id " | get_field 2)

-    openstack role add \

-        $ADMIN_ROLE \

-        --project $ADMIN_TENANT \

-        --user $ADMIN_USER

+    ADMIN_TENANT=$(get_or_create_project "admin")

+    ADMIN_USER=$(get_or_create_user "admin" \

+        "$ADMIN_PASSWORD" "$ADMIN_TENANT" "admin@example.com")

+    ADMIN_ROLE=$(get_or_create_role "admin")

+    get_or_add_user_role $ADMIN_ROLE $ADMIN_USER $ADMIN_TENANT

     # Create service project/role

-    openstack project create $SERVICE_TENANT_NAME

+    get_or_create_project "$SERVICE_TENANT_NAME"

     # Service role, so service users do not have to be admins

-    openstack role create service

+    get_or_create_role service

     # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.

     # The admin role in swift allows a user to act as an admin for their tenant,

     # but ResellerAdmin is needed for a user to act as any tenant. The name of this

     # role is also configurable in swift-proxy.conf

-    openstack role create ResellerAdmin

+    get_or_create_role ResellerAdmin

     # The Member role is used by Horizon and Swift so we need to keep it:

-    MEMBER_ROLE=$(openstack role create \

-        Member \

-        | grep " id " | get_field 2)

+    MEMBER_ROLE=$(get_or_create_role "Member")

+

     # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used

     # TODO(sleepsonthefloor): show how this can be used for rbac in the future!

-    ANOTHER_ROLE=$(openstack role create \

-        anotherrole \

-        | grep " id " | get_field 2)

+

+    ANOTHER_ROLE=$(get_or_create_role "anotherrole")

     # invisible tenant - admin can't see this one

-    INVIS_TENANT=$(openstack project create \

-        invisible_to_admin \

-        | grep " id " | get_field 2)

+    INVIS_TENANT=$(get_or_create_project "invisible_to_admin")

     # demo

-    DEMO_TENANT=$(openstack project create \

-        demo \

-        | grep " id " | get_field 2)

-    DEMO_USER=$(openstack user create \

-        demo \

-        --project $DEMO_TENANT \

-        --email demo@example.com \

-        --password "$ADMIN_PASSWORD" \

-        | grep " id " | get_field 2)

-

-    openstack role add --project $DEMO_TENANT --user $DEMO_USER $MEMBER_ROLE

-    openstack role add --project $DEMO_TENANT --user $ADMIN_USER $ADMIN_ROLE

-    openstack role add --project $DEMO_TENANT --user $DEMO_USER $ANOTHER_ROLE

-    openstack role add --project $INVIS_TENANT --user $DEMO_USER $MEMBER_ROLE

+    DEMO_TENANT=$(get_or_create_project "demo")

+    DEMO_USER=$(get_or_create_user "demo" \

+        "$ADMIN_PASSWORD" "$DEMO_TENANT" "demo@example.com")

+

+    get_or_add_user_role $MEMBER_ROLE $DEMO_USER $DEMO_TENANT

+    get_or_add_user_role $ADMIN_ROLE $ADMIN_USER $DEMO_TENANT

+    get_or_add_user_role $ANOTHER_ROLE $DEMO_USER $DEMO_TENANT

+    get_or_add_user_role $MEMBER_ROLE $DEMO_USER $INVIS_TENANT

     # Keystone

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-        KEYSTONE_SERVICE=$(openstack service create \

-            keystone \

-            --type identity \

-            --description "Keystone Identity Service" \

-            | grep " id " | get_field 2)

-        openstack endpoint create \

-            $KEYSTONE_SERVICE \

-            --region RegionOne \

-            --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \

-            --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \

-            --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"

+

+        KEYSTONE_SERVICE=$(get_or_create_service "keystone" \

+            "identity" "Keystone Identity Service")

+        get_or_create_endpoint $KEYSTONE_SERVICE \

+            "$REGION_NAME" \

+            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \

+            "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \

+            "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION"

     fi

 }

@@ -178,29 +178,19 @@ function create_marconi_accounts {

     SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

-    MARCONI_USER=$(openstack user create \

-        marconi \

-        --password "$SERVICE_PASSWORD" \

-        --project $SERVICE_TENANT \

-        --email marconi@example.com \

-        | grep " id " | get_field 2)

-    openstack role add \

-        $ADMIN_ROLE \

-        --project $SERVICE_TENANT \

-        --user $MARCONI_USER

+    MARCONI_USER=$(get_or_create_user "marconi" \

+        "$SERVICE_PASSWORD" $SERVICE_TENANT "marconi@example.com")

+    get_or_add_user_role $ADMIN_ROLE $MARCONI_USER $SERVICE_TENANT

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-        MARCONI_SERVICE=$(openstack service create \

-            marconi \

-            --type=queuing \

-            --description="Marconi Service" \

-            | grep " id " | get_field 2)

-        openstack endpoint create \

-            $MARCONI_SERVICE \

-            --region RegionOne \

-            --publicurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \

-            --adminurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \

-            --internalurl "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT"

+

+        MARCONI_SERVICE=$(get_or_create_service "marconi" \

+            "queuing" "Marconi Service")

+        get_or_create_endpoint $MARCONI_SERVICE \

+            "$REGION_NAME" \

+            "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \

+            "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT" \

+            "$MARCONI_SERVICE_PROTOCOL://$MARCONI_SERVICE_HOST:$MARCONI_SERVICE_PORT"

     fi

 }

@@ -307,7 +307,7 @@ function create_nova_conf_neutron {

     iniset $NOVA_CONF neutron admin_auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v2.0"

     iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"

     iniset $NOVA_CONF neutron admin_tenant_name "$SERVICE_TENANT_NAME"

-    iniset $NOVA_CONF neutron region_name "RegionOne"

+    iniset $NOVA_CONF neutron region_name "$REGION_NAME"

     iniset $NOVA_CONF neutron url "http://$Q_HOST:$Q_PORT"

     if [[ "$Q_USE_SECGROUP" == "True" ]]; then

@@ -350,28 +350,20 @@ function create_neutron_accounts {

     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

     if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then

-        NEUTRON_USER=$(openstack user create \

-            neutron \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT \

-            --email neutron@example.com \

-            | grep " id " | get_field 2)

-        openstack role add \

-            $ADMIN_ROLE \

-            --project $SERVICE_TENANT \

-            --user $NEUTRON_USER

+

+        NEUTRON_USER=$(get_or_create_user "neutron" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT "neutron@example.com")

+        get_or_add_user_role $ADMIN_ROLE $NEUTRON_USER $SERVICE_TENANT

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            NEUTRON_SERVICE=$(openstack service create \

-                neutron \

-                --type=network \

-                --description="Neutron Service" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $NEUTRON_SERVICE \

-                --region RegionOne \

-                --publicurl "http://$SERVICE_HOST:9696/" \

-                --adminurl "http://$SERVICE_HOST:9696/" \

-                --internalurl "http://$SERVICE_HOST:9696/"

+

+            NEUTRON_SERVICE=$(get_or_create_service "neutron" \

+                "network" "Neutron Service")

+            get_or_create_endpoint $NEUTRON_SERVICE \

+                "$REGION_NAME" \

+                "http://$SERVICE_HOST:9696/" \

+                "http://$SERVICE_HOST:9696/" \

+                "http://$SERVICE_HOST:9696/"

         fi

     fi

 }

@@ -333,39 +333,28 @@ create_nova_accounts() {

     # Nova

     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

-        NOVA_USER=$(openstack user create \

-            nova \

-            --password "$SERVICE_PASSWORD" \

-            --project $SERVICE_TENANT \

-            --email nova@example.com \

-            | grep " id " | get_field 2)

-        openstack role add \

-            $ADMIN_ROLE \

-            --project $SERVICE_TENANT \

-            --user $NOVA_USER

+

+        NOVA_USER=$(get_or_create_user "nova" \

+            "$SERVICE_PASSWORD" $SERVICE_TENANT "nova@example.com")

+        get_or_add_user_role $ADMIN_ROLE $NOVA_USER $SERVICE_TENANT

+

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            NOVA_SERVICE=$(openstack service create \

-                nova \

-                --type=compute \

-                --description="Nova Compute Service" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $NOVA_SERVICE \

-                --region RegionOne \

-                --publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \

-                --adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \

-                --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"

-            NOVA_V3_SERVICE=$(openstack service create \

-                novav3 \

-                --type=computev3 \

-                --description="Nova Compute Service V3" \

-                | grep " id " | get_field 2)

-            openstack endpoint create \

-                $NOVA_V3_SERVICE \

-                --region RegionOne \

-                --publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \

-                --adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \

-                --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"

+

+            NOVA_SERVICE=$(get_or_create_service "nova" \

+                "compute" "Nova Compute Service")

+            get_or_create_endpoint $NOVA_SERVICE \

+                "$REGION_NAME" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"

+

+            NOVA_V3_SERVICE=$(get_or_create_service "novav3" \

+                "computev3" "Nova Compute Service V3")

+            get_or_create_endpoint $NOVA_V3_SERVICE \

+                "$REGION_NAME" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" \

+                "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"

         fi

     fi

@@ -374,40 +363,32 @@ create_nova_accounts() {

         if is_service_enabled swift; then

             # Nova needs ResellerAdmin role to download images when accessing

             # swift through the s3 api.

-            openstack role add \

-                --project $SERVICE_TENANT_NAME \

-                --user nova \

-                ResellerAdmin

+            get_or_add_user_role ResellerAdmin nova $SERVICE_TENANT_NAME

         fi

         # EC2

         if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then

-            openstack service create \

-                --type ec2 \

-                --description "EC2 Compatibility Layer" \

-                ec2

-            openstack endpoint create \

-                --region RegionOne \

-                --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \

-                --adminurl "http://$SERVICE_HOST:8773/services/Admin" \

-                --internalurl "http://$SERVICE_HOST:8773/services/Cloud" \

-                ec2

+

+            EC2_SERVICE=$(get_or_create_service "ec2" \

+                "ec2" "EC2 Compatibility Layer")

+            get_or_create_endpoint $EC2_SERVICE \

+                "$REGION_NAME" \

+                "http://$SERVICE_HOST:8773/services/Cloud" \

+                "http://$SERVICE_HOST:8773/services/Admin" \

+                "http://$SERVICE_HOST:8773/services/Cloud"

         fi

     fi

     # S3

     if is_service_enabled n-obj swift3; then

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-            openstack service create \

-                --type s3 \

-                --description "S3" \

-                s3

-            openstack endpoint create \

-                --region RegionOne \

-                --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \

-                --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \

-                --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \

-                s3

+

+            S3_SERVICE=$(get_or_create_service "s3" "s3" "S3")

+            get_or_create_endpoint $S3_SERVICE \

+                "$REGION_NAME" \

+                "http://$SERVICE_HOST:$S3_SERVICE_PORT" \

+                "http://$SERVICE_HOST:$S3_SERVICE_PORT" \

+                "http://$SERVICE_HOST:$S3_SERVICE_PORT"

         fi

     fi

 }

@@ -60,29 +60,19 @@ function create_sahara_accounts {

     SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

-    SAHARA_USER=$(openstack user create \

-        sahara \

-        --password "$SERVICE_PASSWORD" \

-        --project $SERVICE_TENANT \

-        --email sahara@example.com \

-        | grep " id " | get_field 2)

-    openstack role add \

-        $ADMIN_ROLE \

-        --project $SERVICE_TENANT \

-        --user $SAHARA_USER

+    SAHARA_USER=$(get_or_create_user "sahara" \

+        "$SERVICE_PASSWORD" $SERVICE_TENANT "sahara@example.com")

+    get_or_add_user_role $ADMIN_ROLE $SAHARA_USER $SERVICE_TENANT

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-        SAHARA_SERVICE=$(openstack service create \

-            sahara \

-            --type=data_processing \

-            --description="Sahara Data Processing" \

-            | grep " id " | get_field 2)

-        openstack endpoint create \

-            $SAHARA_SERVICE \

-            --region RegionOne \

-            --publicurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \

-            --adminurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \

-            --internalurl "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s"

+

+        SAHARA_SERVICE=$(get_or_create_service "sahara" \

+            "data_processing" "Sahara Data Processing")

+        get_or_create_endpoint $SAHARA_SERVICE \

+            "$REGION_NAME" \

+            "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \

+            "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s" \

+            "$SAHARA_SERVICE_PROTOCOL://$SAHARA_SERVICE_HOST:$SAHARA_SERVICE_PORT/v1.1/\$(tenant_id)s"

     fi

 }

@@ -542,50 +542,40 @@ function create_swift_accounts {

     SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

-    SWIFT_USER=$(openstack user create \

-        swift \

-        --password "$SERVICE_PASSWORD" \

-        --project $SERVICE_TENANT \

-        --email=swift@example.com \

-        | grep " id " | get_field 2)

-    openstack role add \

-        $ADMIN_ROLE \

-        --project $SERVICE_TENANT \

-        --user $SWIFT_USER

+    SWIFT_USER=$(get_or_create_user "swift" \

+        "$SERVICE_PASSWORD" $SERVICE_TENANT "swift@example.com")

+    get_or_add_user_role $ADMIN_ROLE $SWIFT_USER $SERVICE_TENANT

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

-        SWIFT_SERVICE=$(openstack service create \