Currently, the function create_heat_accounts uses the OS_URL and
OS_TOKEN environment variables. This is a bad choice for several
reasons; most importantly, we are sending the "ADMIN_TOKEN" value
as a header. There is also no reason not to use a standard admin
user to create these resources.
Change-Id: I70b41d69917b9e53ad09c2c61e022ef09a50acfd
@@ -866,6 +866,32 @@ function get_or_add_user_project_role { |
866 | 866 |
echo $user_role_id |
867 | 867 |
} |
868 | 868 |
|
869 |
+# Gets or adds user role to domain |
|
870 |
+# Usage: get_or_add_user_domain_role <role> <user> <domain> |
|
871 |
+function get_or_add_user_domain_role { |
|
872 |
+ local user_role_id |
|
873 |
+ # Gets user role id |
|
874 |
+ user_role_id=$(openstack role list \ |
|
875 |
+ --user $2 \ |
|
876 |
+ --column "ID" \ |
|
877 |
+ --domain $3 \ |
|
878 |
+ --column "Name" \ |
|
879 |
+ | grep " $1 " | get_field 1) |
|
880 |
+ if [[ -z "$user_role_id" ]]; then |
|
881 |
+ # Adds role to user and get it |
|
882 |
+ openstack role add $1 \ |
|
883 |
+ --user $2 \ |
|
884 |
+ --domain $3 |
|
885 |
+ user_role_id=$(openstack role list \ |
|
886 |
+ --user $2 \ |
|
887 |
+ --column "ID" \ |
|
888 |
+ --domain $3 \ |
|
889 |
+ --column "Name" \ |
|
890 |
+ | grep " $1 " | get_field 1) |
|
891 |
+ fi |
|
892 |
+ echo $user_role_id |
|
893 |
+} |
|
894 |
+ |
|
869 | 895 |
# Gets or adds group role to project |
870 | 896 |
# Usage: get_or_add_group_project_role <role> <group> <project> |
871 | 897 |
function get_or_add_group_project_role { |
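Review bot: The `openstack role add $1 --user $2 --domain $3` call in the new get_or_add_user_domain_role is unchecked, so when it fails the second `role list` finds nothing and the function echoes an empty id, which the new caller in create_heat_accounts never inspects. Consider `openstack role add "$1" --user "$2" --domain "$3" || return 1` so the failure surfaces instead of producing a silent empty result. The positional parameters are also passed unquoted to openstack and `$1` is interpolated into a regex (`grep " $1 "`); quoting them and using `grep -F -- " $1 "` would avoid word-splitting and match the role name literally.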
@@ -402,28 +402,13 @@ function create_heat_accounts { |
402 | 402 |
fi |
403 | 403 |
|
404 | 404 |
if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then |
405 |
- # Note we have to pass token/endpoint here because the current endpoint and |
|
406 |
- # version negotiation in OSC means just --os-identity-api-version=3 won't work |
|
407 |
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
408 |
- --os-identity-api-version=3 domain list | grep ' heat ' | get_field 1) |
|
409 |
- |
|
410 |
- if [[ -z "$D_ID" ]]; then |
|
411 |
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
412 |
- --os-identity-api-version=3 domain create heat \ |
|
413 |
- --description "Owns users and projects created by heat" \ |
|
414 |
- | grep ' id ' | get_field 2) |
|
415 |
- iniset $HEAT_CONF DEFAULT stack_user_domain_id ${D_ID} |
|
416 |
- |
|
417 |
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
418 |
- --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \ |
|
419 |
- --domain $D_ID heat_domain_admin \ |
|
420 |
- --description "Manages users and projects created by heat" |
|
421 |
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
422 |
- --os-identity-api-version=3 role add \ |
|
423 |
- --user heat_domain_admin --domain ${D_ID} admin |
|
424 |
- iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin |
|
425 |
- iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD |
|
426 |
- fi |
|
405 |
+ # domain -> heat and user -> heat_domain_admin |
|
406 |
+ domain_id=$(get_or_create_domain heat 'Owns users and projects created by heat') |
|
407 |
+ iniset $HEAT_CONF DEFAULT stack_user_domain_id ${domain_id} |
|
408 |
+ get_or_create_user heat_domain_admin $SERVICE_PASSWORD heat |
|
409 |
+ get_or_add_user_domain_role admin heat_domain_admin heat |
|
410 |
+ iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin |
|
411 |
+ iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD |
|
427 | 412 |
fi |
428 | 413 |
} |
429 | 414 |
|
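Review bot: `domain_id` in the new create_heat_accounts body is assigned without `local`, so it leaks into the calling shell's global scope; declare it with `local domain_id` before the `get_or_create_domain` assignment. Nothing checks the value before `iniset $HEAT_CONF DEFAULT stack_user_domain_id ${domain_id}`, so a failed get_or_create_domain writes an empty stack_user_domain_id into the config; a guard such as `[[ -n "$domain_id" ]] || return 1` between those two lines would catch it. The password is still handed to get_or_create_user as a positional argument, where it is visible in process listings and xtrace output, as it was before this change. create_heat_accounts starts before this hunk.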