Currently, the function create_heat_accounts uses the OS_URL and
OS_TOKEN environment variables. This is a bad choice for several
reasons; most importantly, we are sending the "ADMIN_TOKEN" value
as a header. There is also no reason to not use a standard admin
user to create these resources.
Change-Id: I70b41d69917b9e53ad09c2c61e022ef09a50acfd
@@ -866,6 +866,32 @@ function get_or_add_user_project_role {
|
| 866 | 866 |
echo $user_role_id |
| 867 | 867 |
} |
| 868 | 868 |
|
| 869 |
+# Gets or adds user role to domain |
|
| 870 |
+# Usage: get_or_add_user_domain_role <role> <user> <domain> |
|
| 871 |
+function get_or_add_user_domain_role {
|
|
| 872 |
+ local user_role_id |
|
| 873 |
+ # Gets user role id |
|
| 874 |
+ user_role_id=$(openstack role list \ |
|
| 875 |
+ --user $2 \ |
|
| 876 |
+ --column "ID" \ |
|
| 877 |
+ --domain $3 \ |
|
| 878 |
+ --column "Name" \ |
|
| 879 |
+ | grep " $1 " | get_field 1) |
|
| 880 |
+ if [[ -z "$user_role_id" ]]; then |
|
| 881 |
+ # Adds role to user and get it |
|
| 882 |
+ openstack role add $1 \ |
|
| 883 |
+ --user $2 \ |
|
| 884 |
+ --domain $3 |
|
| 885 |
+ user_role_id=$(openstack role list \ |
|
| 886 |
+ --user $2 \ |
|
| 887 |
+ --column "ID" \ |
|
| 888 |
+ --domain $3 \ |
|
| 889 |
+ --column "Name" \ |
|
| 890 |
+ | grep " $1 " | get_field 1) |
|
| 891 |
+ fi |
|
| 892 |
+ echo $user_role_id |
|
| 893 |
+} |
|
| 894 |
+ |
|
| 869 | 895 |
# Gets or adds group role to project |
| 870 | 896 |
# Usage: get_or_add_group_project_role <role> <group> <project> |
| 871 | 897 |
function get_or_add_group_project_role {
|
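Review bot: The role name in `$1` is used as an unanchored grep regex at new lines 879 and 890, and `$1`, `$2`, `$3` are passed unquoted to openstack throughout, so a role, user or domain name containing spaces or regex metacharacters either word-splits or matches the wrong row; use `| grep -F -- " $1 " | get_field 1)` and quote the arguments (`--user "$2"`, `--domain "$3"`). The `openstack role add` at 882-884 has its exit status unchecked, so on failure the function falls through to the second listing and echoes an empty id with status 0, and the caller in create_heat_accounts discards that output anyway, so the failure would go unnoticed. This mirrors the existing get_or_add_user_project_role above the hunk, so the same fix presumably applies there too. `echo $user_role_id` at 892 should likewise be `echo "$user_role_id"`.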
@@ -402,28 +402,13 @@ function create_heat_accounts {
|
| 402 | 402 |
fi |
| 403 | 403 |
|
| 404 | 404 |
if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then |
| 405 |
- # Note we have to pass token/endpoint here because the current endpoint and |
|
| 406 |
- # version negotiation in OSC means just --os-identity-api-version=3 won't work |
|
| 407 |
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
| 408 |
- --os-identity-api-version=3 domain list | grep ' heat ' | get_field 1) |
|
| 409 |
- |
|
| 410 |
- if [[ -z "$D_ID" ]]; then |
|
| 411 |
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
| 412 |
- --os-identity-api-version=3 domain create heat \ |
|
| 413 |
- --description "Owns users and projects created by heat" \ |
|
| 414 |
- | grep ' id ' | get_field 2) |
|
| 415 |
- iniset $HEAT_CONF DEFAULT stack_user_domain_id ${D_ID}
|
|
| 416 |
- |
|
| 417 |
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
| 418 |
- --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \ |
|
| 419 |
- --domain $D_ID heat_domain_admin \ |
|
| 420 |
- --description "Manages users and projects created by heat" |
|
| 421 |
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
| 422 |
- --os-identity-api-version=3 role add \ |
|
| 423 |
- --user heat_domain_admin --domain ${D_ID} admin
|
|
| 424 |
- iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin |
|
| 425 |
- iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD |
|
| 426 |
- fi |
|
| 405 |
+ # domain -> heat and user -> heat_domain_admin |
|
| 406 |
+ domain_id=$(get_or_create_domain heat 'Owns users and projects created by heat') |
|
| 407 |
+ iniset $HEAT_CONF DEFAULT stack_user_domain_id ${domain_id}
|
|
| 408 |
+ get_or_create_user heat_domain_admin $SERVICE_PASSWORD heat |
|
| 409 |
+ get_or_add_user_domain_role admin heat_domain_admin heat |
|
| 410 |
+ iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin |
|
| 411 |
+ iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD |
|
| 427 | 412 |
fi |
| 428 | 413 |
} |
| 429 | 414 |
|
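Review bot: `domain_id` at new line 406 is assigned without `local` and its value is never checked before being written to the config at 407, so an empty result from get_or_create_domain leaks a global into the calling shell and silently sets `stack_user_domain_id` to nothing; add `local domain_id` before the assignment and `[[ -n "$domain_id" ]] || return 1` after it. The new call `get_or_create_user heat_domain_admin $SERVICE_PASSWORD heat` replaces the old `--domain $D_ID`, so it is only equivalent if get_or_create_user treats its third positional argument as the domain rather than a project; that definition is outside this hunk and worth confirming. `$SERVICE_PASSWORD` is still passed unquoted on argv at 408 and 411, as the removed code also did, so it would show in any xtrace output if the script runs under `set -x`; quoting it as `"$SERVICE_PASSWORD"` is the minimal hardening here.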