When creating a service user, we allow the user to be created with a
different role. Currently, in the auth_token middleware, we want to check
that the service token is specified with the service role, so we should
always add the service role and optionally add additional roles.
Change-Id: Ie954a679674b4795079b539ebc8d4d2dcbd7dacc
| ... | ... |
@@ -445,14 +445,16 @@ function create_keystone_accounts {
|
| 445 | 445 |
# |
| 446 | 446 |
# create_service_user <name> [role] |
| 447 | 447 |
# |
| 448 |
-# The role defaults to the service role. It is allowed to be provided as optional as historically |
|
| 448 |
+# We always add the service role, other roles are also allowed to be added as historically |
|
| 449 | 449 |
# a lot of projects have configured themselves with the admin or other role here if they are |
| 450 | 450 |
# using this user for other purposes beyond simply auth_token middleware. |
| 451 | 451 |
function create_service_user {
|
| 452 |
- local role=${2:-service}
|
|
| 453 |
- |
|
| 454 | 452 |
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" |
| 455 |
- get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
|
| 453 |
+ get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
|
| 454 |
+ |
|
| 455 |
+ if [[ -n "$2" ]]; then |
|
| 456 |
+ get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
|
| 457 |
+ fi |
|
| 456 | 458 |
} |
| 457 | 459 |
|
| 458 | 460 |
# Configure the service to use the auth token middleware. |
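Review bot: The usage line above create_service_user still reads `# create_service_user <name> [role]`, which does not tell a caller that the optional role is now granted on top of `service` rather than in place of it. I would reword it to `# create_service_user <name> [extra_role]` and add `# The service role is always granted; extra_role, if given, is added to it and should be the least-privileged role the service needs.`, because callers that pass `admin` still end up with an admin-capable service account. Separately, the new guard `if [[ -n "$2" ]]; then` expands an unset positional parameter; `if [[ -n "${2:-}" ]]; then` behaves the same and stays safe should the script ever run with nounset, which I cannot confirm from this hunk. When a caller passes `service` explicitly the second get_or_add_user_project_role call repeats the first, which is presumably harmless if the helper is idempotent as its name suggests.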