Browse code
Use service role with glance service
glance just used to admin role for token validation,
the service role is sufficient for this.
glance also needs an user with enough permission to use swift,
so creating a dedictated service user for swift usage when s-proxy is
enabled.
Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
Attila Fazekas authored on 2014/01/21 19:13:55Showing 2 changed files
| ... | ... |
@@ -2,12 +2,14 @@ |
| 2 | 2 |
# |
| 3 | 3 |
# Initial data for Keystone using python-keystoneclient |
| 4 | 4 |
# |
| 5 |
-# Tenant User Roles |
|
| 5 |
+# Tenant User Roles |
|
| 6 | 6 |
# ------------------------------------------------------------------ |
| 7 |
-# service glance admin |
|
| 8 |
-# service heat service # if enabled |
|
| 7 |
+# service glance service |
|
| 8 |
+# service glance-swift ResellerAdmin |
|
| 9 |
+# service heat service # if enabled |
|
| 10 |
+# service ceilometer admin # if enabled |
|
| 9 | 11 |
# Tempest Only: |
| 10 |
-# alt_demo alt_demo Member |
|
| 12 |
+# alt_demo alt_demo Member |
|
| 11 | 13 |
# |
| 12 | 14 |
# Variables set before calling this script: |
| 13 | 15 |
# SERVICE_TOKEN - aka admin_token in keystone.conf |
| ... | ... |
@@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then |
| 96 | 96 |
keystone user-role-add \ |
| 97 | 97 |
--tenant $SERVICE_TENANT_NAME \ |
| 98 | 98 |
--user glance \ |
| 99 |
- --role admin |
|
| 99 |
+ --role service |
|
| 100 |
+ # required for swift access |
|
| 101 |
+ if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then |
|
| 102 |
+ keystone user-create \ |
|
| 103 |
+ --name=glance-swift \ |
|
| 104 |
+ --pass="$SERVICE_PASSWORD" \ |
|
| 105 |
+ --tenant $SERVICE_TENANT_NAME \ |
|
| 106 |
+ --email=glance-swift@example.com |
|
| 107 |
+ keystone user-role-add \ |
|
| 108 |
+ --tenant $SERVICE_TENANT_NAME \ |
|
| 109 |
+ --user glance-swift \ |
|
| 110 |
+ --role ResellerAdmin |
|
| 111 |
+ fi |
|
| 100 | 112 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| 101 | 113 |
keystone service-create \ |
| 102 | 114 |
--name=glance \ |
| ... | ... |
@@ -124,7 +124,7 @@ function configure_glance() {
|
| 124 | 124 |
if is_service_enabled s-proxy; then |
| 125 | 125 |
iniset $GLANCE_API_CONF DEFAULT default_store swift |
| 126 | 126 |
iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ |
| 127 |
- iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance |
|
| 127 |
+ iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift |
|
| 128 | 128 |
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD |
| 129 | 129 |
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True |
| 130 | 130 |
|