@@ -176,12 +176,8 @@ function stop_tuskar {

 # create_tuskar_accounts() - Set up common required tuskar accounts

 function create_tuskar_accounts {

-    # migrated from files/keystone_data.sh

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-    local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")

-    get_or_add_user_role $admin_role $tuskar_user $service_tenant

+    create_service_user "tuskar" "admin"

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -105,13 +105,10 @@ function is_ceilometer_enabled {

 # SERVICE_TENANT_NAME  ceilometer   ResellerAdmin (if Swift is enabled)

 function create_ceilometer_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

     # Ceilometer

     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then

-        local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")

-        get_or_add_user_role $admin_role $ceilometer_user $service_tenant

+

+        create_service_user "ceilometer" "admin"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

             local ceilometer_service=$(get_or_create_service "ceilometer" \

@@ -330,14 +330,10 @@ function configure_cinder {

 # Migrated from keystone_data.sh

 function create_cinder_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

     # Cinder

     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then

-        local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")

-        get_or_add_user_role $admin_role $cinder_user $service_tenant

+        create_service_user "cinder" "admin"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -232,8 +232,7 @@ function configure_glance {

 function create_glance_accounts {

     if is_service_enabled g-api; then

-        local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")

-        get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME

+        create_service_user "glance"

         # required for swift access

         if is_service_enabled s-proxy; then

@@ -246,12 +246,7 @@ function stop_heat {

 # create_heat_accounts() - Set up common required heat accounts

 function create_heat_accounts {

-    # migrated from files/keystone_data.sh

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

-    local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")

-    get_or_add_user_role $admin_role $heat_user $service_tenant

+    create_service_user "heat" "admin"

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -358,15 +358,11 @@ function create_ironic_cache_dir {

 # service              ironic     admin        # if enabled

 function create_ironic_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

     # Ironic

     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then

         # Get ironic user if exists

-        local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")

-        get_or_add_user_role $admin_role $ironic_user $service_tenant

+        create_service_user "ironic" "admin"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -414,6 +414,20 @@ function create_keystone_accounts {

     fi

 }

+# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.

+#

+# create_service_user <name> [role]

+#

+# The role defaults to the service role. It is allowed to be provided as optional as historically

+# a lot of projects have configured themselves with the admin or other role here if they are

+# using this user for other purposes beyond simply auth_token middleware.

+function create_service_user {

+    local role=${2:-service}

+

+    local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")

+    get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"

+}

+

 # Configure the service to use the auth token middleware.

 #

 # configure_auth_token_middleware conf_file admin_user signing_dir [section]

@@ -507,14 +507,9 @@ function create_neutron_cache_dir {

 # Migrated from keystone_data.sh

 function create_neutron_accounts {

-

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local service_role=$(openstack role list | awk "/ service / { print \$2 }")

-

     if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then

-        local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")

-        get_or_add_user_role $service_role $neutron_user $service_tenant

+        create_service_user "neutron"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -353,14 +353,10 @@ function configure_nova {

 # SERVICE_TENANT_NAME  nova         ResellerAdmin (if Swift is enabled)

 function create_nova_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

     # Nova

     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

-        local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")

-        get_or_add_user_role $admin_role $nova_user $service_tenant

+        create_service_user "nova" "admin"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara

 # service     sahara    admin

 function create_sahara_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

-    local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")

-    get_or_add_user_role $admin_role $sahara_user $service_tenant

+    create_service_user "sahara" "admin"

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -601,12 +601,9 @@ function create_swift_accounts {

     KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")

     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")

-    local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")

-    get_or_add_user_role $admin_role $swift_user $service_tenant

+    create_service_user "swift" "admin"

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -623,7 +620,7 @@ function create_swift_accounts {

     die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"

     SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")

     die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"

-    get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1

+    get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1

     local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")

     die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"

@@ -634,7 +631,7 @@ function create_swift_accounts {

     local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")

     die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"

-    get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2

+    get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2

     local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing')

     die_if_not_set $LINENO swift_domain "Failure creating swift_test domain"

@@ -644,7 +641,7 @@ function create_swift_accounts {

     local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)

     die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"

-    get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4

+    get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4

 }

 # init_swift() - Initialize rings

@@ -79,13 +79,9 @@ function setup_trove_logging {

 # service              trove     admin        # if enabled

 function create_trove_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    local service_role=$(openstack role list | awk "/ admin / { print \$2 }")

-

     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then

-        local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")

-        get_or_add_user_role $service_role $trove_user $service_tenant

+        create_service_user "trove" "admin"

         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

@@ -215,11 +215,7 @@ function stop_zaqar {

 }

 function create_zaqar_accounts {

-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")

-    ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")

-

-    local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")

-    get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant

+    create_service_user "zaqar" "admin"

     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then