The code for creating service users is almost exactly the same. Abstract
this into a function that can be reused and standardized.
Change-Id: I3a4edbff0a928da7ef9b0097a5a8d508fdfab7ff
... | ... |
@@ -176,12 +176,8 @@ function stop_tuskar { |
176 | 176 |
|
177 | 177 |
# create_tuskar_accounts() - Set up common required tuskar accounts |
178 | 178 |
function create_tuskar_accounts { |
179 |
- # migrated from files/keystone_data.sh |
|
180 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
181 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
182 | 179 |
|
183 |
- local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD") |
|
184 |
- get_or_add_user_role $admin_role $tuskar_user $service_tenant |
|
180 |
+ create_service_user "tuskar" "admin" |
|
185 | 181 |
|
186 | 182 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
187 | 183 |
|
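Review bot: `create_service_user "tuskar" "admin"` carries the admin grant forward without saying why this account needs more than the helper's default `service` role. Every account built by the helper is created with the same `$SERVICE_PASSWORD`, so each admin-role service user widens what one leaked service credential can do on `$SERVICE_TENANT_NAME`. I would add a comment above the call, `# admin kept for parity with the pre-refactor code; TODO confirm tuskar needs more than the service role`, and the same on the ceilometer, cinder, heat, ironic, nova, sahara, swift, trove and zaqar calls. The body of `create_tuskar_accounts` continues past the end of the hunk.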
... | ... |
@@ -105,13 +105,10 @@ function is_ceilometer_enabled { |
105 | 105 |
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled) |
106 | 106 |
function create_ceilometer_accounts { |
107 | 107 |
|
108 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
109 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
110 |
- |
|
111 | 108 |
# Ceilometer |
112 | 109 |
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then |
113 |
- local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD") |
|
114 |
- get_or_add_user_role $admin_role $ceilometer_user $service_tenant |
|
110 |
+ |
|
111 |
+ create_service_user "ceilometer" "admin" |
|
115 | 112 |
|
116 | 113 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
117 | 114 |
local ceilometer_service=$(get_or_create_service "ceilometer" \ |
... | ... |
@@ -330,14 +330,10 @@ function configure_cinder { |
330 | 330 |
# Migrated from keystone_data.sh |
331 | 331 |
function create_cinder_accounts { |
332 | 332 |
|
333 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
334 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
335 |
- |
|
336 | 333 |
# Cinder |
337 | 334 |
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then |
338 | 335 |
|
339 |
- local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD") |
|
340 |
- get_or_add_user_role $admin_role $cinder_user $service_tenant |
|
336 |
+ create_service_user "cinder" "admin" |
|
341 | 337 |
|
342 | 338 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
343 | 339 |
|
... | ... |
@@ -232,8 +232,7 @@ function configure_glance { |
232 | 232 |
function create_glance_accounts { |
233 | 233 |
if is_service_enabled g-api; then |
234 | 234 |
|
235 |
- local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD") |
|
236 |
- get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME |
|
235 |
+ create_service_user "glance" |
|
237 | 236 |
|
238 | 237 |
# required for swift access |
239 | 238 |
if is_service_enabled s-proxy; then |
... | ... |
@@ -246,12 +246,7 @@ function stop_heat { |
246 | 246 |
|
247 | 247 |
# create_heat_accounts() - Set up common required heat accounts |
248 | 248 |
function create_heat_accounts { |
249 |
- # migrated from files/keystone_data.sh |
|
250 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
251 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
252 |
- |
|
253 |
- local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD") |
|
254 |
- get_or_add_user_role $admin_role $heat_user $service_tenant |
|
249 |
+ create_service_user "heat" "admin" |
|
255 | 250 |
|
256 | 251 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
257 | 252 |
|
... | ... |
@@ -358,15 +358,11 @@ function create_ironic_cache_dir { |
358 | 358 |
# service ironic admin # if enabled |
359 | 359 |
function create_ironic_accounts { |
360 | 360 |
|
361 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
362 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
363 |
- |
|
364 | 361 |
# Ironic |
365 | 362 |
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then |
366 | 363 |
# Get ironic user if exists |
367 | 364 |
|
368 |
- local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD") |
|
369 |
- get_or_add_user_role $admin_role $ironic_user $service_tenant |
|
365 |
+ create_service_user "ironic" "admin" |
|
370 | 366 |
|
371 | 367 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
372 | 368 |
|
... | ... |
@@ -414,6 +414,20 @@ function create_keystone_accounts { |
414 | 414 |
fi |
415 | 415 |
} |
416 | 416 |
|
417 |
+# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. |
|
418 |
+# |
|
419 |
+# create_service_user <name> [role] |
|
420 |
+# |
|
421 |
+# The role defaults to the service role. It is allowed to be provided as optional as historically |
|
422 |
+# a lot of projects have configured themselves with the admin or other role here if they are |
|
423 |
+# using this user for other purposes beyond simply auth_token middleware. |
|
424 |
+function create_service_user { |
|
425 |
+ local role=${2:-service} |
|
426 |
+ |
|
427 |
+ local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD") |
|
428 |
+ get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME" |
|
429 |
+} |
|
430 |
+ |
|
417 | 431 |
# Configure the service to use the auth token middleware. |
418 | 432 |
# |
419 | 433 |
# configure_auth_token_middleware conf_file admin_user signing_dir [section] |
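Review bot: `create_service_user` never checks that `get_or_create_user` returned an id, so a failed user creation falls through to `get_or_add_user_role` with an empty `$user`; declaring and assigning in one `local user=$(...)` statement also discards the substitution's exit status. The swift section on this page guards the same call with `die_if_not_set`, and the helper could do likewise: `local user`, then `user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")`, then `die_if_not_set $LINENO user "Failure creating service user $1"`. Because this helper now creates every service account, a silent failure here would leave a service without its role assignment instead of stopping the run, which would presumably only surface later as token-validation errors.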
... | ... |
@@ -507,14 +507,9 @@ function create_neutron_cache_dir { |
507 | 507 |
|
508 | 508 |
# Migrated from keystone_data.sh |
509 | 509 |
function create_neutron_accounts { |
510 |
- |
|
511 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
512 |
- local service_role=$(openstack role list | awk "/ service / { print \$2 }") |
|
513 |
- |
|
514 | 510 |
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then |
515 | 511 |
|
516 |
- local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD") |
|
517 |
- get_or_add_user_role $service_role $neutron_user $service_tenant |
|
512 |
+ create_service_user "neutron" |
|
518 | 513 |
|
519 | 514 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
520 | 515 |
|
... | ... |
@@ -353,14 +353,10 @@ function configure_nova { |
353 | 353 |
# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled) |
354 | 354 |
function create_nova_accounts { |
355 | 355 |
|
356 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
357 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
358 |
- |
|
359 | 356 |
# Nova |
360 | 357 |
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then |
361 | 358 |
|
362 |
- local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD") |
|
363 |
- get_or_add_user_role $admin_role $nova_user $service_tenant |
|
359 |
+ create_service_user "nova" "admin" |
|
364 | 360 |
|
365 | 361 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
366 | 362 |
|
... | ... |
@@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara |
61 | 61 |
# service sahara admin |
62 | 62 |
function create_sahara_accounts { |
63 | 63 |
|
64 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
65 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
66 |
- |
|
67 |
- local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD") |
|
68 |
- get_or_add_user_role $admin_role $sahara_user $service_tenant |
|
64 |
+ create_service_user "sahara" "admin" |
|
69 | 65 |
|
70 | 66 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
71 | 67 |
|
... | ... |
@@ -601,12 +601,9 @@ function create_swift_accounts { |
601 | 601 |
|
602 | 602 |
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} |
603 | 603 |
|
604 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
605 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
606 | 604 |
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }") |
607 | 605 |
|
608 |
- local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD") |
|
609 |
- get_or_add_user_role $admin_role $swift_user $service_tenant |
|
606 |
+ create_service_user "swift" "admin" |
|
610 | 607 |
|
611 | 608 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
612 | 609 |
|
... | ... |
@@ -623,7 +620,7 @@ function create_swift_accounts { |
623 | 623 |
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1" |
624 | 624 |
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com") |
625 | 625 |
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1" |
626 |
- get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1 |
|
626 |
+ get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1 |
|
627 | 627 |
|
628 | 628 |
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com") |
629 | 629 |
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3" |
... | ... |
@@ -634,7 +631,7 @@ function create_swift_accounts { |
634 | 634 |
|
635 | 635 |
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com") |
636 | 636 |
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2" |
637 |
- get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2 |
|
637 |
+ get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2 |
|
638 | 638 |
|
639 | 639 |
local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing') |
640 | 640 |
die_if_not_set $LINENO swift_domain "Failure creating swift_test domain" |
... | ... |
@@ -644,7 +641,7 @@ function create_swift_accounts { |
644 | 644 |
|
645 | 645 |
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain) |
646 | 646 |
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4" |
647 |
- get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4 |
|
647 |
+ get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4 |
|
648 | 648 |
} |
649 | 649 |
|
650 | 650 |
# init_swift() - Initialize rings |
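Review bot: The three rewritten grants, e.g. `get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1`, pass their user and project arguments unquoted, while the new `create_service_user` helper quotes all three. The user variables are guarded by `die_if_not_set` on the line above each grant, but no guard for `swift_tenant_test2` or `swift_tenant_test4` is visible in these hunks, and an empty expansion would silently shift the arguments. Suggest `get_or_add_user_role admin "$SWIFT_USER_TEST1" "$swift_tenant_test1"` and the same quoting on the test2 and test4 lines. `create_swift_accounts` starts before the first hunk, so guards outside the visible lines may exist.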
... | ... |
@@ -79,13 +79,9 @@ function setup_trove_logging { |
79 | 79 |
# service trove admin # if enabled |
80 | 80 |
|
81 | 81 |
function create_trove_accounts { |
82 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
83 |
- local service_role=$(openstack role list | awk "/ admin / { print \$2 }") |
|
84 |
- |
|
85 | 82 |
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then |
86 | 83 |
|
87 |
- local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD") |
|
88 |
- get_or_add_user_role $service_role $trove_user $service_tenant |
|
84 |
+ create_service_user "trove" "admin" |
|
89 | 85 |
|
90 | 86 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
91 | 87 |
|
... | ... |
@@ -215,11 +215,7 @@ function stop_zaqar { |
215 | 215 |
} |
216 | 216 |
|
217 | 217 |
function create_zaqar_accounts { |
218 |
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") |
|
219 |
- ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }") |
|
220 |
- |
|
221 |
- local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD") |
|
222 |
- get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant |
|
218 |
+ create_service_user "zaqar" "admin" |
|
223 | 219 |
|
224 | 220 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
225 | 221 |
|
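Review bot: The removed `ADMIN_ROLE=$(openstack role list | awk ...)` line was the only assignment in this function without `local`, so it set a global; dropping it is safe only if nothing later in this file or in a caller reads `$ADMIN_ROLE`. The rest of `create_zaqar_accounts` lies outside the hunk, so that cannot be confirmed from here. A grep for `ADMIN_ROLE` is worth doing before merge; if a reader exists, it can take the literal role name `admin`, as the swift grants on this page now do.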