This includes requiring a domain when creating a user. This will allow us to
control where users are created in a later patch.
Adding the token to the user creation call is required because of a bad
interaction between OpenStackClient, os-client-config and keystoneclient
when v2 authentication is combined with v3 API calls. It will be cleaned
up when we switch to v3 credentials.
Change-Id: I6ef50fd384d423bc0f13ee1016a8bdbb0650ecd9
Implements: bp keystonev3
... | ... |
@@ -675,9 +675,8 @@ function get_or_create_domain { |
675 | 675 |
} |
676 | 676 |
|
677 | 677 |
# Gets or creates group |
678 |
-# Usage: get_or_create_group <groupname> [<domain> <description>] |
|
678 |
+# Usage: get_or_create_group <groupname> <domain> [<description>] |
|
679 | 679 |
function get_or_create_group { |
680 |
- local domain=${2:+--domain ${2}} |
|
681 | 680 |
local desc="${3:-}" |
682 | 681 |
local os_url="$KEYSTONE_SERVICE_URI_V3" |
683 | 682 |
# Gets group id |
... | ... |
@@ -685,34 +684,30 @@ function get_or_create_group { |
685 | 685 |
# Creates new group with --or-show |
686 | 686 |
openstack --os-token=$OS_TOKEN --os-url=$os_url \ |
687 | 687 |
--os-identity-api-version=3 group create $1 \ |
688 |
- $domain --description "$desc" --or-show \ |
|
688 |
+ --domain $2 --description "$desc" --or-show \ |
|
689 | 689 |
-f value -c id |
690 | 690 |
) |
691 | 691 |
echo $group_id |
692 | 692 |
} |
693 | 693 |
|
694 | 694 |
# Gets or creates user |
695 |
-# Usage: get_or_create_user <username> <password> [<email> [<domain>]] |
|
695 |
+# Usage: get_or_create_user <username> <password> <domain> [<email>] |
|
696 | 696 |
function get_or_create_user { |
697 |
- if [[ ! -z "$3" ]]; then |
|
698 |
- local email="--email=$3" |
|
697 |
+ if [[ ! -z "$4" ]]; then |
|
698 |
+ local email="--email=$4" |
|
699 | 699 |
else |
700 | 700 |
local email="" |
701 | 701 |
fi |
702 |
- local os_cmd="openstack" |
|
703 |
- local domain="" |
|
704 |
- if [[ ! -z "$4" ]]; then |
|
705 |
- domain="--domain=$4" |
|
706 |
- os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3" |
|
707 |
- fi |
|
708 | 702 |
# Gets user id |
709 | 703 |
local user_id=$( |
710 | 704 |
# Creates new user with --or-show |
711 |
- $os_cmd user create \ |
|
705 |
+ openstack user create \ |
|
712 | 706 |
$1 \ |
713 | 707 |
--password "$2" \ |
708 |
+ --os-url=$KEYSTONE_SERVICE_URI_V3 \ |
|
709 |
+ --os-identity-api-version=3 \ |
|
710 |
+ --domain=$3 \ |
|
714 | 711 |
$email \ |
715 |
- $domain \ |
|
716 | 712 |
--or-show \ |
717 | 713 |
-f value -c id |
718 | 714 |
) |
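Review bot: The domain is now a required positional argument, but neither function checks that it was supplied, and both expand it unquoted (`--domain $2` in get_or_create_group, `--domain=$3` in get_or_create_user). With an empty second argument the group call degenerates to `--domain --description ...`, which the client will reject or misparse, whereas the removed `${2:+--domain ${2}}` simply left the flag out. Because the email and domain positions were swapped, any caller not updated by this commit would pass its email address as the domain. I would quote both expansions, `--domain "$2"` and `--domain="$3"`, and fail early on an empty domain, for example with the `die_if_not_set` helper the callers already use. get_or_create_user continues past the end of the hunk.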
... | ... |
@@ -254,7 +254,7 @@ function create_glance_accounts { |
254 | 254 |
if is_service_enabled s-proxy; then |
255 | 255 |
|
256 | 256 |
local glance_swift_user=$(get_or_create_user "glance-swift" \ |
257 |
- "$SERVICE_PASSWORD" "glance-swift@example.com") |
|
257 |
+ "$SERVICE_PASSWORD" "default" "glance-swift@example.com") |
|
258 | 258 |
get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME |
259 | 259 |
fi |
260 | 260 |
|
... | ... |
@@ -358,7 +358,7 @@ function create_keystone_accounts { |
358 | 358 |
|
359 | 359 |
# admin |
360 | 360 |
local admin_tenant=$(get_or_create_project "admin" default) |
361 |
- local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD") |
|
361 |
+ local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default) |
|
362 | 362 |
local admin_role=$(get_or_create_role "admin") |
363 | 363 |
get_or_add_user_project_role $admin_role $admin_user $admin_tenant |
364 | 364 |
|
... | ... |
@@ -387,7 +387,7 @@ function create_keystone_accounts { |
387 | 387 |
# demo |
388 | 388 |
local demo_tenant=$(get_or_create_project "demo" default) |
389 | 389 |
local demo_user=$(get_or_create_user "demo" \ |
390 |
- "$ADMIN_PASSWORD" "demo@example.com") |
|
390 |
+ "$ADMIN_PASSWORD" "default" "demo@example.com") |
|
391 | 391 |
|
392 | 392 |
get_or_add_user_project_role $member_role $demo_user $demo_tenant |
393 | 393 |
get_or_add_user_project_role $admin_role $admin_user $demo_tenant |
... | ... |
@@ -426,7 +426,7 @@ function create_keystone_accounts { |
426 | 426 |
function create_service_user { |
427 | 427 |
local role=${2:-service} |
428 | 428 |
|
429 |
- local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD") |
|
429 |
+ local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default) |
|
430 | 430 |
get_or_add_user_project_role "$role" "$user" "$SERVICE_TENANT_NAME" |
431 | 431 |
} |
432 | 432 |
|
... | ... |
@@ -618,18 +618,21 @@ function create_swift_accounts { |
618 | 618 |
|
619 | 619 |
local swift_tenant_test1=$(get_or_create_project swifttenanttest1 default) |
620 | 620 |
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1" |
621 |
- SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com") |
|
621 |
+ SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \ |
|
622 |
+ "default" "test@example.com") |
|
622 | 623 |
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1" |
623 | 624 |
get_or_add_user_project_role admin $SWIFT_USER_TEST1 $swift_tenant_test1 |
624 | 625 |
|
625 |
- local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com") |
|
626 |
+ local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \ |
|
627 |
+ "default" "test3@example.com") |
|
626 | 628 |
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3" |
627 | 629 |
get_or_add_user_project_role $another_role $swift_user_test3 $swift_tenant_test1 |
628 | 630 |
|
629 | 631 |
local swift_tenant_test2=$(get_or_create_project swifttenanttest2 default) |
630 | 632 |
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2" |
631 | 633 |
|
632 |
- local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com") |
|
634 |
+ local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \ |
|
635 |
+ "default" "test2@example.com") |
|
633 | 636 |
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2" |
634 | 637 |
get_or_add_user_project_role admin $swift_user_test2 $swift_tenant_test2 |
635 | 638 |
|
... | ... |
@@ -639,7 +642,8 @@ function create_swift_accounts { |
639 | 639 |
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain) |
640 | 640 |
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4" |
641 | 641 |
|
642 |
- local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain) |
|
642 |
+ local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \ |
|
643 |
+ $swift_domain "test4@example.com") |
|
643 | 644 |
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4" |
644 | 645 |
get_or_add_user_project_role admin $swift_user_test4 $swift_tenant_test4 |
645 | 646 |
} |
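Review bot: The password arguments in the rewritten calls are expanded unquoted (`$swiftusertest1_password`, and likewise for test2, test3 and test4), and the required domain now sits directly after them. If one of those variables is empty or contains whitespace, word splitting shifts the positions, so `"default"` could be taken as the password and the e-mail address as the domain. Quoting closes that: `"$swiftusertest1_password"` in each call, and `"$swift_domain"` in the swiftusertest4 call. create_swift_accounts begins before the first hunk shown here.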
... | ... |
@@ -547,7 +547,7 @@ function create_tempest_accounts { |
547 | 547 |
# Tempest has some tests that validate various authorization checks |
548 | 548 |
# between two regular users in separate tenants |
549 | 549 |
get_or_create_project alt_demo default |
550 |
- get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com" |
|
550 |
+ get_or_create_user alt_demo "$ADMIN_PASSWORD" "default" "alt_demo@example.com" |
|
551 | 551 |
get_or_add_user_project_role Member alt_demo alt_demo |
552 | 552 |
fi |
553 | 553 |
} |
... | ... |
@@ -1006,6 +1006,9 @@ if is_service_enabled keystone; then |
1006 | 1006 |
# Begone token auth |
1007 | 1007 |
unset OS_TOKEN OS_URL |
1008 | 1008 |
|
1009 |
+ # force set to use v2 identity authentication even with v3 commands |
|
1010 |
+ export OS_AUTH_TYPE=v2password |
|
1011 |
+ |
|
1009 | 1012 |
# Set up password auth credentials now that Keystone is bootstrapped |
1010 | 1013 |
export OS_AUTH_URL=$SERVICE_ENDPOINT |
1011 | 1014 |
export OS_TENANT_NAME=admin |