Browse code
Remove references to deprecated ec2 authorizor.
* remove replace_pipeline
* removes references to sysadmin and netadmin roles
* removes references to admin ec2 api
* fixes bug 953744
* related fix in nova: https://review.openstack.org/#change,5024
Change-Id: I8792dae0157b8596a5f946670742411781fe47c0
Anthony Young authored on 2012/03/13 09:12:00Showing 2 changed files
| ... | ... |
@@ -10,7 +10,7 @@ |
| 10 | 10 |
# service quantum admin # if enabled |
| 11 | 11 |
# service swift admin # if enabled |
| 12 | 12 |
# demo admin admin |
| 13 |
-# demo demo Member,sysadmin,netadmin |
|
| 13 |
+# demo demo Member,anotherrole |
|
| 14 | 14 |
# invisible_to_admin demo Member |
| 15 | 15 |
# |
| 16 | 16 |
# Variables set before calling this script: |
| ... | ... |
@@ -50,15 +50,15 @@ DEMO_USER=$(get_id keystone user-create --name=demo \ |
| 50 | 50 |
ADMIN_ROLE=$(get_id keystone role-create --name=admin) |
| 51 | 51 |
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin) |
| 52 | 52 |
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin) |
| 53 |
-SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin) |
|
| 54 |
-NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin) |
|
| 53 |
+# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used |
|
| 54 |
+# TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
|
| 55 |
+ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole) |
|
| 55 | 56 |
|
| 56 | 57 |
|
| 57 | 58 |
# Add Roles to Users in Tenants |
| 58 | 59 |
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT |
| 59 | 60 |
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT |
| 60 |
-keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT |
|
| 61 |
-keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT |
|
| 61 |
+keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT |
|
| 62 | 62 |
|
| 63 | 63 |
# TODO(termie): these two might be dubious |
| 64 | 64 |
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT |
| ... | ... |
@@ -906,15 +906,6 @@ if is_service_enabled n-api; then |
| 906 | 906 |
s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
| 907 | 907 |
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
| 908 | 908 |
" -i $NOVA_CONF_DIR/api-paste.ini |
| 909 |
- |
|
| 910 |
- # Finally, change the Nova pipelines to use Keystone |
|
| 911 |
- function replace_pipeline() {
|
|
| 912 |
- sed "/\[pipeline:$1\]/,/\[/s/^pipeline = .*/pipeline = $2/" -i $NOVA_CONF_DIR/api-paste.ini |
|
| 913 |
- } |
|
| 914 |
- replace_pipeline "ec2cloud" "ec2faultwrap logrequest totoken authtoken keystonecontext cloudrequest authorizer validator ec2executor" |
|
| 915 |
- replace_pipeline "ec2admin" "ec2faultwrap logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor" |
|
| 916 |
- replace_pipeline "openstack_compute_api_v2" "faultwrap authtoken keystonecontext $OSAPI_RATE_LIMIT osapi_compute_app_v2" |
|
| 917 |
- replace_pipeline "openstack_volume_api_v1" "faultwrap authtoken keystonecontext $OSAPI_RATE_LIMIT osapi_volume_app_v1" |
|
| 918 | 909 |
fi |
| 919 | 910 |
|
| 920 | 911 |
# Helper to clean iptables rules |