For testing reasons it's typically very useful to have a second non
admin user to cross check that it can't do a thing to the first
user. It was useful enough we always created it with tempest (though
we didn't always use it).
This makes devstack always create an alt_demo user, which is available
in occ as devstack-alt. This will help us unwind some of the keystone
v3 breaks with functional tests using keystone cli to build this
second user.
Change-Id: Iaaf02469180563e2d8c413fee0ee66ada2296cfa
... | ... |
@@ -9,7 +9,7 @@ if is_service_enabled tempest; then |
9 | 9 |
install_tempest |
10 | 10 |
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then |
11 | 11 |
# Tempest config must come after layer 2 services are running |
12 |
- create_tempest_accounts |
|
12 |
+ : |
|
13 | 13 |
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then |
14 | 14 |
echo_summary "Initializing Tempest" |
15 | 15 |
configure_tempest |
... | ... |
@@ -28,4 +28,3 @@ if is_service_enabled tempest; then |
28 | 28 |
: |
29 | 29 |
fi |
30 | 30 |
fi |
31 |
- |
... | ... |
@@ -86,6 +86,7 @@ function write_clouds_yaml { |
86 | 86 |
if [ -f "$SSL_BUNDLE_FILE" ]; then |
87 | 87 |
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE" |
88 | 88 |
fi |
89 |
+ # demo -> devstack |
|
89 | 90 |
$TOP_DIR/tools/update_clouds_yaml.py \ |
90 | 91 |
--file $CLOUDS_YAML \ |
91 | 92 |
--os-cloud devstack \ |
... | ... |
@@ -96,6 +97,20 @@ function write_clouds_yaml { |
96 | 96 |
--os-username demo \ |
97 | 97 |
--os-password $ADMIN_PASSWORD \ |
98 | 98 |
--os-project-name demo |
99 |
+ |
|
100 |
+ # alt_demo -> devstack-alt |
|
101 |
+ $TOP_DIR/tools/update_clouds_yaml.py \ |
|
102 |
+ --file $CLOUDS_YAML \ |
|
103 |
+ --os-cloud devstack \ |
|
104 |
+ --os-region-name $REGION_NAME \ |
|
105 |
+ --os-identity-api-version 3 \ |
|
106 |
+ $CA_CERT_ARG \ |
|
107 |
+ --os-auth-url $KEYSTONE_AUTH_URI \ |
|
108 |
+ --os-username alt_demo \ |
|
109 |
+ --os-password $ADMIN_PASSWORD \ |
|
110 |
+ --os-project-name alt_demo |
|
111 |
+ |
|
112 |
+ # admin -> devstack-admin |
|
99 | 113 |
$TOP_DIR/tools/update_clouds_yaml.py \ |
100 | 114 |
--file $CLOUDS_YAML \ |
101 | 115 |
--os-cloud devstack-admin \ |
... | ... |
@@ -327,6 +327,8 @@ function configure_keystone { |
327 | 327 |
# -- -- Member |
328 | 328 |
# demo admin admin |
329 | 329 |
# demo demo Member, anotherrole |
330 |
+# alt_demo admin admin |
|
331 |
+# alt_demo alt_demo Member, anotherrole |
|
330 | 332 |
# invisible_to_admin demo Member |
331 | 333 |
|
332 | 334 |
# Group Users Roles Tenant |
... | ... |
@@ -387,6 +389,18 @@ function create_keystone_accounts { |
387 | 387 |
get_or_add_user_project_role $another_role $demo_user $demo_tenant |
388 | 388 |
get_or_add_user_project_role $member_role $demo_user $invis_tenant |
389 | 389 |
|
390 |
+ # alt_demo |
|
391 |
+ local alt_demo_tenant |
|
392 |
+ alt_demo_tenant=$(get_or_create_project "alt_demo" default) |
|
393 |
+ local alt_demo_user |
|
394 |
+ alt_demo_user=$(get_or_create_user "alt_demo" \ |
|
395 |
+ "$ADMIN_PASSWORD" "default" "alt_demo@example.com") |
|
396 |
+ |
|
397 |
+ get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_tenant |
|
398 |
+ get_or_add_user_project_role $admin_role $admin_user $alt_demo_tenant |
|
399 |
+ get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_tenant |
|
400 |
+ |
|
401 |
+ # groups |
|
390 | 402 |
local admin_group |
391 | 403 |
admin_group=$(get_or_create_group "admins" \ |
392 | 404 |
"default" "openstack admin group") |
... | ... |
@@ -396,6 +410,8 @@ function create_keystone_accounts { |
396 | 396 |
|
397 | 397 |
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant |
398 | 398 |
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant |
399 |
+ get_or_add_group_project_role $member_role $non_admin_group $alt_demo_tenant |
|
400 |
+ get_or_add_group_project_role $another_role $non_admin_group $alt_demo_tenant |
|
399 | 401 |
get_or_add_group_project_role $admin_role $admin_group $admin_tenant |
400 | 402 |
} |
401 | 403 |
|
... | ... |
@@ -568,21 +568,6 @@ function configure_tempest { |
568 | 568 |
IFS=$ifs |
569 | 569 |
} |
570 | 570 |
|
571 |
-# create_tempest_accounts() - Set up common required tempest accounts |
|
572 |
- |
|
573 |
-# Project User Roles |
|
574 |
-# ------------------------------------------------------------------ |
|
575 |
-# alt_demo alt_demo Member |
|
576 |
- |
|
577 |
-function create_tempest_accounts { |
|
578 |
- if is_service_enabled tempest; then |
|
579 |
- # Tempest has some tests that validate various authorization checks |
|
580 |
- # between two regular users in separate tenants |
|
581 |
- get_or_create_project alt_demo default |
|
582 |
- get_or_create_user alt_demo "$ADMIN_PASSWORD" "default" "alt_demo@example.com" |
|
583 |
- get_or_add_user_project_role Member alt_demo alt_demo |
|
584 |
- fi |
|
585 |
-} |
|
586 | 571 |
|
587 | 572 |
# install_tempest_lib() - Collect source, prepare, and install ``tempest-lib`` |
588 | 573 |
function install_tempest_lib { |