Browse code
Allow putting service users in a seperate domain
Make it possible to construct the service users in their own seperate
domain. Changing this away from Default will not work for everyone yet,
though it does work for basic service interaction however enabling it
will allow us to start testing and hopefully gating that services aren't
relying on v2 only concepts.
Change-Id: I7e73df5dd1caabf355783da2bc0f3007ade92fba
Jamie Lennox authored on 2016/01/22 07:08:14Showing 6 changed files
| ... | ... |
@@ -840,27 +840,49 @@ function get_or_create_role {
|
| 840 | 840 |
echo $role_id |
| 841 | 841 |
} |
| 842 | 842 |
|
| 843 |
+# Returns the domain parts of a function call if present |
|
| 844 |
+# Usage: _get_domain_args [<user_domain> <project_domain>] |
|
| 845 |
+function _get_domain_args {
|
|
| 846 |
+ local domain |
|
| 847 |
+ domain="" |
|
| 848 |
+ |
|
| 849 |
+ if [[ -n "$1" ]]; then |
|
| 850 |
+ domain="$domain --user-domain $1" |
|
| 851 |
+ fi |
|
| 852 |
+ if [[ -n "$2" ]]; then |
|
| 853 |
+ domain="$domain --project-domain $2" |
|
| 854 |
+ fi |
|
| 855 |
+ |
|
| 856 |
+ echo $domain |
|
| 857 |
+} |
|
| 858 |
+ |
|
| 843 | 859 |
# Gets or adds user role to project |
| 844 |
-# Usage: get_or_add_user_project_role <role> <user> <project> |
|
| 860 |
+# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>] |
|
| 845 | 861 |
function get_or_add_user_project_role {
|
| 846 | 862 |
local user_role_id |
| 863 |
+ |
|
| 864 |
+ domain_args=$(_get_domain_args $4 $5) |
|
| 865 |
+ |
|
| 847 | 866 |
# Gets user role id |
| 848 | 867 |
user_role_id=$(openstack role list \ |
| 849 | 868 |
--user $2 \ |
| 850 | 869 |
--column "ID" \ |
| 851 | 870 |
--project $3 \ |
| 852 | 871 |
--column "Name" \ |
| 872 |
+ $domain_args \ |
|
| 853 | 873 |
| grep " $1 " | get_field 1) |
| 854 | 874 |
if [[ -z "$user_role_id" ]]; then |
| 855 | 875 |
# Adds role to user and get it |
| 856 | 876 |
openstack role add $1 \ |
| 857 | 877 |
--user $2 \ |
| 858 |
- --project $3 |
|
| 878 |
+ --project $3 \ |
|
| 879 |
+ $domain_args |
|
| 859 | 880 |
user_role_id=$(openstack role list \ |
| 860 | 881 |
--user $2 \ |
| 861 | 882 |
--column "ID" \ |
| 862 | 883 |
--project $3 \ |
| 863 | 884 |
--column "Name" \ |
| 885 |
+ $domain_args \ |
|
| 864 | 886 |
| grep " $1 " | get_field 1) |
| 865 | 887 |
fi |
| 866 | 888 |
echo $user_role_id |
| ... | ... |
@@ -173,8 +173,8 @@ function configure_glance {
|
| 173 | 173 |
|
| 174 | 174 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD |
| 175 | 175 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3 |
| 176 |
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default |
|
| 177 |
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default |
|
| 176 |
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME |
|
| 177 |
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME |
|
| 178 | 178 |
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3 |
| 179 | 179 |
|
| 180 | 180 |
# commenting is not strictly necessary but it's confusing to have bad values in conf |
| ... | ... |
@@ -288,11 +288,7 @@ function create_glance_accounts {
|
| 288 | 288 |
|
| 289 | 289 |
# required for swift access |
| 290 | 290 |
if is_service_enabled s-proxy; then |
| 291 |
- |
|
| 292 |
- local glance_swift_user |
|
| 293 |
- glance_swift_user=$(get_or_create_user "glance-swift" \ |
|
| 294 |
- "$SERVICE_PASSWORD" "default" "glance-swift@example.com") |
|
| 295 |
- get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME |
|
| 291 |
+ create_service_user "glance-swift" "ResellerAdmin" |
|
| 296 | 292 |
fi |
| 297 | 293 |
|
| 298 | 294 |
get_or_create_service "glance" "image" "Glance Image Service" |
| ... | ... |
@@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
| 106 | 106 |
|
| 107 | 107 |
# Bind hosts |
| 108 | 108 |
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
|
| 109 |
+ |
|
| 109 | 110 |
# Set the project for service accounts in Keystone |
| 111 |
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
|
|
| 110 | 112 |
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
| 111 | 113 |
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
| 112 | 114 |
|
| ... | ... |
@@ -370,6 +372,7 @@ function create_keystone_accounts {
|
| 370 | 370 |
get_or_add_user_domain_role $admin_role $admin_user default |
| 371 | 371 |
|
| 372 | 372 |
# Create service project/role |
| 373 |
+ get_or_create_domain "$SERVICE_DOMAIN_NAME" |
|
| 373 | 374 |
get_or_create_project "$SERVICE_PROJECT_NAME" default |
| 374 | 375 |
|
| 375 | 376 |
# Service role, so service users do not have to be admins |
| ... | ... |
@@ -442,9 +445,8 @@ function create_keystone_accounts {
|
| 442 | 442 |
function create_service_user {
|
| 443 | 443 |
local role=${2:-service}
|
| 444 | 444 |
|
| 445 |
- local user |
|
| 446 |
- user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default) |
|
| 447 |
- get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME" |
|
| 445 |
+ get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" |
|
| 446 |
+ get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME" |
|
| 448 | 447 |
} |
| 449 | 448 |
|
| 450 | 449 |
# Configure the service to use the auth token middleware. |
| ... | ... |
@@ -464,9 +466,9 @@ function configure_auth_token_middleware {
|
| 464 | 464 |
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI |
| 465 | 465 |
iniset $conf_file $section username $admin_user |
| 466 | 466 |
iniset $conf_file $section password $SERVICE_PASSWORD |
| 467 |
- iniset $conf_file $section user_domain_id default |
|
| 467 |
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 468 | 468 |
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME |
| 469 |
- iniset $conf_file $section project_domain_id default |
|
| 469 |
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 470 | 470 |
|
| 471 | 471 |
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI |
| 472 | 472 |
iniset $conf_file $section cafile $SSL_BUNDLE_FILE |
| ... | ... |
@@ -491,9 +491,9 @@ function create_nova_conf_neutron {
|
| 491 | 491 |
iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3" |
| 492 | 492 |
iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME" |
| 493 | 493 |
iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD" |
| 494 |
- iniset $NOVA_CONF neutron user_domain_name "Default" |
|
| 494 |
+ iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 495 | 495 |
iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME" |
| 496 |
- iniset $NOVA_CONF neutron project_domain_name "Default" |
|
| 496 |
+ iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 497 | 497 |
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY" |
| 498 | 498 |
iniset $NOVA_CONF neutron region_name "$REGION_NAME" |
| 499 | 499 |
iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
|
| ... | ... |
@@ -439,7 +439,7 @@ function create_nova_accounts {
|
| 439 | 439 |
if is_service_enabled swift; then |
| 440 | 440 |
# Nova needs ResellerAdmin role to download images when accessing |
| 441 | 441 |
# swift through the s3 api. |
| 442 |
- get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME |
|
| 442 |
+ get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME |
|
| 443 | 443 |
fi |
| 444 | 444 |
fi |
| 445 | 445 |
|
| ... | ... |
@@ -846,7 +846,9 @@ function swift_configure_tempurls {
|
| 846 | 846 |
# note we are using swift credentials! |
| 847 | 847 |
OS_USERNAME=swift \ |
| 848 | 848 |
OS_PASSWORD=$SERVICE_PASSWORD \ |
| 849 |
+ OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \ |
|
| 849 | 850 |
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \ |
| 851 |
+ OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \ |
|
| 850 | 852 |
openstack object store account \ |
| 851 | 853 |
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY" |
| 852 | 854 |
} |