keystone_data.sh is getting unwieldy and increasingly needs
configuration information for services. Also need the ability
to manipulate HOST/IP information for hosts to handle service
HA/proxy configurations.
Begin moving the creation of service account information into
the service lib files, starting with the common accounts and
keystone itself.
Change-Id: Ie259f7b71983c4f4a2e33ab9c8a8e2b00238ba38
| ... | ... |
@@ -4,7 +4,6 @@ |
| 4 | 4 |
# |
| 5 | 5 |
# Tenant User Roles |
| 6 | 6 |
# ------------------------------------------------------------------ |
| 7 |
-# admin admin admin |
|
| 8 | 7 |
# service glance admin |
| 9 | 8 |
# service nova admin, [ResellerAdmin (swift only)] |
| 10 | 9 |
# service quantum admin # if enabled |
| ... | ... |
@@ -12,9 +11,6 @@ |
| 12 | 12 |
# service cinder admin # if enabled |
| 13 | 13 |
# service heat admin # if enabled |
| 14 | 14 |
# service ceilometer admin # if enabled |
| 15 |
-# demo admin admin |
|
| 16 |
-# demo demo Member, anotherrole |
|
| 17 |
-# invisible_to_admin demo Member |
|
| 18 | 15 |
# Tempest Only: |
| 19 | 16 |
# alt_demo alt_demo Member |
| 20 | 17 |
# |
| ... | ... |
@@ -40,53 +36,14 @@ function get_id () {
|
| 40 | 40 |
echo `"$@" | awk '/ id / { print $4 }'`
|
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 |
- |
|
| 44 |
-# Tenants |
|
| 45 |
-# ------- |
|
| 46 |
- |
|
| 47 |
-ADMIN_TENANT=$(get_id keystone tenant-create --name=admin) |
|
| 48 |
-SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME) |
|
| 49 |
-DEMO_TENANT=$(get_id keystone tenant-create --name=demo) |
|
| 50 |
-INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin) |
|
| 51 |
- |
|
| 52 |
- |
|
| 53 |
-# Users |
|
| 54 |
-# ----- |
|
| 55 |
- |
|
| 56 |
-ADMIN_USER=$(get_id keystone user-create --name=admin \ |
|
| 57 |
- --pass="$ADMIN_PASSWORD" \ |
|
| 58 |
- --email=admin@example.com) |
|
| 59 |
-DEMO_USER=$(get_id keystone user-create --name=demo \ |
|
| 60 |
- --pass="$ADMIN_PASSWORD" \ |
|
| 61 |
- --email=demo@example.com) |
|
| 43 |
+# Lookups |
|
| 44 |
+SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
| 45 |
+ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
|
|
| 62 | 46 |
|
| 63 | 47 |
|
| 64 | 48 |
# Roles |
| 65 | 49 |
# ----- |
| 66 | 50 |
|
| 67 |
-ADMIN_ROLE=$(get_id keystone role-create --name=admin) |
|
| 68 |
-KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin) |
|
| 69 |
-KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin) |
|
| 70 |
-# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used |
|
| 71 |
-# TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
|
| 72 |
-ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole) |
|
| 73 |
- |
|
| 74 |
- |
|
| 75 |
-# Add Roles to Users in Tenants |
|
| 76 |
-keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT |
|
| 77 |
-keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT |
|
| 78 |
-keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT |
|
| 79 |
- |
|
| 80 |
-# TODO(termie): these two might be dubious |
|
| 81 |
-keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT |
|
| 82 |
-keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT |
|
| 83 |
- |
|
| 84 |
- |
|
| 85 |
-# The Member role is used by Horizon and Swift so we need to keep it: |
|
| 86 |
-MEMBER_ROLE=$(get_id keystone role-create --name=Member) |
|
| 87 |
-keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT |
|
| 88 |
-keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT |
|
| 89 |
- |
|
| 90 | 51 |
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. |
| 91 | 52 |
# The admin role in swift allows a user to act as an admin for their tenant, |
| 92 | 53 |
# but ResellerAdmin is needed for a user to act as any tenant. The name of this |
| ... | ... |
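Review bot: The lookups at new lines 44–45 splice `$SERVICE_TENANT_NAME` into the awk program text, so a name containing regex or awk metacharacters (`.`, `/`, `(`) alters the pattern instead of being matched literally, and both lookups silently yield an empty variable when `keystone tenant-list`/`role-list` fails or the row is absent; the `user-role-add` calls later in this file would then run with an empty `--tenant_id`/`--role_id`. Pass the value in with `-v` and compare the column exactly rather than by substring regex: `SERVICE_TENANT=$(keystone tenant-list | awk -v n="$SERVICE_TENANT_NAME" '$4 == n { print $2 }')` (assuming the table layout in which `$2` is the id column and `$4` the name column, as the existing `print $2` implies; the same `$4 == "admin"` form applies to ADMIN_ROLE). Then abort when the result is empty, e.g. `[[ -n "$SERVICE_TENANT" ]] || { echo "service tenant $SERVICE_TENANT_NAME not found"; exit 1; }`.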
@@ -96,20 +53,6 @@ RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) |
| 96 | 96 |
# Services |
| 97 | 97 |
# -------- |
| 98 | 98 |
|
| 99 |
-# Keystone |
|
| 100 |
-if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
|
| 101 |
- KEYSTONE_SERVICE=$(get_id keystone service-create \ |
|
| 102 |
- --name=keystone \ |
|
| 103 |
- --type=identity \ |
|
| 104 |
- --description="Keystone Identity Service") |
|
| 105 |
- keystone endpoint-create \ |
|
| 106 |
- --region RegionOne \ |
|
| 107 |
- --service_id $KEYSTONE_SERVICE \ |
|
| 108 |
- --publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \ |
|
| 109 |
- --adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \ |
|
| 110 |
- --internalurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" |
|
| 111 |
-fi |
|
| 112 |
- |
|
| 113 | 99 |
# Nova |
| 114 | 100 |
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then |
| 115 | 101 |
NOVA_USER=$(get_id keystone user-create \ |
| ... | ... |
@@ -15,6 +15,7 @@ |
| 15 | 15 |
# configure_keystone |
| 16 | 16 |
# init_keystone |
| 17 | 17 |
# start_keystone |
| 18 |
+# create_keystone_accounts |
|
| 18 | 19 |
# stop_keystone |
| 19 | 20 |
# cleanup_keystone |
| 20 | 21 |
|
| ... | ... |
@@ -45,7 +46,6 @@ KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates |
| 45 | 45 |
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
|
| 46 | 46 |
|
| 47 | 47 |
# Set Keystone interface configuration |
| 48 |
-KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
|
|
| 49 | 48 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
| 50 | 49 |
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
| 51 | 50 |
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
|
| ... | ... |
@@ -144,6 +144,100 @@ function configure_keystone() {
|
| 144 | 144 |
|
| 145 | 145 |
} |
| 146 | 146 |
|
| 147 |
+# create_keystone_accounts() - Sets up common required keystone accounts |
|
| 148 |
+ |
|
| 149 |
+# Tenant User Roles |
|
| 150 |
+# ------------------------------------------------------------------ |
|
| 151 |
+# service -- -- |
|
| 152 |
+# -- -- Member |
|
| 153 |
+# admin admin admin |
|
| 154 |
+# demo admin admin |
|
| 155 |
+# demo demo Member, anotherrole |
|
| 156 |
+# invisible_to_admin demo Member |
|
| 157 |
+ |
|
| 158 |
+# Migrated from keystone_data.sh |
|
| 159 |
+create_keystone_accounts() {
|
|
| 160 |
+ |
|
| 161 |
+ # admin |
|
| 162 |
+ ADMIN_TENANT=$(keystone tenant-create \ |
|
| 163 |
+ --name admin \ |
|
| 164 |
+ | grep " id " | get_field 2) |
|
| 165 |
+ ADMIN_USER=$(keystone user-create \ |
|
| 166 |
+ --name admin \ |
|
| 167 |
+ --pass "$ADMIN_PASSWORD" \ |
|
| 168 |
+ --email admin@example.com \ |
|
| 169 |
+ | grep " id " | get_field 2) |
|
| 170 |
+ ADMIN_ROLE=$(keystone role-create \ |
|
| 171 |
+ --name admin \ |
|
| 172 |
+ | grep " id " | get_field 2) |
|
| 173 |
+ keystone user-role-add \ |
|
| 174 |
+ --user_id $ADMIN_USER \ |
|
| 175 |
+ --role_id $ADMIN_ROLE \ |
|
| 176 |
+ --tenant_id $ADMIN_TENANT |
|
| 177 |
+ |
|
| 178 |
+ # service |
|
| 179 |
+ SERVICE_TENANT=$(keystone tenant-create \ |
|
| 180 |
+ --name $SERVICE_TENANT_NAME \ |
|
| 181 |
+ | grep " id " | get_field 2) |
|
| 182 |
+ |
|
| 183 |
+ # The Member role is used by Horizon and Swift so we need to keep it: |
|
| 184 |
+ MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | get_field 2) |
|
| 185 |
+ # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used |
|
| 186 |
+ # TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
|
| 187 |
+ ANOTHER_ROLE=$(keystone role-create --name=anotherrole | grep " id " | get_field 2) |
|
| 188 |
+ |
|
| 189 |
+ # invisible tenant - admin can't see this one |
|
| 190 |
+ INVIS_TENANT=$(keystone tenant-create --name=invisible_to_admin | grep " id " | get_field 2) |
|
| 191 |
+ |
|
| 192 |
+ # demo |
|
| 193 |
+ DEMO_TENANT=$(keystone tenant-create \ |
|
| 194 |
+ --name=demo \ |
|
| 195 |
+ | grep " id " | get_field 2) |
|
| 196 |
+ DEMO_USER=$(keystone user-create \ |
|
| 197 |
+ --name demo \ |
|
| 198 |
+ --pass "$ADMIN_PASSWORD" \ |
|
| 199 |
+ --email demo@example.com \ |
|
| 200 |
+ | grep " id " | get_field 2) |
|
| 201 |
+ keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT |
|
| 202 |
+ keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT |
|
| 203 |
+ keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT |
|
| 204 |
+ keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT |
|
| 205 |
+ |
|
| 206 |
+ # Keystone |
|
| 207 |
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
|
| 208 |
+ KEYSTONE_SERVICE=$(keystone service-create \ |
|
| 209 |
+ --name keystone \ |
|
| 210 |
+ --type identity \ |
|
| 211 |
+ --description "Keystone Identity Service" \ |
|
| 212 |
+ | grep " id " | get_field 2) |
|
| 213 |
+ keystone endpoint-create \ |
|
| 214 |
+ --region RegionOne \ |
|
| 215 |
+ --service_id $KEYSTONE_SERVICE \ |
|
| 216 |
+ --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \ |
|
| 217 |
+ --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \ |
|
| 218 |
+ --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" |
|
| 219 |
+ fi |
|
| 220 |
+ |
|
| 221 |
+ # TODO(dtroyer): This is part of a series of changes...remove these when |
|
| 222 |
+ # complete if they are really unused |
|
| 223 |
+# KEYSTONEADMIN_ROLE=$(keystone role-create \ |
|
| 224 |
+# --name KeystoneAdmin \ |
|
| 225 |
+# | grep " id " | get_field 2) |
|
| 226 |
+# KEYSTONESERVICE_ROLE=$(keystone role-create \ |
|
| 227 |
+# --name KeystoneServiceAdmin \ |
|
| 228 |
+# | grep " id " | get_field 2) |
|
| 229 |
+ |
|
| 230 |
+ # TODO(termie): these two might be dubious |
|
| 231 |
+# keystone user-role-add \ |
|
| 232 |
+# --user_id $ADMIN_USER \ |
|
| 233 |
+# --role_id $KEYSTONEADMIN_ROLE \ |
|
| 234 |
+# --tenant_id $ADMIN_TENANT |
|
| 235 |
+# keystone user-role-add \ |
|
| 236 |
+# --user_id $ADMIN_USER \ |
|
| 237 |
+# --role_id $KEYSTONESERVICE_ROLE \ |
|
| 238 |
+# --tenant_id $ADMIN_TENANT |
|
| 239 |
+} |
|
| 240 |
+ |
|
| 147 | 241 |
# init_keystone() - Initialize databases, etc. |
| 148 | 242 |
function init_keystone() {
|
| 149 | 243 |
# (Re)create keystone database |
| ... | ... |
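Review bot: Every id in create_keystone_accounts comes from a `keystone ... | grep " id " | get_field 2` pipeline whose exit status is that of the last stage, so a failed `tenant-create`/`user-create`/`role-create` leaves the variable empty and the following unquoted `keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT` runs with missing arguments instead of stopping the bootstrap; the same applies to the demo/invisible assignments at new lines 201–204. Check each id before it is used, in the style this file already uses for the start-up probe, e.g. `[[ -n "$ADMIN_TENANT" ]] || { echo "admin tenant creation failed"; exit 1; }`, and quote the expansions (`--user_id "$ADMIN_USER"`). Two smaller points: the option style alternates between `--name admin` and `--name=demo`/`--name=Member` within one function, and the KeystoneAdmin/KeystoneServiceAdmin blocks at new lines 223–238 are carried as commented-out code rather than removed, which the TODO above them already states is the intent. `get_field` is not defined in this hunk, so I am assuming it prints the N-th column of the table row — please confirm.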
@@ -176,6 +270,11 @@ function install_keystone() {
|
| 176 | 176 |
function start_keystone() {
|
| 177 | 177 |
# Start Keystone in a screen window |
| 178 | 178 |
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" |
| 179 |
+ echo "Waiting for keystone to start..." |
|
| 180 |
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then |
|
| 181 |
+ echo "keystone did not start" |
|
| 182 |
+ exit 1 |
|
| 183 |
+ fi |
|
| 179 | 184 |
} |
| 180 | 185 |
|
| 181 | 186 |
# stop_keystone() - Stop running processes |
| ... | ... |
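Review bot: The readiness probe added at new line 180 polls `$SERVICE_HOST:$KEYSTONE_SERVICE_PORT`, while the endpoint registered by create_keystone_accounts in this same file uses `$KEYSTONE_SERVICE_HOST` and `$KEYSTONE_SERVICE_PROTOCOL`; with the HA/proxy host overrides this change is introducing, the two can diverge and the probe would wait on an address keystone is not serving. Use the same variables in both places: `... curl -s $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ ...`. KEYSTONE_SERVICE_HOST/PORT/PROTOCOL are not assigned anywhere in the visible hunks while the `KEYSTONE_API_PORT` default is removed at old line 48, so this assumes they are defined elsewhere (stackrc or similar) — otherwise both the probe URL and the message at stack.sh line 1753 end up with an empty port. The URL is also interpolated into the `sh -c` program string, so any shell metacharacter in those variables is evaluated by the inner shell; passing it as an argument, `timeout $SERVICE_TIMEOUT sh -c 'while ! http_proxy= curl -s "$1" >/dev/null; do sleep 1; done' _ "$url"`, keeps configuration data out of the command text.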
@@ -953,15 +953,16 @@ if is_service_enabled key; then |
| 953 | 953 |
configure_keystone |
| 954 | 954 |
init_keystone |
| 955 | 955 |
start_keystone |
| 956 |
- echo "Waiting for keystone to start..." |
|
| 957 |
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ >/dev/null; do sleep 1; done"; then |
|
| 958 |
- echo "keystone did not start" |
|
| 959 |
- exit 1 |
|
| 960 |
- fi |
|
| 961 | 956 |
|
| 962 |
- # ``keystone_data.sh`` creates services, admin and demo users, and roles. |
|
| 957 |
+ # Set up a temporary admin URI for Keystone |
|
| 963 | 958 |
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
| 964 | 959 |
|
| 960 |
+ # Do the keystone-specific bits from keystone_data.sh |
|
| 961 |
+ export OS_SERVICE_TOKEN=$SERVICE_TOKEN |
|
| 962 |
+ export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT |
|
| 963 |
+ create_keystone_accounts |
|
| 964 |
+ |
|
| 965 |
+ # ``keystone_data.sh`` creates services, admin and demo users, and roles. |
|
| 965 | 966 |
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \ |
| 966 | 967 |
SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \ |
| 967 | 968 |
S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \ |
| ... | ... |
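Review bot: `export OS_SERVICE_TOKEN=$SERVICE_TOKEN` at new line 961 places the bootstrap admin token in the environment of every process started between here and the `unset` at new line 977, not only `create_keystone_accounts`; that includes the `keystone_data.sh` run, which already receives the token explicitly as `SERVICE_TOKEN=...`, and anything that logs or dumps its environment. Scope the two variables to the call instead: `OS_SERVICE_TOKEN=$SERVICE_TOKEN OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT create_keystone_accounts` — a command-prefix assignment on a bash function lasts for the function's duration and is passed to the `keystone` commands it runs — which also makes the `unset` in the later hunk unnecessary. The return status of `create_keystone_accounts` is not checked either; `create_keystone_accounts || { echo "keystone account setup failed"; exit 1; }` would at least catch a failing last command, though the function's internal pipelines still need their own checks.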
@@ -974,6 +975,7 @@ if is_service_enabled key; then |
| 974 | 974 |
export OS_TENANT_NAME=admin |
| 975 | 975 |
export OS_USERNAME=admin |
| 976 | 976 |
export OS_PASSWORD=$ADMIN_PASSWORD |
| 977 |
+ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT |
|
| 977 | 978 |
fi |
| 978 | 979 |
|
| 979 | 980 |
|
| ... | ... |
@@ -1750,7 +1752,7 @@ fi |
| 1750 | 1750 |
|
| 1751 | 1751 |
# If Keystone is present you can point ``nova`` cli to this server |
| 1752 | 1752 |
if is_service_enabled key; then |
| 1753 |
- echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/" |
|
| 1753 |
+ echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/" |
|
| 1754 | 1754 |
echo "Examples on using novaclient command line is in exercise.sh" |
| 1755 | 1755 |
echo "The default users are: admin and demo" |
| 1756 | 1756 |
echo "The password: $ADMIN_PASSWORD" |