Remove the default project from all users
The default project means that a user gains token scoping information for a project if they don't specify another. This is something we want to discourage for user creation. User's should specify there own authentication scope when they authenticate. Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc
This commit is contained in:
Jamie Lennox
parent
c2999d190a
commit
18f39bfb1f
@ -180,8 +180,7 @@ function create_tuskar_accounts {
|
||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
|
||||
local tuskar_user=$(get_or_create_user "tuskar" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $tuskar_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -860,17 +860,17 @@ function get_or_create_group {
|
||||
}
|
||||
|
||||
# Gets or creates user
|
||||
# Usage: get_or_create_user <username> <password> <project> [<email> [<domain>]]
|
||||
# Usage: get_or_create_user <username> <password> [<email> [<domain>]]
|
||||
function get_or_create_user {
|
||||
if [[ ! -z "$4" ]]; then
|
||||
local email="--email=$4"
|
||||
if [[ ! -z "$3" ]]; then
|
||||
local email="--email=$3"
|
||||
else
|
||||
local email=""
|
||||
fi
|
||||
local os_cmd="openstack"
|
||||
local domain=""
|
||||
if [[ ! -z "$5" ]]; then
|
||||
domain="--domain=$5"
|
||||
if [[ ! -z "$4" ]]; then
|
||||
domain="--domain=$4"
|
||||
os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3"
|
||||
fi
|
||||
# Gets user id
|
||||
@ -879,7 +879,6 @@ function get_or_create_user {
|
||||
$os_cmd user create \
|
||||
$1 \
|
||||
--password "$2" \
|
||||
--project $3 \
|
||||
$email \
|
||||
$domain \
|
||||
--or-show \
|
||||
|
||||
@ -110,8 +110,7 @@ function create_ceilometer_accounts {
|
||||
|
||||
# Ceilometer
|
||||
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
|
||||
local ceilometer_user=$(get_or_create_user "ceilometer" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $ceilometer_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -348,8 +348,7 @@ function create_cinder_accounts {
|
||||
# Cinder
|
||||
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
|
||||
|
||||
local cinder_user=$(get_or_create_user "cinder" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $cinder_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -232,15 +232,14 @@ function configure_glance {
|
||||
function create_glance_accounts {
|
||||
if is_service_enabled g-api; then
|
||||
|
||||
local glance_user=$(get_or_create_user "glance" \
|
||||
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME)
|
||||
local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
|
||||
|
||||
# required for swift access
|
||||
if is_service_enabled s-proxy; then
|
||||
|
||||
local glance_swift_user=$(get_or_create_user "glance-swift" \
|
||||
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com")
|
||||
"$SERVICE_PASSWORD" "glance-swift@example.com")
|
||||
get_or_add_user_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
|
||||
fi
|
||||
|
||||
|
||||
3
lib/heat
3
lib/heat
@ -243,8 +243,7 @@ function create_heat_accounts {
|
||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
|
||||
local heat_user=$(get_or_create_user "heat" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $heat_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -365,8 +365,7 @@ function create_ironic_accounts {
|
||||
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
|
||||
# Get ironic user if exists
|
||||
|
||||
local ironic_user=$(get_or_create_user "ironic" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $ironic_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -362,8 +362,7 @@ function create_keystone_accounts {
|
||||
|
||||
# admin
|
||||
local admin_tenant=$(get_or_create_project "admin")
|
||||
local admin_user=$(get_or_create_user "admin" \
|
||||
"$ADMIN_PASSWORD" "$admin_tenant")
|
||||
local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD")
|
||||
local admin_role=$(get_or_create_role "admin")
|
||||
get_or_add_user_role $admin_role $admin_user $admin_tenant
|
||||
|
||||
@ -392,7 +391,7 @@ function create_keystone_accounts {
|
||||
# demo
|
||||
local demo_tenant=$(get_or_create_project "demo")
|
||||
local demo_user=$(get_or_create_user "demo" \
|
||||
"$ADMIN_PASSWORD" "$demo_tenant" "demo@example.com")
|
||||
"$ADMIN_PASSWORD" "demo@example.com")
|
||||
|
||||
get_or_add_user_role $member_role $demo_user $demo_tenant
|
||||
get_or_add_user_role $admin_role $admin_user $demo_tenant
|
||||
|
||||
@ -513,8 +513,7 @@ function create_neutron_accounts {
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
||||
|
||||
local neutron_user=$(get_or_create_user "neutron" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $service_role $neutron_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
3
lib/nova
3
lib/nova
@ -359,8 +359,7 @@ function create_nova_accounts {
|
||||
# Nova
|
||||
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
||||
|
||||
local nova_user=$(get_or_create_user "nova" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $nova_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -64,8 +64,7 @@ function create_sahara_accounts {
|
||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
|
||||
local sahara_user=$(get_or_create_user "sahara" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $sahara_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
16
lib/swift
16
lib/swift
@ -594,8 +594,7 @@ function create_swift_accounts {
|
||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
|
||||
|
||||
local swift_user=$(get_or_create_user "swift" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $admin_role $swift_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
@ -611,21 +610,18 @@ function create_swift_accounts {
|
||||
|
||||
local swift_tenant_test1=$(get_or_create_project swifttenanttest1)
|
||||
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
|
||||
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \
|
||||
"$swift_tenant_test1" "test@example.com")
|
||||
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
|
||||
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
|
||||
get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
|
||||
|
||||
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \
|
||||
"$swift_tenant_test1" "test3@example.com")
|
||||
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
|
||||
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
|
||||
get_or_add_user_role $another_role $swift_user_test3 $swift_tenant_test1
|
||||
|
||||
local swift_tenant_test2=$(get_or_create_project swifttenanttest2)
|
||||
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
|
||||
|
||||
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \
|
||||
"$swift_tenant_test2" "test2@example.com")
|
||||
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
|
||||
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
|
||||
get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
|
||||
|
||||
@ -634,8 +630,8 @@ function create_swift_accounts {
|
||||
|
||||
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
|
||||
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
|
||||
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \
|
||||
$swift_tenant_test4 "test4@example.com" $swift_domain)
|
||||
|
||||
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
|
||||
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
|
||||
get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
|
||||
}
|
||||
|
||||
@ -502,7 +502,7 @@ function create_tempest_accounts {
|
||||
# Tempest has some tests that validate various authorization checks
|
||||
# between two regular users in separate tenants
|
||||
get_or_create_project alt_demo
|
||||
get_or_create_user alt_demo "$ADMIN_PASSWORD" alt_demo "alt_demo@example.com"
|
||||
get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com"
|
||||
get_or_add_user_role Member alt_demo alt_demo
|
||||
fi
|
||||
}
|
||||
|
||||
@ -84,8 +84,7 @@ function create_trove_accounts {
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
|
||||
|
||||
local trove_user=$(get_or_create_user "trove" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $service_role $trove_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -218,8 +218,7 @@ function create_zaqar_accounts {
|
||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
|
||||
local zaqar_user=$(get_or_create_user "zaqar" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
|
||||
get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
Loading…
Reference in New Issue
Block a user