Remove the default project from all users
The default project means that a user gains token scoping information for a project if they don't specify another. This is something we want to discourage for user creation. User's should specify there own authentication scope when they authenticate. Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc
This commit is contained in:
Jamie Lennox
parent
c2999d190a
commit
18f39bfb1f
@ -180,8 +180,7 @@ function create_tuskar_accounts {
|
|||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
|
|
||||||
local tuskar_user=$(get_or_create_user "tuskar" \
|
local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $tuskar_user $service_tenant
|
get_or_add_user_role $admin_role $tuskar_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -860,17 +860,17 @@ function get_or_create_group {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Gets or creates user
|
# Gets or creates user
|
||||||
# Usage: get_or_create_user <username> <password> <project> [<email> [<domain>]]
|
# Usage: get_or_create_user <username> <password> [<email> [<domain>]]
|
||||||
function get_or_create_user {
|
function get_or_create_user {
|
||||||
if [[ ! -z "$4" ]]; then
|
if [[ ! -z "$3" ]]; then
|
||||||
local email="--email=$4"
|
local email="--email=$3"
|
||||||
else
|
else
|
||||||
local email=""
|
local email=""
|
||||||
fi
|
fi
|
||||||
local os_cmd="openstack"
|
local os_cmd="openstack"
|
||||||
local domain=""
|
local domain=""
|
||||||
if [[ ! -z "$5" ]]; then
|
if [[ ! -z "$4" ]]; then
|
||||||
domain="--domain=$5"
|
domain="--domain=$4"
|
||||||
os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3"
|
os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3"
|
||||||
fi
|
fi
|
||||||
# Gets user id
|
# Gets user id
|
||||||
@ -879,7 +879,6 @@ function get_or_create_user {
|
|||||||
$os_cmd user create \
|
$os_cmd user create \
|
||||||
$1 \
|
$1 \
|
||||||
--password "$2" \
|
--password "$2" \
|
||||||
--project $3 \
|
|
||||||
$email \
|
$email \
|
||||||
$domain \
|
$domain \
|
||||||
--or-show \
|
--or-show \
|
||||||
|
|||||||
@ -110,8 +110,7 @@ function create_ceilometer_accounts {
|
|||||||
|
|
||||||
# Ceilometer
|
# Ceilometer
|
||||||
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
|
||||||
local ceilometer_user=$(get_or_create_user "ceilometer" \
|
local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $ceilometer_user $service_tenant
|
get_or_add_user_role $admin_role $ceilometer_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -348,8 +348,7 @@ function create_cinder_accounts {
|
|||||||
# Cinder
|
# Cinder
|
||||||
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
|
||||||
|
|
||||||
local cinder_user=$(get_or_create_user "cinder" \
|
local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $cinder_user $service_tenant
|
get_or_add_user_role $admin_role $cinder_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -232,15 +232,14 @@ function configure_glance {
|
|||||||
function create_glance_accounts {
|
function create_glance_accounts {
|
||||||
if is_service_enabled g-api; then
|
if is_service_enabled g-api; then
|
||||||
|
|
||||||
local glance_user=$(get_or_create_user "glance" \
|
local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME)
|
|
||||||
get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
|
get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
|
||||||
|
|
||||||
# required for swift access
|
# required for swift access
|
||||||
if is_service_enabled s-proxy; then
|
if is_service_enabled s-proxy; then
|
||||||
|
|
||||||
local glance_swift_user=$(get_or_create_user "glance-swift" \
|
local glance_swift_user=$(get_or_create_user "glance-swift" \
|
||||||
"$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com")
|
"$SERVICE_PASSWORD" "glance-swift@example.com")
|
||||||
get_or_add_user_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
|
get_or_add_user_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
3
lib/heat
3
lib/heat
@ -243,8 +243,7 @@ function create_heat_accounts {
|
|||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
|
|
||||||
local heat_user=$(get_or_create_user "heat" \
|
local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $heat_user $service_tenant
|
get_or_add_user_role $admin_role $heat_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -365,8 +365,7 @@ function create_ironic_accounts {
|
|||||||
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
|
||||||
# Get ironic user if exists
|
# Get ironic user if exists
|
||||||
|
|
||||||
local ironic_user=$(get_or_create_user "ironic" \
|
local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $ironic_user $service_tenant
|
get_or_add_user_role $admin_role $ironic_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -362,8 +362,7 @@ function create_keystone_accounts {
|
|||||||
|
|
||||||
# admin
|
# admin
|
||||||
local admin_tenant=$(get_or_create_project "admin")
|
local admin_tenant=$(get_or_create_project "admin")
|
||||||
local admin_user=$(get_or_create_user "admin" \
|
local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD")
|
||||||
"$ADMIN_PASSWORD" "$admin_tenant")
|
|
||||||
local admin_role=$(get_or_create_role "admin")
|
local admin_role=$(get_or_create_role "admin")
|
||||||
get_or_add_user_role $admin_role $admin_user $admin_tenant
|
get_or_add_user_role $admin_role $admin_user $admin_tenant
|
||||||
|
|
||||||
@ -392,7 +391,7 @@ function create_keystone_accounts {
|
|||||||
# demo
|
# demo
|
||||||
local demo_tenant=$(get_or_create_project "demo")
|
local demo_tenant=$(get_or_create_project "demo")
|
||||||
local demo_user=$(get_or_create_user "demo" \
|
local demo_user=$(get_or_create_user "demo" \
|
||||||
"$ADMIN_PASSWORD" "$demo_tenant" "demo@example.com")
|
"$ADMIN_PASSWORD" "demo@example.com")
|
||||||
|
|
||||||
get_or_add_user_role $member_role $demo_user $demo_tenant
|
get_or_add_user_role $member_role $demo_user $demo_tenant
|
||||||
get_or_add_user_role $admin_role $admin_user $demo_tenant
|
get_or_add_user_role $admin_role $admin_user $demo_tenant
|
||||||
|
|||||||
@ -513,8 +513,7 @@ function create_neutron_accounts {
|
|||||||
|
|
||||||
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
||||||
|
|
||||||
local neutron_user=$(get_or_create_user "neutron" \
|
local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $service_role $neutron_user $service_tenant
|
get_or_add_user_role $service_role $neutron_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
3
lib/nova
3
lib/nova
@ -359,8 +359,7 @@ function create_nova_accounts {
|
|||||||
# Nova
|
# Nova
|
||||||
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
||||||
|
|
||||||
local nova_user=$(get_or_create_user "nova" \
|
local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $nova_user $service_tenant
|
get_or_add_user_role $admin_role $nova_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -64,8 +64,7 @@ function create_sahara_accounts {
|
|||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
|
|
||||||
local sahara_user=$(get_or_create_user "sahara" \
|
local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $sahara_user $service_tenant
|
get_or_add_user_role $admin_role $sahara_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
16
lib/swift
16
lib/swift
@ -594,8 +594,7 @@ function create_swift_accounts {
|
|||||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
|
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
|
||||||
|
|
||||||
local swift_user=$(get_or_create_user "swift" \
|
local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $admin_role $swift_user $service_tenant
|
get_or_add_user_role $admin_role $swift_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
@ -611,21 +610,18 @@ function create_swift_accounts {
|
|||||||
|
|
||||||
local swift_tenant_test1=$(get_or_create_project swifttenanttest1)
|
local swift_tenant_test1=$(get_or_create_project swifttenanttest1)
|
||||||
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
|
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
|
||||||
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \
|
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
|
||||||
"$swift_tenant_test1" "test@example.com")
|
|
||||||
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
|
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
|
||||||
get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
|
get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
|
||||||
|
|
||||||
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \
|
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
|
||||||
"$swift_tenant_test1" "test3@example.com")
|
|
||||||
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
|
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
|
||||||
get_or_add_user_role $another_role $swift_user_test3 $swift_tenant_test1
|
get_or_add_user_role $another_role $swift_user_test3 $swift_tenant_test1
|
||||||
|
|
||||||
local swift_tenant_test2=$(get_or_create_project swifttenanttest2)
|
local swift_tenant_test2=$(get_or_create_project swifttenanttest2)
|
||||||
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
|
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
|
||||||
|
|
||||||
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \
|
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
|
||||||
"$swift_tenant_test2" "test2@example.com")
|
|
||||||
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
|
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
|
||||||
get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
|
get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
|
||||||
|
|
||||||
@ -634,8 +630,8 @@ function create_swift_accounts {
|
|||||||
|
|
||||||
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
|
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
|
||||||
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
|
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
|
||||||
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \
|
|
||||||
$swift_tenant_test4 "test4@example.com" $swift_domain)
|
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
|
||||||
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
|
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
|
||||||
get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
|
get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
|
||||||
}
|
}
|
||||||
|
|||||||
@ -502,7 +502,7 @@ function create_tempest_accounts {
|
|||||||
# Tempest has some tests that validate various authorization checks
|
# Tempest has some tests that validate various authorization checks
|
||||||
# between two regular users in separate tenants
|
# between two regular users in separate tenants
|
||||||
get_or_create_project alt_demo
|
get_or_create_project alt_demo
|
||||||
get_or_create_user alt_demo "$ADMIN_PASSWORD" alt_demo "alt_demo@example.com"
|
get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com"
|
||||||
get_or_add_user_role Member alt_demo alt_demo
|
get_or_add_user_role Member alt_demo alt_demo
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
@ -84,8 +84,7 @@ function create_trove_accounts {
|
|||||||
|
|
||||||
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
|
||||||
|
|
||||||
local trove_user=$(get_or_create_user "trove" \
|
local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $service_role $trove_user $service_tenant
|
get_or_add_user_role $service_role $trove_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
@ -218,8 +218,7 @@ function create_zaqar_accounts {
|
|||||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||||
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||||
|
|
||||||
local zaqar_user=$(get_or_create_user "zaqar" \
|
local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
|
||||||
"$SERVICE_PASSWORD" $service_tenant)
|
|
||||||
get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
|
get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
|
||||||
|
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user