Merge "change tenant to project in keystone bootstrapping"
commit
2e23e64151
56
lib/keystone
56
lib/keystone
@ -106,9 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
|
||||
# Bind hosts
|
||||
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
|
||||
# Set the tenant for service accounts in Keystone
|
||||
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
|
||||
SERVICE_PROJECT_NAME=${SERVICE_TENANT_NAME:-service}
|
||||
# Set the project for service accounts in Keystone
|
||||
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
||||
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
||||
|
||||
# if we are running with SSL use https protocols
|
||||
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
|
||||
@ -335,7 +335,7 @@ function configure_keystone {
|
||||
|
||||
# create_keystone_accounts() - Sets up common required keystone accounts
|
||||
|
||||
# Tenant User Roles
|
||||
# Project User Roles
|
||||
# ------------------------------------------------------------------
|
||||
# admin admin admin
|
||||
# service -- --
|
||||
@ -348,7 +348,7 @@ function configure_keystone {
|
||||
# alt_demo alt_demo Member, anotherrole
|
||||
# invisible_to_admin demo Member
|
||||
|
||||
# Group Users Roles Tenant
|
||||
# Group Users Roles Project
|
||||
# ------------------------------------------------------------------
|
||||
# admins admin admin admin
|
||||
# nonadmins demo, alt_demo Member, anotherrole demo, alt_demo
|
||||
@ -360,8 +360,8 @@ function create_keystone_accounts {
|
||||
# The keystone bootstrapping process (performed via keystone-manage bootstrap)
|
||||
# creates an admin user, admin role and admin project. As a sanity check
|
||||
# we exercise the CLI to retrieve the IDs for these values.
|
||||
local admin_tenant
|
||||
admin_tenant=$(openstack project show "admin" -f value -c id)
|
||||
local admin_project
|
||||
admin_project=$(openstack project show "admin" -f value -c id)
|
||||
local admin_user
|
||||
admin_user=$(openstack user show "admin" -f value -c id)
|
||||
local admin_role
|
||||
@ -376,8 +376,8 @@ function create_keystone_accounts {
|
||||
get_or_create_role service
|
||||
|
||||
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
|
||||
# The admin role in swift allows a user to act as an admin for their tenant,
|
||||
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
|
||||
# The admin role in swift allows a user to act as an admin for their project,
|
||||
# but ResellerAdmin is needed for a user to act as any project. The name of this
|
||||
# role is also configurable in swift-proxy.conf
|
||||
get_or_create_role ResellerAdmin
|
||||
|
||||
@ -390,32 +390,32 @@ function create_keystone_accounts {
|
||||
local another_role
|
||||
another_role=$(get_or_create_role "anotherrole")
|
||||
|
||||
# invisible tenant - admin can't see this one
|
||||
local invis_tenant
|
||||
invis_tenant=$(get_or_create_project "invisible_to_admin" default)
|
||||
# invisible project - admin can't see this one
|
||||
local invis_project
|
||||
invis_project=$(get_or_create_project "invisible_to_admin" default)
|
||||
|
||||
# demo
|
||||
local demo_tenant
|
||||
demo_tenant=$(get_or_create_project "demo" default)
|
||||
local demo_project
|
||||
demo_project=$(get_or_create_project "demo" default)
|
||||
local demo_user
|
||||
demo_user=$(get_or_create_user "demo" \
|
||||
"$ADMIN_PASSWORD" "default" "demo@example.com")
|
||||
|
||||
get_or_add_user_project_role $member_role $demo_user $demo_tenant
|
||||
get_or_add_user_project_role $admin_role $admin_user $demo_tenant
|
||||
get_or_add_user_project_role $another_role $demo_user $demo_tenant
|
||||
get_or_add_user_project_role $member_role $demo_user $invis_tenant
|
||||
get_or_add_user_project_role $member_role $demo_user $demo_project
|
||||
get_or_add_user_project_role $admin_role $admin_user $demo_project
|
||||
get_or_add_user_project_role $another_role $demo_user $demo_project
|
||||
get_or_add_user_project_role $member_role $demo_user $invis_project
|
||||
|
||||
# alt_demo
|
||||
local alt_demo_tenant
|
||||
alt_demo_tenant=$(get_or_create_project "alt_demo" default)
|
||||
local alt_demo_project
|
||||
alt_demo_project=$(get_or_create_project "alt_demo" default)
|
||||
local alt_demo_user
|
||||
alt_demo_user=$(get_or_create_user "alt_demo" \
|
||||
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
|
||||
|
||||
get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_tenant
|
||||
get_or_add_user_project_role $admin_role $admin_user $alt_demo_tenant
|
||||
get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_tenant
|
||||
get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
|
||||
get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
|
||||
get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
||||
|
||||
# groups
|
||||
local admin_group
|
||||
@ -425,11 +425,11 @@ function create_keystone_accounts {
|
||||
non_admin_group=$(get_or_create_group "nonadmins" \
|
||||
"default" "non-admin group")
|
||||
|
||||
get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
|
||||
get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
|
||||
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_tenant
|
||||
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_tenant
|
||||
get_or_add_group_project_role $admin_role $admin_group $admin_tenant
|
||||
get_or_add_group_project_role $member_role $non_admin_group $demo_project
|
||||
get_or_add_group_project_role $another_role $non_admin_group $demo_project
|
||||
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
|
||||
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
||||
get_or_add_group_project_role $admin_role $admin_group $admin_project
|
||||
}
|
||||
|
||||
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
||||
|
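Review bot: In the variable block near the top of lib/keystone, the replacement pair appears to discard an operator's existing `SERVICE_TENANT_NAME` setting: `SERVICE_PROJECT_NAME` now defaults only from itself, and `SERVICE_TENANT_NAME` is then overwritten unconditionally from it. A local.conf that still sets only the old name would have that value replaced by `service` with no warning, so service accounts could end up in a different project than the one configured. Falling back through the old name keeps such configs working: `SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-${SERVICE_TENANT_NAME:-service}}`. The `:-service` default on the following `SERVICE_TENANT_NAME=` line can never fire, because `SERVICE_PROJECT_NAME` is already non-empty at that point. This reading takes the second, project-named pair as the new side, which the page layout and commit title suggest but the page does not mark explicitly.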