From 85a85f87f814446dd2364eea1b6d976d50500203 Mon Sep 17 00:00:00 2001
From: Attila Fazekas
Date: Tue, 21 Jan 2014 11:13:55 +0100
Subject: [PATCH] Use service role with glance service glance just used to admin role for token validation, the service role is sufficient for this. glance also needs an user with enough permission to use swift, so creating a dedictated service user for swift usage when s-proxy is enabled.
Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
---
 files/keystone_data.sh | 24 +++++++++++++++++++-----
 lib/glance | 2 +-
 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index d477c42906..9a34c7616f 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -2,12 +2,14 @@
 #
 # Initial data for Keystone using python-keystoneclient
 #
-# Tenant User Roles
+# Tenant User Roles
 # ------------------------------------------------------------------
-# service glance admin
-# service heat service # if enabled
+# service glance service
+# service glance-swift ResellerAdmin
+# service heat service # if enabled
+# service ceilometer admin # if enabled
 # Tempest Only:
-# alt_demo alt_demo Member
+# alt_demo alt_demo Member
 #
 # Variables set before calling this script:
 # SERVICE_TOKEN - aka admin_token in keystone.conf
@@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
 keystone user-role-add \
 --tenant $SERVICE_TENANT_NAME \
 --user glance \
- --role admin
+ --role service
+ # required for swift access
+ if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
+ keystone user-create \
+ --name=glance-swift \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant $SERVICE_TENANT_NAME \
+ --email=glance-swift@example.com
+ keystone user-role-add \
+ --tenant $SERVICE_TENANT_NAME \
+ --user glance-swift \
+ --role ResellerAdmin
+ fi
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 keystone service-create \
 --name=glance \
diff --git a/lib/glance b/lib/glance
index 2d41ea4653..00f499a0b9 100644
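Review bot: In files/keystone_data.sh the new glance-swift user gets `--role ResellerAdmin`, which is broader than storing images needs: in Swift's keystoneauth the reseller-admin role may operate on every account, not only the service tenant's. The user is also created with `--pass="$SERVICE_PASSWORD"`, the same variable the lib/glance hunk writes to `swift_store_key`, so whoever can read glance-api.conf holds that Swift-wide credential. If glance only needs containers in the service tenant, a tenant-scoped Swift operator role would be enough; if not, the comment above the block should say so, e.g. `# glance-swift gets ResellerAdmin (all swift accounts), not only $SERVICE_TENANT_NAME`. The enclosing `if [[ "$ENABLED_SERVICES" =~ "g-api" ]]` block starts and ends outside the hunk, so whether the ResellerAdmin role already exists at this point cannot be checked from here.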
--- a/lib/glance
+++ b/lib/glance
@@ -124,7 +124,7 @@ function configure_glance() {
 if is_service_enabled s-proxy; then
 iniset $GLANCE_API_CONF DEFAULT default_store swift
 iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
- iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
+ iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
 iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
 iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True