Use service role with glance service

glance just used to admin role for token validation,
the service role is sufficient for this.

glance also needs an user with enough permission to use swift,
so creating a dedictated service user for swift usage when s-proxy is
enabled.

Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
This commit is contained in:
Attila Fazekas 2014-01-21 11:13:55 +01:00
parent 78ab80e558
commit 85a85f87f8
2 changed files with 20 additions and 6 deletions

View File

@ -2,12 +2,14 @@
# #
# Initial data for Keystone using python-keystoneclient # Initial data for Keystone using python-keystoneclient
# #
# Tenant User Roles # Tenant User Roles
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# service glance admin # service glance service
# service heat service # if enabled # service glance-swift ResellerAdmin
# service heat service # if enabled
# service ceilometer admin # if enabled
# Tempest Only: # Tempest Only:
# alt_demo alt_demo Member # alt_demo alt_demo Member
# #
# Variables set before calling this script: # Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf # SERVICE_TOKEN - aka admin_token in keystone.conf
@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
keystone user-role-add \ keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \ --tenant $SERVICE_TENANT_NAME \
--user glance \ --user glance \
--role admin --role service
# required for swift access
if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
keystone user-create \
--name=glance-swift \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=glance-swift@example.com
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance-swift \
--role ResellerAdmin
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \ keystone service-create \
--name=glance \ --name=glance \

View File

@ -124,7 +124,7 @@ function configure_glance() {
if is_service_enabled s-proxy; then if is_service_enabled s-proxy; then
iniset $GLANCE_API_CONF DEFAULT default_store swift iniset $GLANCE_API_CONF DEFAULT default_store swift
iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True