Use service role with glance service
glance only used the admin role for token validation; the service role is sufficient for this. glance also needs a user with enough permissions to use swift, so this creates a dedicated service user for swift usage when s-proxy is enabled. Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
parent
78ab80e558
commit
85a85f87f8
@ -2,12 +2,14 @@
|
|||||||
#
|
#
|
||||||
# Initial data for Keystone using python-keystoneclient
|
# Initial data for Keystone using python-keystoneclient
|
||||||
#
|
#
|
||||||
# Tenant User Roles
|
# Tenant User Roles
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# service glance admin
|
# service glance service
|
||||||
# service heat service # if enabled
|
# service glance-swift ResellerAdmin
|
||||||
|
# service heat service # if enabled
|
||||||
|
# service ceilometer admin # if enabled
|
||||||
# Tempest Only:
|
# Tempest Only:
|
||||||
# alt_demo alt_demo Member
|
# alt_demo alt_demo Member
|
||||||
#
|
#
|
||||||
# Variables set before calling this script:
|
# Variables set before calling this script:
|
||||||
# SERVICE_TOKEN - aka admin_token in keystone.conf
|
# SERVICE_TOKEN - aka admin_token in keystone.conf
|
||||||
@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
|
|||||||
keystone user-role-add \
|
keystone user-role-add \
|
||||||
--tenant $SERVICE_TENANT_NAME \
|
--tenant $SERVICE_TENANT_NAME \
|
||||||
--user glance \
|
--user glance \
|
||||||
--role admin
|
--role service
|
||||||
|
# required for swift access
|
||||||
|
if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
|
||||||
|
keystone user-create \
|
||||||
|
--name=glance-swift \
|
||||||
|
--pass="$SERVICE_PASSWORD" \
|
||||||
|
--tenant $SERVICE_TENANT_NAME \
|
||||||
|
--email=glance-swift@example.com
|
||||||
|
keystone user-role-add \
|
||||||
|
--tenant $SERVICE_TENANT_NAME \
|
||||||
|
--user glance-swift \
|
||||||
|
--role ResellerAdmin
|
||||||
|
fi
|
||||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||||
keystone service-create \
|
keystone service-create \
|
||||||
--name=glance \
|
--name=glance \
|
||||||
|
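Review bot: The new `glance-swift` user is granted `ResellerAdmin`, which in Swift's Keystone integration is the role allowed to operate on every account rather than only the service tenant's, so the privilege removed from `glance` (admin → service) reappears in a different form on the storage side. If glance only needs to write images into its own account, a Swift operator role scoped to `$SERVICE_TENANT_NAME` would be narrower; if the wide role really is required, say why next to it, e.g. `# ResellerAdmin grants access to all Swift accounts; needed because <reason>`. The account also reuses `$SERVICE_PASSWORD`, so any leaked service credential carries that role with it. Separately, `--tenant $SERVICE_TENANT_NAME` is unquoted in both added commands while `--pass="$SERVICE_PASSWORD"` is quoted; `--tenant "$SERVICE_TENANT_NAME"` would be consistent. The enclosing `g-api` block starts and ends outside the hunk.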
@ -124,7 +124,7 @@ function configure_glance() {
|
|||||||
if is_service_enabled s-proxy; then
|
if is_service_enabled s-proxy; then
|
||||||
iniset $GLANCE_API_CONF DEFAULT default_store swift
|
iniset $GLANCE_API_CONF DEFAULT default_store swift
|
||||||
iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
|
iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
|
||||||
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
|
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
|
||||||
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
|
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
|
||||||
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True
|
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True
|
||||||
|
|
||||||
|
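Review bot: `swift_store_user` now names an account that exists only if the `[[ "$ENABLED_SERVICES" =~ "s-proxy" ]]` branch of the Keystone data script ran, whereas this block is gated by `is_service_enabled s-proxy`. If those two predicates can ever disagree, glance is left configured with a user that was never created, so both places should use the same check. On the next line, `swift_store_key $SERVICE_PASSWORD` is unquoted and a password containing whitespace or glob characters would be split before `iniset` sees it; `iniset $GLANCE_API_CONF DEFAULT swift_store_key "$SERVICE_PASSWORD"` avoids that. Because the stored key now belongs to a `ResellerAdmin` account, it is worth confirming that `$GLANCE_API_CONF` is not world-readable. `configure_glance` continues outside the hunk.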