Isolate creating service users

The code for creating service users is almost exactly the same. Abstract
this into a function that can be reused and standardized.

Change-Id: I3a4edbff0a928da7ef9b0097a5a8d508fdfab7ff

extras.d/70-tuskar.sh

@@ -176,12 +176,8 @@ function stop_tuskar {
 
 # create_tuskar_accounts() - Set up common required tuskar accounts
 function create_tuskar_accounts {
-    # migrated from files/keystone_data.sh
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
 
-    local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
-    get_or_add_user_role $admin_role $tuskar_user $service_tenant
+    create_service_user "tuskar" "admin"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/ceilometer

@@ -105,13 +105,10 @@ function is_ceilometer_enabled {
 # SERVICE_TENANT_NAME  ceilometer   ResellerAdmin (if Swift is enabled)
 function create_ceilometer_accounts {
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
     # Ceilometer
     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
-        local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
-        get_or_add_user_role $admin_role $ceilometer_user $service_tenant
+
+        create_service_user "ceilometer" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
             local ceilometer_service=$(get_or_create_service "ceilometer" \

lib/cinder

@@ -330,14 +330,10 @@ function configure_cinder {
 # Migrated from keystone_data.sh
 function create_cinder_accounts {
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
     # Cinder
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
 
-        local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
-        get_or_add_user_role $admin_role $cinder_user $service_tenant
+        create_service_user "cinder" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/glance

@@ -232,8 +232,7 @@ function configure_glance {
 function create_glance_accounts {
     if is_service_enabled g-api; then
 
-        local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
-        get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
+        create_service_user "glance"
 
         # required for swift access
         if is_service_enabled s-proxy; then

lib/heat

@@ -246,12 +246,7 @@ function stop_heat {
 
 # create_heat_accounts() - Set up common required heat accounts
 function create_heat_accounts {
-    # migrated from files/keystone_data.sh
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
-    local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
-    get_or_add_user_role $admin_role $heat_user $service_tenant
+    create_service_user "heat" "admin"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/ironic

@@ -358,15 +358,11 @@ function create_ironic_cache_dir {
 # service              ironic     admin        # if enabled
 function create_ironic_accounts {
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
     # Ironic
     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
         # Get ironic user if exists
 
-        local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
-        get_or_add_user_role $admin_role $ironic_user $service_tenant
+        create_service_user "ironic" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/keystone

@@ -414,6 +414,20 @@ function create_keystone_accounts {
     fi
 }
 
+# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
+#
+# create_service_user <name> [role]
+#
+# The role defaults to the service role. It is allowed to be provided as optional as historically
+# a lot of projects have configured themselves with the admin or other role here if they are
+# using this user for other purposes beyond simply auth_token middleware.
+function create_service_user {
+    local role=${2:-service}
+
+    local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")
+    get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"
+}
+
 # Configure the service to use the auth token middleware.
 #
 # configure_auth_token_middleware conf_file admin_user signing_dir [section]

lib/neutron

@@ -507,14 +507,9 @@ function create_neutron_cache_dir {
 
 # Migrated from keystone_data.sh
 function create_neutron_accounts {
-
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local service_role=$(openstack role list | awk "/ service / { print \$2 }")
-
     if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
 
-        local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
-        get_or_add_user_role $service_role $neutron_user $service_tenant
+        create_service_user "neutron"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/nova

@@ -353,14 +353,10 @@ function configure_nova {
 # SERVICE_TENANT_NAME  nova         ResellerAdmin (if Swift is enabled)
 function create_nova_accounts {
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
     # Nova
     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 
-        local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
-        get_or_add_user_role $admin_role $nova_user $service_tenant
+        create_service_user "nova" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/sahara

@@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara
 # service     sahara    admin
 function create_sahara_accounts {
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
-    local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
-    get_or_add_user_role $admin_role $sahara_user $service_tenant
+    create_service_user "sahara" "admin"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/swift

@@ -601,12 +601,9 @@ function create_swift_accounts {
 
     KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
 
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
 
-    local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
-    get_or_add_user_role $admin_role $swift_user $service_tenant
+    create_service_user "swift" "admin"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
@@ -623,7 +620,7 @@ function create_swift_accounts {
     die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
     SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
     die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
-    get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
+    get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
 
     local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
     die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
@@ -634,7 +631,7 @@ function create_swift_accounts {
 
     local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
     die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
-    get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
+    get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2
 
     local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing')
     die_if_not_set $LINENO swift_domain "Failure creating swift_test domain"
@@ -644,7 +641,7 @@ function create_swift_accounts {
 
     local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
     die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
-    get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
+    get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4
 }
 
 # init_swift() - Initialize rings

lib/trove

@@ -79,13 +79,9 @@ function setup_trove_logging {
 # service              trove     admin        # if enabled
 
 function create_trove_accounts {
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local service_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
 
-        local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
-        get_or_add_user_role $service_role $trove_user $service_tenant
+        create_service_user "trove" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

lib/zaqar

@@ -215,11 +215,7 @@ function stop_zaqar {
 }
 
 function create_zaqar_accounts {
-    local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
-
-    local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
-    get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
+    create_service_user "zaqar" "admin"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then