From 85ff5323ff95106eb18c1c6bfd71d75f3980c370 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Wed, 28 Jan 2015 14:28:01 +1000 Subject: [PATCH] Isolate creating service users The code for creating service users is almost exactly the same. Abstract this into a function that can be reused and standardized. Change-Id: I3a4edbff0a928da7ef9b0097a5a8d508fdfab7ff --- extras.d/70-tuskar.sh | 6 +----- lib/ceilometer | 7 ++----- lib/cinder | 6 +----- lib/glance | 3 +-- lib/heat | 7 +------ lib/ironic | 6 +----- lib/keystone | 14 ++++++++++++++ lib/neutron | 7 +------ lib/nova | 6 +----- lib/sahara | 6 +----- lib/swift | 11 ++++------- lib/trove | 6 +----- lib/zaqar | 6 +----- 13 files changed, 30 insertions(+), 61 deletions(-) diff --git a/extras.d/70-tuskar.sh b/extras.d/70-tuskar.sh index 551916f35a..aa8f46af11 100644 --- a/extras.d/70-tuskar.sh +++ b/extras.d/70-tuskar.sh @@ -176,12 +176,8 @@ function stop_tuskar { # create_tuskar_accounts() - Set up common required tuskar accounts function create_tuskar_accounts { - # migrated from files/keystone_data.sh - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $tuskar_user $service_tenant + create_service_user "tuskar" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/ceilometer b/lib/ceilometer index f1617fb9e4..f03bab21fc 100644 --- a/lib/ceilometer +++ b/lib/ceilometer 
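Review bot: `create_service_user "tuskar" "admin"` in create_tuskar_accounts (extras.d/70-tuskar.sh) still grants the admin role on the service tenant, although the helper added in lib/keystone defaults to `service` and its own comment describes admin as a historical choice for users that do more than token validation. The same explicit `"admin"` argument is passed in the lib/ceilometer, lib/cinder, lib/heat, lib/ironic, lib/nova, lib/sahara, lib/swift, lib/trove and lib/zaqar hunks. Now that the role is a visible argument, each call would benefit from a short comment naming what needs admin, for example `# admin kept for compatibility; per create_service_user, auth_token use alone needs only the service role`, so these accounts can be narrowed later. create_tuskar_accounts continues past the end of this hunk.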
@@ -105,13 +105,10 @@ function is_ceilometer_enabled { # SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled) function create_ceilometer_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - # Ceilometer if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then - local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $ceilometer_user $service_tenant + + create_service_user "ceilometer" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then local ceilometer_service=$(get_or_create_service "ceilometer" \ diff --git a/lib/cinder b/lib/cinder index 937689a528..12ba51e49b 100644 --- a/lib/cinder +++ b/lib/cinder @@ -330,14 +330,10 @@ function configure_cinder { # Migrated from keystone_data.sh function create_cinder_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - # Cinder if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then - local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $cinder_user $service_tenant + create_service_user "cinder" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/glance b/lib/glance index bee57a3100..0340c21ee0 100644 --- a/lib/glance +++ b/lib/glance @@ -232,8 +232,7 @@ function configure_glance { function create_glance_accounts { if is_service_enabled g-api; then - local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD") - get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME + create_service_user "glance" # required for swift access if is_service_enabled s-proxy; then diff --git a/lib/heat b/lib/heat index 58439d67f8..1a57474122 100644 --- a/lib/heat +++ b/lib/heat 
@@ -246,12 +246,7 @@ function stop_heat { # create_heat_accounts() - Set up common required heat accounts function create_heat_accounts { - # migrated from files/keystone_data.sh - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - - local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $heat_user $service_tenant + create_service_user "heat" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/ironic b/lib/ironic index fced2949f4..921bcf1a26 100644 --- a/lib/ironic +++ b/lib/ironic @@ -358,15 +358,11 @@ function create_ironic_cache_dir { # service ironic admin # if enabled function create_ironic_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - # Ironic if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then # Get ironic user if exists - local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $ironic_user $service_tenant + create_service_user "ironic" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/keystone b/lib/keystone index d5ccc2f075..8ec4d61862 100644 --- a/lib/keystone +++ b/lib/keystone 
@@ -414,6 +414,20 @@ function create_keystone_accounts { fi } +# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. +# +# create_service_user [role] +# +# The role defaults to the service role. It is allowed to be provided as optional as historically +# a lot of projects have configured themselves with the admin or other role here if they are +# using this user for other purposes beyond simply auth_token middleware. +function create_service_user { + local role=${2:-service} + + local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD") + get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME" +} + # Configure the service to use the auth token middleware. # # configure_auth_token_middleware conf_file admin_user signing_dir [section] diff --git a/lib/neutron b/lib/neutron index 2c7ec94ad0..0ff8813e3e 100755 --- a/lib/neutron +++ b/lib/neutron @@ -507,14 +507,9 @@ function create_neutron_cache_dir { # Migrated from keystone_data.sh function create_neutron_accounts { - - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local service_role=$(openstack role list | awk "/ service / { print \$2 }") - if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then - local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD") - get_or_add_user_role $service_role $neutron_user $service_tenant + create_service_user "neutron" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/nova b/lib/nova index 0f4729fb63..c760066f15 100644 --- a/lib/nova +++ b/lib/nova 
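Review bot: create_service_user never checks that the user was actually created: `local user=$(get_or_create_user ...)` hides the command's exit status behind `local`, so on failure get_or_add_user_role would run with an empty user argument. The swift code touched by this same patch guards such calls, and the helper could do likewise with `die_if_not_set $LINENO user "Failure creating service user $1"` before the role assignment. The usage line as shown, `create_service_user [role]`, omits the required first argument (the user name read from `$1`) and should read something like `create_service_user name [role]`. Every account made through this helper also shares `$SERVICE_PASSWORD`, which is worth stating in the header comment so readers do not assume per-service credentials.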
@@ -353,14 +353,10 @@ function configure_nova { # SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled) function create_nova_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - # Nova if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then - local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $nova_user $service_tenant + create_service_user "nova" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/sahara b/lib/sahara index 44c06d3c46..cb6ecc3be3 100644 --- a/lib/sahara +++ b/lib/sahara @@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara # service sahara admin function create_sahara_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - - local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $sahara_user $service_tenant + create_service_user "sahara" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/swift b/lib/swift index 683bc17871..d9f750c27f 100644 --- a/lib/swift +++ b/lib/swift @@ -601,12 +601,9 @@ function create_swift_accounts { KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }") - local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD") - get_or_add_user_role $admin_role $swift_user $service_tenant + create_service_user "swift" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then 
@@ -623,7 +620,7 @@ function create_swift_accounts { die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1" SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com") die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1" - get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1 + get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1 local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com") die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3" @@ -634,7 +631,7 @@ function create_swift_accounts { local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com") die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2" - get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2 + get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2 local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing') die_if_not_set $LINENO swift_domain "Failure creating swift_test domain" @@ -644,7 +641,7 @@ function create_swift_accounts { local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain) die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4" - get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4 + get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4 } # init_swift() - Initialize rings diff --git a/lib/trove b/lib/trove index 5e6b1b39c3..d32c7765e0 100644 --- a/lib/trove +++ b/lib/trove 
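Review bot: The three rewritten `get_or_add_user_role admin ...` calls (hunks at -623, -634 and -644) now depend on get_or_add_user_role resolving the role name `admin` itself, where the removed `$admin_role` lookup supplied an ID. That function is not part of this diff. The old lib/glance line already passed `service` by name, so name lookup is presumably supported, but this is worth confirming for swiftusertest4, which is created in the separate `swift_test` domain. Since these lines are being touched anyway, quoting the remaining arguments as the new helper does would keep them consistent, e.g. `get_or_add_user_role admin "$SWIFT_USER_TEST1" "$swift_tenant_test1"`. create_swift_accounts begins before these hunks.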
@@ -79,13 +79,9 @@ function setup_trove_logging { # service trove admin # if enabled function create_trove_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - local service_role=$(openstack role list | awk "/ admin / { print \$2 }") - if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then - local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD") - get_or_add_user_role $service_role $trove_user $service_tenant + create_service_user "trove" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/zaqar b/lib/zaqar index 618ac30534..8b560bb4d5 100644 --- a/lib/zaqar +++ b/lib/zaqar @@ -215,11 +215,7 @@ function stop_zaqar { } function create_zaqar_accounts { - local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") - ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }") - - local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD") - get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant + create_service_user "zaqar" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then