Merge "Use service role instead of admin role for service users"

This commit is contained in:
Jenkins 2013-06-17 02:48:29 +00:00 committed by Gerrit Code Review
commit 9539e79bd7


@ -5,9 +5,9 @@
# Tenant User Roles # Tenant User Roles
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# service glance admin # service glance admin
# service swift admin # if enabled # service swift service # if enabled
# service heat admin # if enabled # service heat service # if enabled
# service ceilometer admin # if enabled # service ceilometer service # if enabled
# Tempest Only: # Tempest Only:
# alt_demo alt_demo Member # alt_demo alt_demo Member
# #
@ -47,6 +47,8 @@ MEMBER_ROLE=$(keystone role-list | awk "/ Member / { print \$2 }")
# but ResellerAdmin is needed for a user to act as any tenant. The name of this # but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf # role is also configurable in swift-proxy.conf
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
# Service role, so service users do not have to be admins
SERVICE_ROLE=$(get_id keystone role-create --name=service)
# Services # Services
@ -70,7 +72,7 @@ if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
--email=heat@example.com) --email=heat@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \ keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $HEAT_USER \ --user_id $HEAT_USER \
--role_id $ADMIN_ROLE --role_id $SERVICE_ROLE
# heat_stack_user role is for users created by Heat # heat_stack_user role is for users created by Heat
keystone role-create --name heat_stack_user keystone role-create --name heat_stack_user
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@ -133,7 +135,7 @@ if [[ "$ENABLED_SERVICES" =~ "swift" || "$ENABLED_SERVICES" =~ "s-proxy" ]]; the
keystone user-role-add \ keystone user-role-add \
--tenant_id $SERVICE_TENANT \ --tenant_id $SERVICE_TENANT \
--user_id $SWIFT_USER \ --user_id $SWIFT_USER \
--role_id $ADMIN_ROLE --role_id $SERVICE_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
SWIFT_SERVICE=$(get_id keystone service-create \ SWIFT_SERVICE=$(get_id keystone service-create \
--name=swift \ --name=swift \
@ -155,7 +157,7 @@ if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
--email=ceilometer@example.com) --email=ceilometer@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \ keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \ --user_id $CEILOMETER_USER \
--role_id $ADMIN_ROLE --role_id $SERVICE_ROLE
# Ceilometer needs ResellerAdmin role to access swift account stats. # Ceilometer needs ResellerAdmin role to access swift account stats.
keystone user-role-add --tenant_id $SERVICE_TENANT \ keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \ --user_id $CEILOMETER_USER \
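Review bot: In the second hunk, `SERVICE_ROLE=$(get_id keystone role-create --name=service)` is never checked for an empty result, and the three `--role_id $SERVICE_ROLE` lines in the later hunks are unquoted, so if role-create fails (for instance on a rerun where the role already exists) the variable is presumably empty and `--role_id` is passed with no value, leaving the swift, heat and ceilometer users with no role rather than failing loudly. Adding `: "${SERVICE_ROLE:?service role was not created}"` right after the assignment turns that into an immediate error; the existing `$ADMIN_ROLE` and `$RESELLER_ROLE` lines share the pattern but are outside this change. Separately, the role table in the first hunk still lists glance with `admin` while the other three service users move to `service`; if that is deliberate, a comment such as `# glance intentionally keeps admin: <reason>` would keep the next reader from "fixing" it. Nothing on this page shows the services' policy files accepting the new `service` role, so the reduced privilege should be confirmed against those policies before it is relied on.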