Use Keystone v3 API for user creation
This includes requiring a domain when creating a user. This will allow us to control where users are created in a later patch. Adding the token to the user creation call is required because of a bad interaction between OpenStackClient, os-client-config and keystoneclient when dealing with v2 authentication but v3 API calls. It will be cleaned up when we switch to v3 credentials. Change-Id: I6ef50fd384d423bc0f13ee1016a8bdbb0650ecd9 Implements: bp keystonev3
parent
b632c9ef81
commit
9d7e776b70
@ -675,9 +675,8 @@ function get_or_create_domain {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Gets or creates group
|
# Gets or creates group
|
||||||
# Usage: get_or_create_group <groupname> [<domain> <description>]
|
# Usage: get_or_create_group <groupname> <domain> [<description>]
|
||||||
function get_or_create_group {
|
function get_or_create_group {
|
||||||
local domain=${2:+--domain ${2}}
|
|
||||||
local desc="${3:-}"
|
local desc="${3:-}"
|
||||||
local os_url="$KEYSTONE_SERVICE_URI_V3"
|
local os_url="$KEYSTONE_SERVICE_URI_V3"
|
||||||
# Gets group id
|
# Gets group id
|
||||||
@ -685,34 +684,30 @@ function get_or_create_group {
|
|||||||
# Creates new group with --or-show
|
# Creates new group with --or-show
|
||||||
openstack --os-token=$OS_TOKEN --os-url=$os_url \
|
openstack --os-token=$OS_TOKEN --os-url=$os_url \
|
||||||
--os-identity-api-version=3 group create $1 \
|
--os-identity-api-version=3 group create $1 \
|
||||||
$domain --description "$desc" --or-show \
|
--domain $2 --description "$desc" --or-show \
|
||||||
-f value -c id
|
-f value -c id
|
||||||
)
|
)
|
||||||
echo $group_id
|
echo $group_id
|
||||||
}
|
}
|
||||||
|
|
||||||
# Gets or creates user
|
# Gets or creates user
|
||||||
# Usage: get_or_create_user <username> <password> [<email> [<domain>]]
|
# Usage: get_or_create_user <username> <password> <domain> [<email>]
|
||||||
function get_or_create_user {
|
function get_or_create_user {
|
||||||
if [[ ! -z "$3" ]]; then
|
if [[ ! -z "$4" ]]; then
|
||||||
local email="--email=$3"
|
local email="--email=$4"
|
||||||
else
|
else
|
||||||
local email=""
|
local email=""
|
||||||
fi
|
fi
|
||||||
local os_cmd="openstack"
|
|
||||||
local domain=""
|
|
||||||
if [[ ! -z "$4" ]]; then
|
|
||||||
domain="--domain=$4"
|
|
||||||
os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3"
|
|
||||||
fi
|
|
||||||
# Gets user id
|
# Gets user id
|
||||||
local user_id=$(
|
local user_id=$(
|
||||||
# Creates new user with --or-show
|
# Creates new user with --or-show
|
||||||
$os_cmd user create \
|
openstack user create \
|
||||||
$1 \
|
$1 \
|
||||||
--password "$2" \
|
--password "$2" \
|
||||||
|
--os-url=$KEYSTONE_SERVICE_URI_V3 \
|
||||||
|
--os-identity-api-version=3 \
|
||||||
|
--domain=$3 \
|
||||||
$email \
|
$email \
|
||||||
$domain \
|
|
||||||
--or-show \
|
--or-show \
|
||||||
-f value -c id
|
-f value -c id
|
||||||
)
|
)
|
||||||
|
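Review bot: Neither get_or_create_group nor get_or_create_user checks the domain argument that the new usage lines make mandatory, and both expand it unquoted (`--domain $2`, `--domain=$3`). With an empty or missing value the group call leaves `--domain` without its own argument and the user call sends `--domain=`; a caller still using the old `<username> <password> <email>` order would pass the e-mail address as the domain, and how the client reacts in each case is not visible here. I would quote the expansions (`--domain "$2"`, `--domain="$3"`) and fail early at the top of each function, e.g. `[[ -n "$3" ]] || die $LINENO "get_or_create_user: domain is required"`. get_or_create_user's body continues past the end of the hunk.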
@ -254,7 +254,7 @@ function create_glance_accounts {
|
|||||||
if is_service_enabled s-proxy; then
|
if is_service_enabled s-proxy; then
|
||||||
|
|
||||||
local glance_swift_user=$(get_or_create_user "glance-swift" \
|
local glance_swift_user=$(get_or_create_user "glance-swift" \
|
||||||
"$SERVICE_PASSWORD" "glance-swift@example.com")
|
"$SERVICE_PASSWORD" "default" "glance-swift@example.com")
|
||||||
get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
|
get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -358,7 +358,7 @@ function create_keystone_accounts {
|
|||||||
|
|
||||||
# admin
|
# admin
|
||||||
local admin_tenant=$(get_or_create_project "admin" default)
|
local admin_tenant=$(get_or_create_project "admin" default)
|
||||||
local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD")
|
local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD" default)
|
||||||
local admin_role=$(get_or_create_role "admin")
|
local admin_role=$(get_or_create_role "admin")
|
||||||
get_or_add_user_project_role $admin_role $admin_user $admin_tenant
|
get_or_add_user_project_role $admin_role $admin_user $admin_tenant
|
||||||
|
|
||||||
@ -387,7 +387,7 @@ function create_keystone_accounts {
|
|||||||
# demo
|
# demo
|
||||||
local demo_tenant=$(get_or_create_project "demo" default)
|
local demo_tenant=$(get_or_create_project "demo" default)
|
||||||
local demo_user=$(get_or_create_user "demo" \
|
local demo_user=$(get_or_create_user "demo" \
|
||||||
"$ADMIN_PASSWORD" "demo@example.com")
|
"$ADMIN_PASSWORD" "default" "demo@example.com")
|
||||||
|
|
||||||
get_or_add_user_project_role $member_role $demo_user $demo_tenant
|
get_or_add_user_project_role $member_role $demo_user $demo_tenant
|
||||||
get_or_add_user_project_role $admin_role $admin_user $demo_tenant
|
get_or_add_user_project_role $admin_role $admin_user $demo_tenant
|
||||||
@ -426,7 +426,7 @@ function create_keystone_accounts {
|
|||||||
function create_service_user {
|
function create_service_user {
|
||||||
local role=${2:-service}
|
local role=${2:-service}
|
||||||
|
|
||||||
local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")
|
local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
|
||||||
get_or_add_user_project_role "$role" "$user" "$SERVICE_TENANT_NAME"
|
get_or_add_user_project_role "$role" "$user" "$SERVICE_TENANT_NAME"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
12
lib/swift
12
lib/swift
@ -618,18 +618,21 @@ function create_swift_accounts {
|
|||||||
|
|
||||||
local swift_tenant_test1=$(get_or_create_project swifttenanttest1 default)
|
local swift_tenant_test1=$(get_or_create_project swifttenanttest1 default)
|
||||||
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
|
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
|
||||||
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
|
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \
|
||||||
|
"default" "test@example.com")
|
||||||
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
|
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
|
||||||
get_or_add_user_project_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
|
get_or_add_user_project_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
|
||||||
|
|
||||||
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
|
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \
|
||||||
|
"default" "test3@example.com")
|
||||||
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
|
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
|
||||||
get_or_add_user_project_role $another_role $swift_user_test3 $swift_tenant_test1
|
get_or_add_user_project_role $another_role $swift_user_test3 $swift_tenant_test1
|
||||||
|
|
||||||
local swift_tenant_test2=$(get_or_create_project swifttenanttest2 default)
|
local swift_tenant_test2=$(get_or_create_project swifttenanttest2 default)
|
||||||
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
|
die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
|
||||||
|
|
||||||
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
|
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \
|
||||||
|
"default" "test2@example.com")
|
||||||
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
|
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
|
||||||
get_or_add_user_project_role admin $swift_user_test2 $swift_tenant_test2
|
get_or_add_user_project_role admin $swift_user_test2 $swift_tenant_test2
|
||||||
|
|
||||||
@ -639,7 +642,8 @@ function create_swift_accounts {
|
|||||||
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
|
local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
|
||||||
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
|
die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
|
||||||
|
|
||||||
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
|
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \
|
||||||
|
$swift_domain "test4@example.com")
|
||||||
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
|
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
|
||||||
get_or_add_user_project_role admin $swift_user_test4 $swift_tenant_test4
|
get_or_add_user_project_role admin $swift_user_test4 $swift_tenant_test4
|
||||||
}
|
}
|
||||||
|
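Review bot: The password arguments in create_swift_accounts are still expanded unquoted (`$swiftusertest1_password`, and the same for test2, test3 and test4), as is `$swift_domain`, and that matters more now that the domain is the third positional argument. An empty or whitespace-containing value shifts every later argument, so `"default"` could be taken as the password and the e-mail address as the domain, creating the account with credentials or in a domain nobody intended. Quoting closes this: `"$swiftusertest1_password" \` on the first line of each call and `"$swift_domain" "test4@example.com")` on the last. Where these variables are assigned is outside the hunks, so whether they can actually be empty is not visible here.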
@ -547,7 +547,7 @@ function create_tempest_accounts {
|
|||||||
# Tempest has some tests that validate various authorization checks
|
# Tempest has some tests that validate various authorization checks
|
||||||
# between two regular users in separate tenants
|
# between two regular users in separate tenants
|
||||||
get_or_create_project alt_demo default
|
get_or_create_project alt_demo default
|
||||||
get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com"
|
get_or_create_user alt_demo "$ADMIN_PASSWORD" "default" "alt_demo@example.com"
|
||||||
get_or_add_user_project_role Member alt_demo alt_demo
|
get_or_add_user_project_role Member alt_demo alt_demo
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
3
stack.sh
3
stack.sh
@ -1006,6 +1006,9 @@ if is_service_enabled keystone; then
|
|||||||
# Begone token auth
|
# Begone token auth
|
||||||
unset OS_TOKEN OS_URL
|
unset OS_TOKEN OS_URL
|
||||||
|
|
||||||
|
# force set to use v2 identity authentication even with v3 commands
|
||||||
|
export OS_AUTH_TYPE=v2password
|
||||||
|
|
||||||
# Set up password auth credentials now that Keystone is bootstrapped
|
# Set up password auth credentials now that Keystone is bootstrapped
|
||||||
export OS_AUTH_URL=$SERVICE_ENDPOINT
|
export OS_AUTH_URL=$SERVICE_ENDPOINT
|
||||||
export OS_TENANT_NAME=admin
|
export OS_TENANT_NAME=admin
|
||||||
|
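Review bot: The new `export OS_AUTH_TYPE=v2password` applies to every command stack.sh runs after this point, not only to the v3 user-creation calls, and the comment above it does not say the setting is temporary. The commit description states it will be cleaned up when v3 credentials are used, so the code should carry that too, for example `# TODO(keystonev3): temporary, remove once stack.sh exports v3 credentials; v2 password auth is not domain-aware`. Whether later services or plugins inherit and depend on this variable is not visible in the hunk, so it is worth checking before it becomes a fixture.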