Move keystone account creation out of keystone_data.sh

keystone_data.sh is getting unwieldy and increasingly needs
configuration information for services.  Also need the ability
to manipulate HOST/IP information for hosts to handle service
HA/proxy configurations.

Begin moving the creation of service account information into
the service lib files, starting with the common accounts and
keystone itself.

Change-Id: Ie259f7b71983c4f4a2e33ab9c8a8e2b00238ba38
Dean Troyer 2012-11-29 17:11:35 -06:00
parent 22d6799d73
commit d835de892a
3 changed files with 112 additions and 68 deletions


@ -4,7 +4,6 @@
#
# Tenant User Roles
# ------------------------------------------------------------------
# admin admin admin
# service glance admin
# service nova admin, [ResellerAdmin (swift only)]
# service quantum admin # if enabled
@ -12,9 +11,6 @@
# service cinder admin # if enabled
# service heat admin # if enabled
# service ceilometer admin # if enabled
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Tempest Only:
# alt_demo alt_demo Member
#
@ -40,53 +36,14 @@ function get_id () {
echo `"$@" | awk '/ id / { print $4 }'`
}
# Tenants
# -------
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
# Users
# -----
ADMIN_USER=$(get_id keystone user-create --name=admin \
--pass="$ADMIN_PASSWORD" \
--email=admin@example.com)
DEMO_USER=$(get_id keystone user-create --name=demo \
--pass="$ADMIN_PASSWORD" \
--email=demo@example.com)
# Lookups
SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
# Roles
# -----
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
# Add Roles to Users in Tenants
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
# TODO(termie): these two might be dubious
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
@ -96,20 +53,6 @@ RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
# Services
# --------
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
KEYSTONE_SERVICE=$(get_id keystone service-create \
--name=keystone \
--type=identity \
--description="Keystone Identity Service")
keystone endpoint-create \
--region RegionOne \
--service_id $KEYSTONE_SERVICE \
--publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
--adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
--internalurl "http://$SERVICE_HOST:\$(public_port)s/v2.0"
fi
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
NOVA_USER=$(get_id keystone user-create \
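Review bot: The new lookups in the `-40,53` hunk splice a shell variable into an awk regex, `awk "/ $SERVICE_TENANT_NAME / { print \$2 }"`, so any regex metacharacter in `SERVICE_TENANT_NAME` changes the match and a name that is a substring of another tenant's name can leave two ids in the variable. Passing the value in with `-v` and comparing the name field exactly avoids both, e.g. `awk -v name="$SERVICE_TENANT_NAME" '$4 == name { print $2 }'` (the name appears to be the fourth whitespace-separated field of the table output, consistent with the `print \$2` already used for the id). The `ADMIN_ROLE` lookup on the following line has the same shape and would benefit from the same change. The hunk after it is cut off at the `NOVA_USER` continuation line, so the remainder of that block was not reviewed.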


@ -15,6 +15,7 @@
# configure_keystone
# init_keystone
# start_keystone
# create_keystone_accounts
# stop_keystone
# cleanup_keystone
@ -45,7 +46,6 @@ KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
# Set Keystone interface configuration
KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
@ -144,6 +144,100 @@ function configure_keystone() {
}
# create_keystone_accounts() - Sets up common required keystone accounts
# Tenant User Roles
# ------------------------------------------------------------------
# service -- --
# -- -- Member
# admin admin admin
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Migrated from keystone_data.sh
create_keystone_accounts() {
# admin
ADMIN_TENANT=$(keystone tenant-create \
--name admin \
| grep " id " | get_field 2)
ADMIN_USER=$(keystone user-create \
--name admin \
--pass "$ADMIN_PASSWORD" \
--email admin@example.com \
| grep " id " | get_field 2)
ADMIN_ROLE=$(keystone role-create \
--name admin \
| grep " id " | get_field 2)
keystone user-role-add \
--user_id $ADMIN_USER \
--role_id $ADMIN_ROLE \
--tenant_id $ADMIN_TENANT
# service
SERVICE_TENANT=$(keystone tenant-create \
--name $SERVICE_TENANT_NAME \
| grep " id " | get_field 2)
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | get_field 2)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(keystone role-create --name=anotherrole | grep " id " | get_field 2)
# invisible tenant - admin can't see this one
INVIS_TENANT=$(keystone tenant-create --name=invisible_to_admin | grep " id " | get_field 2)
# demo
DEMO_TENANT=$(keystone tenant-create \
--name=demo \
| grep " id " | get_field 2)
DEMO_USER=$(keystone user-create \
--name demo \
--pass "$ADMIN_PASSWORD" \
--email demo@example.com \
| grep " id " | get_field 2)
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
KEYSTONE_SERVICE=$(keystone service-create \
--name keystone \
--type identity \
--description "Keystone Identity Service" \
| grep " id " | get_field 2)
keystone endpoint-create \
--region RegionOne \
--service_id $KEYSTONE_SERVICE \
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"
fi
# TODO(dtroyer): This is part of a series of changes...remove these when
# complete if they are really unused
# KEYSTONEADMIN_ROLE=$(keystone role-create \
# --name KeystoneAdmin \
# | grep " id " | get_field 2)
# KEYSTONESERVICE_ROLE=$(keystone role-create \
# --name KeystoneServiceAdmin \
# | grep " id " | get_field 2)
# TODO(termie): these two might be dubious
# keystone user-role-add \
# --user_id $ADMIN_USER \
# --role_id $KEYSTONEADMIN_ROLE \
# --tenant_id $ADMIN_TENANT
# keystone user-role-add \
# --user_id $ADMIN_USER \
# --role_id $KEYSTONESERVICE_ROLE \
# --tenant_id $ADMIN_TENANT
}
# init_keystone() - Initialize databases, etc.
function init_keystone() {
# (Re)create keystone database
@ -176,6 +270,11 @@ function install_keystone() {
function start_keystone() {
# Start Keystone in a screen window
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
echo "Waiting for keystone to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
echo "keystone did not start"
exit 1
fi
}
# stop_keystone() - Stop running processes
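Review bot: `create_keystone_accounts` never checks that the ids it extracts with `grep " id " | get_field 2` are non-empty, so if a create fails (for instance the tenant already exists on a re-run) the later `keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT` runs with missing arguments because the empty expansions are unquoted and the pipeline hides the failing status. Adding `: "${ADMIN_TENANT:?admin tenant was not created}"` (and the equivalent for the other ids) directly after each assignment fails loudly instead, and quoting the expansions — `--name "$SERVICE_TENANT_NAME"`, `--user_id "$ADMIN_USER"` — keeps the argument count stable. Separately, `KEYSTONE_SERVICE_PROTOCOL`, `KEYSTONE_SERVICE_HOST` and `KEYSTONE_SERVICE_PORT` are used in the endpoint-create and in the new wait loop in `start_keystone`, but no visible hunk defines them and the `-45,7` hunk only drops `KEYSTONE_API_PORT`, so it is worth confirming they are set earlier in the file. The wait loop also probes `$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT`, which mixes the auth protocol and the plain service host with the service port and does not match the public endpoint registered just above; if the intent is the HA/proxy host split described in the commit message, `$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT` seems to be the URL it should wait on.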


@ -953,15 +953,16 @@ if is_service_enabled key; then
configure_keystone
init_keystone
start_keystone
echo "Waiting for keystone to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
echo "keystone did not start"
exit 1
fi
# ``keystone_data.sh`` creates services, admin and demo users, and roles.
# Set up a temporary admin URI for Keystone
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
# Do the keystone-specific bits from keystone_data.sh
export OS_SERVICE_TOKEN=$SERVICE_TOKEN
export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT
create_keystone_accounts
# ``keystone_data.sh`` creates services, admin and demo users, and roles.
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
@ -974,6 +975,7 @@ if is_service_enabled key; then
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
fi
@ -1750,7 +1752,7 @@ fi
# If Keystone is present you can point ``nova`` cli to this server
if is_service_enabled key; then
echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/"
echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/"
echo "Examples on using novaclient command line is in exercise.sh"
echo "The default users are: admin and demo"
echo "The password: $ADMIN_PASSWORD"