Move keystone account creation out of keystone_data.sh
keystone_data.sh is getting unwieldy and increasingly needs configuration information for services. Also need the ability to manipulate HOST/IP information for hosts to handle service HA/proxy configurations. Begin moving the creation of service account information into the service lib files, starting with the common accounts and keystone itself. Change-Id: Ie259f7b71983c4f4a2e33ab9c8a8e2b00238ba38
This commit is contained in:
parent
22d6799d73
commit
d835de892a
@ -4,7 +4,6 @@
|
||||
#
|
||||
# Tenant User Roles
|
||||
# ------------------------------------------------------------------
|
||||
# admin admin admin
|
||||
# service glance admin
|
||||
# service nova admin, [ResellerAdmin (swift only)]
|
||||
# service quantum admin # if enabled
|
||||
@ -12,9 +11,6 @@
|
||||
# service cinder admin # if enabled
|
||||
# service heat admin # if enabled
|
||||
# service ceilometer admin # if enabled
|
||||
# demo admin admin
|
||||
# demo demo Member, anotherrole
|
||||
# invisible_to_admin demo Member
|
||||
# Tempest Only:
|
||||
# alt_demo alt_demo Member
|
||||
#
|
||||
@ -40,53 +36,14 @@ function get_id () {
|
||||
echo `"$@" | awk '/ id / { print $4 }'`
|
||||
}
|
||||
|
||||
|
||||
# Tenants
|
||||
# -------
|
||||
|
||||
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
|
||||
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
|
||||
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
|
||||
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
|
||||
|
||||
|
||||
# Users
|
||||
# -----
|
||||
|
||||
ADMIN_USER=$(get_id keystone user-create --name=admin \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=admin@example.com)
|
||||
DEMO_USER=$(get_id keystone user-create --name=demo \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=demo@example.com)
|
||||
# Lookups
|
||||
SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
|
||||
|
||||
|
||||
# Roles
|
||||
# -----
|
||||
|
||||
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
|
||||
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
|
||||
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
|
||||
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
|
||||
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
|
||||
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
|
||||
|
||||
|
||||
# Add Roles to Users in Tenants
|
||||
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
|
||||
|
||||
# TODO(termie): these two might be dubious
|
||||
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
|
||||
|
||||
|
||||
# The Member role is used by Horizon and Swift so we need to keep it:
|
||||
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
|
||||
|
||||
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
|
||||
# The admin role in swift allows a user to act as an admin for their tenant,
|
||||
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
|
||||
@ -96,20 +53,6 @@ RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
|
||||
# Services
|
||||
# --------
|
||||
|
||||
# Keystone
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
KEYSTONE_SERVICE=$(get_id keystone service-create \
|
||||
--name=keystone \
|
||||
--type=identity \
|
||||
--description="Keystone Identity Service")
|
||||
keystone endpoint-create \
|
||||
--region RegionOne \
|
||||
--service_id $KEYSTONE_SERVICE \
|
||||
--publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
|
||||
--adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
|
||||
--internalurl "http://$SERVICE_HOST:\$(public_port)s/v2.0"
|
||||
fi
|
||||
|
||||
# Nova
|
||||
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
||||
NOVA_USER=$(get_id keystone user-create \
|
||||
|
101
lib/keystone
101
lib/keystone
@ -15,6 +15,7 @@
|
||||
# configure_keystone
|
||||
# init_keystone
|
||||
# start_keystone
|
||||
# create_keystone_accounts
|
||||
# stop_keystone
|
||||
# cleanup_keystone
|
||||
|
||||
@ -45,7 +46,6 @@ KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
|
||||
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
|
||||
|
||||
# Set Keystone interface configuration
|
||||
KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
|
||||
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
||||
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
|
||||
@ -144,6 +144,100 @@ function configure_keystone() {
|
||||
|
||||
}
|
||||
|
||||
# create_keystone_accounts() - Sets up common required keystone accounts
|
||||
|
||||
# Tenant User Roles
|
||||
# ------------------------------------------------------------------
|
||||
# service -- --
|
||||
# -- -- Member
|
||||
# admin admin admin
|
||||
# demo admin admin
|
||||
# demo demo Member, anotherrole
|
||||
# invisible_to_admin demo Member
|
||||
|
||||
# Migrated from keystone_data.sh
|
||||
create_keystone_accounts() {
|
||||
|
||||
# admin
|
||||
ADMIN_TENANT=$(keystone tenant-create \
|
||||
--name admin \
|
||||
| grep " id " | get_field 2)
|
||||
ADMIN_USER=$(keystone user-create \
|
||||
--name admin \
|
||||
--pass "$ADMIN_PASSWORD" \
|
||||
--email admin@example.com \
|
||||
| grep " id " | get_field 2)
|
||||
ADMIN_ROLE=$(keystone role-create \
|
||||
--name admin \
|
||||
| grep " id " | get_field 2)
|
||||
keystone user-role-add \
|
||||
--user_id $ADMIN_USER \
|
||||
--role_id $ADMIN_ROLE \
|
||||
--tenant_id $ADMIN_TENANT
|
||||
|
||||
# service
|
||||
SERVICE_TENANT=$(keystone tenant-create \
|
||||
--name $SERVICE_TENANT_NAME \
|
||||
| grep " id " | get_field 2)
|
||||
|
||||
# The Member role is used by Horizon and Swift so we need to keep it:
|
||||
MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | get_field 2)
|
||||
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
|
||||
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
|
||||
ANOTHER_ROLE=$(keystone role-create --name=anotherrole | grep " id " | get_field 2)
|
||||
|
||||
# invisible tenant - admin can't see this one
|
||||
INVIS_TENANT=$(keystone tenant-create --name=invisible_to_admin | grep " id " | get_field 2)
|
||||
|
||||
# demo
|
||||
DEMO_TENANT=$(keystone tenant-create \
|
||||
--name=demo \
|
||||
| grep " id " | get_field 2)
|
||||
DEMO_USER=$(keystone user-create \
|
||||
--name demo \
|
||||
--pass "$ADMIN_PASSWORD" \
|
||||
--email demo@example.com \
|
||||
| grep " id " | get_field 2)
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
|
||||
|
||||
# Keystone
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
KEYSTONE_SERVICE=$(keystone service-create \
|
||||
--name keystone \
|
||||
--type identity \
|
||||
--description "Keystone Identity Service" \
|
||||
| grep " id " | get_field 2)
|
||||
keystone endpoint-create \
|
||||
--region RegionOne \
|
||||
--service_id $KEYSTONE_SERVICE \
|
||||
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \
|
||||
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \
|
||||
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"
|
||||
fi
|
||||
|
||||
# TODO(dtroyer): This is part of a series of changes...remove these when
|
||||
# complete if they are really unused
|
||||
# KEYSTONEADMIN_ROLE=$(keystone role-create \
|
||||
# --name KeystoneAdmin \
|
||||
# | grep " id " | get_field 2)
|
||||
# KEYSTONESERVICE_ROLE=$(keystone role-create \
|
||||
# --name KeystoneServiceAdmin \
|
||||
# | grep " id " | get_field 2)
|
||||
|
||||
# TODO(termie): these two might be dubious
|
||||
# keystone user-role-add \
|
||||
# --user_id $ADMIN_USER \
|
||||
# --role_id $KEYSTONEADMIN_ROLE \
|
||||
# --tenant_id $ADMIN_TENANT
|
||||
# keystone user-role-add \
|
||||
# --user_id $ADMIN_USER \
|
||||
# --role_id $KEYSTONESERVICE_ROLE \
|
||||
# --tenant_id $ADMIN_TENANT
|
||||
}
|
||||
|
||||
# init_keystone() - Initialize databases, etc.
|
||||
function init_keystone() {
|
||||
# (Re)create keystone database
|
||||
@ -176,6 +270,11 @@ function install_keystone() {
|
||||
function start_keystone() {
|
||||
# Start Keystone in a screen window
|
||||
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
|
||||
echo "Waiting for keystone to start..."
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
|
||||
echo "keystone did not start"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# stop_keystone() - Stop running processes
|
||||
|
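Review bot: The ids captured in create_keystone_accounts (`ADMIN_TENANT`, `ADMIN_USER`, `ADMIN_ROLE`, `SERVICE_TENANT`, `MEMBER_ROLE`, `DEMO_TENANT`, …) are never checked, so when a `keystone` call fails — for example on a re-run where the tenant or role already exists — the `grep " id " | get_field 2` pipeline yields an empty string and the unquoted `--user_id $ADMIN_USER` / `--tenant_id $ADMIN_TENANT` arguments in the following `user-role-add` calls are silently dropped instead of failing at the point of the error. A guard after each capture, e.g. `[[ -n "$ADMIN_TENANT" ]] || { echo "create_keystone_accounts: admin tenant not created" >&2; exit 1; }`, plus quoting the ids, would surface the failure where it happens. `KEYSTONE_SERVICE_PROTOCOL` and `KEYSTONE_SERVICE_HOST` (endpoint URLs) and `KEYSTONE_SERVICE_PORT` (start_keystone) are not defined in any visible hunk while `KEYSTONE_API_PORT` is removed in the `@ -45,7 +46,6 @@` hunk; if they are not set elsewhere in lib/keystone, the endpoint registration and the readiness check would be built from empty host/port values. Note also that `--pass "$ADMIN_PASSWORD"` travels on argv, so the admin password is visible in process listings and in any xtrace log while these commands run.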
16
stack.sh
16
stack.sh
@ -953,15 +953,16 @@ if is_service_enabled key; then
|
||||
configure_keystone
|
||||
init_keystone
|
||||
start_keystone
|
||||
echo "Waiting for keystone to start..."
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
|
||||
echo "keystone did not start"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ``keystone_data.sh`` creates services, admin and demo users, and roles.
|
||||
# Set up a temporary admin URI for Keystone
|
||||
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
|
||||
|
||||
# Do the keystone-specific bits from keystone_data.sh
|
||||
export OS_SERVICE_TOKEN=$SERVICE_TOKEN
|
||||
export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT
|
||||
create_keystone_accounts
|
||||
|
||||
# ``keystone_data.sh`` creates services, admin and demo users, and roles.
|
||||
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
|
||||
SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
|
||||
S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
|
||||
@ -974,6 +975,7 @@ if is_service_enabled key; then
|
||||
export OS_TENANT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=$ADMIN_PASSWORD
|
||||
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
|
||||
fi
|
||||
|
||||
|
||||
@ -1750,7 +1752,7 @@ fi
|
||||
|
||||
# If Keystone is present you can point ``nova`` cli to this server
|
||||
if is_service_enabled key; then
|
||||
echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/"
|
||||
echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/"
|
||||
echo "Examples on using novaclient command line is in exercise.sh"
|
||||
echo "The default users are: admin and demo"
|
||||
echo "The password: $ADMIN_PASSWORD"
|
||||
|
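Review bot: The comment re-added above the keystone_data.sh invocation, `# ``keystone_data.sh`` creates services, admin and demo users, and roles.`, is now stale: after this commit the admin and demo users and the common roles are created by `create_keystone_accounts`, and keystone_data.sh is left with the per-service accounts and endpoints (its Nova section is still visible as context in the first file). Suggest `# ``keystone_data.sh`` creates the per-service users, roles and endpoints; admin/demo users and common roles come from create_keystone_accounts.`. Separately, the readiness wait moved into start_keystone probes `$SERVICE_HOST:$KEYSTONE_SERVICE_PORT`, whereas the accounts are created against `SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0`; these presumably come up together from the single keystone-all process, but if the admin host or port differ from the public one the probe no longer covers the endpoint actually used. The `if is_service_enabled key` block starts and ends outside the hunks.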