From 18f39bfb1f6af23a7fc5f5a5b822e7216ce9ec62 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Wed, 28 Jan 2015 13:38:32 +1000 Subject: [PATCH] Remove the default project from all users The default project means that a user gains token scoping information for a project if they don't specify another. This is something we want to discourage for user creation. User's should specify there own authentication scope when they authenticate. Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc --- extras.d/70-tuskar.sh | 3 +-- functions-common | 11 +++++------ lib/ceilometer | 3 +-- lib/cinder | 3 +-- lib/glance | 5 ++--- lib/heat | 3 +-- lib/ironic | 3 +-- lib/keystone | 5 ++--- lib/neutron | 3 +-- lib/nova | 3 +-- lib/sahara | 3 +-- lib/swift | 16 ++++++---------- lib/tempest | 2 +- lib/trove | 3 +-- lib/zaqar | 3 +-- 15 files changed, 26 insertions(+), 43 deletions(-) diff --git a/extras.d/70-tuskar.sh b/extras.d/70-tuskar.sh index 6e26db2804..551916f35a 100644 --- a/extras.d/70-tuskar.sh +++ b/extras.d/70-tuskar.sh @@ -180,8 +180,7 @@ function create_tuskar_accounts { local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - local tuskar_user=$(get_or_create_user "tuskar" \ - "$SERVICE_PASSWORD" $service_tenant) + local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $tuskar_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/functions-common b/functions-common index f8b8eaf567..29c28f4581 100644 --- a/functions-common +++ b/functions-common 
@@ -860,17 +860,17 @@ function get_or_create_group { } # Gets or creates user -# Usage: get_or_create_user [ []] +# Usage: get_or_create_user [ []] function get_or_create_user { - if [[ ! -z "$4" ]]; then - local email="--email=$4" + if [[ ! -z "$3" ]]; then + local email="--email=$3" else local email="" fi local os_cmd="openstack" local domain="" - if [[ ! -z "$5" ]]; then - domain="--domain=$5" + if [[ ! -z "$4" ]]; then + domain="--domain=$4" os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3" fi # Gets user id @@ -879,7 +879,6 @@ function get_or_create_user { $os_cmd user create \ $1 \ --password "$2" \ - --project $3 \ $email \ $domain \ --or-show \ diff --git a/lib/ceilometer b/lib/ceilometer index d48751e5a3..a83d0931a1 100644 --- a/lib/ceilometer +++ b/lib/ceilometer @@ -110,8 +110,7 @@ function create_ceilometer_accounts { # Ceilometer if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then - local ceilometer_user=$(get_or_create_user "ceilometer" \ - "$SERVICE_PASSWORD" $service_tenant) + local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $ceilometer_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/cinder b/lib/cinder index 6043891164..dbccf44600 100644 --- a/lib/cinder +++ b/lib/cinder @@ -348,8 +348,7 @@ function create_cinder_accounts { # Cinder if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then - local cinder_user=$(get_or_create_user "cinder" \ - "$SERVICE_PASSWORD" $service_tenant) + local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $cinder_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/glance b/lib/glance index 87687613cd..bee57a3100 100644 --- a/lib/glance +++ b/lib/glance 
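Review bot: Shifting email to `$3` and domain to `$4` leaves no way to detect a caller that still uses the old `name password project [email [domain]]` order — such a call would now create the user with `--email=<project id>` and, if it also passed an email, switch to the v3 API with `--domain=<email>`; out-of-tree plugins under extras.d are not touched by this commit. The second hunk (`@@ -879`) drops `--project $3` without any check on the remaining arguments, so a cheap guard that at least rejects the five-argument legacy form is worth adding at the top of the function: `[[ -z "$5" ]] || die $LINENO "get_or_create_user: project argument removed; usage: name password [email [domain]]"`. The Usage comment as rendered here reads `[ []]`; it should spell out the new positional order, e.g. `# Usage: get_or_create_user <name> <password> [<email> [<domain>]]`. The body of get_or_create_user continues into the second hunk, outside this one.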
@@ -232,15 +232,14 @@ function configure_glance { function create_glance_accounts { if is_service_enabled g-api; then - local glance_user=$(get_or_create_user "glance" \ - "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME) + local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD") get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME # required for swift access if is_service_enabled s-proxy; then local glance_swift_user=$(get_or_create_user "glance-swift" \ - "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com") + "$SERVICE_PASSWORD" "glance-swift@example.com") get_or_add_user_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME fi diff --git a/lib/heat b/lib/heat index 813c2fe65a..5bc7283361 100644 --- a/lib/heat +++ b/lib/heat @@ -243,8 +243,7 @@ function create_heat_accounts { local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - local heat_user=$(get_or_create_user "heat" \ - "$SERVICE_PASSWORD" $service_tenant) + local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $heat_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/ironic b/lib/ironic index 2075a9cda6..fced2949f4 100644 --- a/lib/ironic +++ b/lib/ironic @@ -365,8 +365,7 @@ function create_ironic_accounts { if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then # Get ironic user if exists - local ironic_user=$(get_or_create_user "ironic" \ - "$SERVICE_PASSWORD" $service_tenant) + local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $ironic_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/keystone b/lib/keystone index afa7f009e7..d5ccc2f075 100644 --- a/lib/keystone +++ b/lib/keystone 
@@ -362,8 +362,7 @@ function create_keystone_accounts { # admin local admin_tenant=$(get_or_create_project "admin") - local admin_user=$(get_or_create_user "admin" \ - "$ADMIN_PASSWORD" "$admin_tenant") + local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD") local admin_role=$(get_or_create_role "admin") get_or_add_user_role $admin_role $admin_user $admin_tenant @@ -392,7 +391,7 @@ function create_keystone_accounts { # demo local demo_tenant=$(get_or_create_project "demo") local demo_user=$(get_or_create_user "demo" \ - "$ADMIN_PASSWORD" "$demo_tenant" "demo@example.com") + "$ADMIN_PASSWORD" "demo@example.com") get_or_add_user_role $member_role $demo_user $demo_tenant get_or_add_user_role $admin_role $admin_user $demo_tenant diff --git a/lib/neutron b/lib/neutron index b22c00b097..d16cd3810b 100755 --- a/lib/neutron +++ b/lib/neutron @@ -513,8 +513,7 @@ function create_neutron_accounts { if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then - local neutron_user=$(get_or_create_user "neutron" \ - "$SERVICE_PASSWORD" $service_tenant) + local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD") get_or_add_user_role $service_role $neutron_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/nova b/lib/nova index 76212edc96..c8d0d94c27 100644 --- a/lib/nova +++ b/lib/nova @@ -359,8 +359,7 @@ function create_nova_accounts { # Nova if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then - local nova_user=$(get_or_create_user "nova" \ - "$SERVICE_PASSWORD" $service_tenant) + local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $nova_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/sahara b/lib/sahara index 995935aebf..44c06d3c46 100644 --- a/lib/sahara +++ b/lib/sahara 
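Review bot: The reason the `admin` and `demo` users are now created without a project is not visible at the call site, so a later reader may simply add it back; a one-line comment above the `admin` user creation would carry the intent, e.g. `# No default project: a user must request an explicit scope when authenticating`. Whether any consumer of these accounts authenticates without naming a project (and would now receive an unscoped token instead of an admin-project-scoped one) cannot be confirmed from this hunk. The role grants on the following lines still scope both users to their tenants, so the change narrows implicit scope rather than access. create_keystone_accounts continues beyond both hunks.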
@@ -64,8 +64,7 @@ function create_sahara_accounts { local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") - local sahara_user=$(get_or_create_user "sahara" \ - "$SERVICE_PASSWORD" $service_tenant) + local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $sahara_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/swift b/lib/swift index ee4543cb5b..1ddfa450ab 100644 --- a/lib/swift +++ b/lib/swift @@ -594,8 +594,7 @@ function create_swift_accounts { local admin_role=$(openstack role list | awk "/ admin / { print \$2 }") local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }") - local swift_user=$(get_or_create_user "swift" \ - "$SERVICE_PASSWORD" $service_tenant) + local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD") get_or_add_user_role $admin_role $swift_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then 
@@ -611,21 +610,18 @@ function create_swift_accounts { local swift_tenant_test1=$(get_or_create_project swifttenanttest1) die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1" - SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \ - "$swift_tenant_test1" "test@example.com") + SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com") die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1" get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1 - local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \ - "$swift_tenant_test1" "test3@example.com") + local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com") die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3" get_or_add_user_role $another_role $swift_user_test3 $swift_tenant_test1 local swift_tenant_test2=$(get_or_create_project swifttenanttest2) die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2" - local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \ - "$swift_tenant_test2" "test2@example.com") + local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com") die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2" get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2 
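Review bot: The three rewritten `get_or_create_user` calls for swiftusertest1, swiftusertest3 and swiftusertest2 were joined onto single lines rather than re-wrapped, so each now runs well past the width used elsewhere in this function. Keeping the `\` continuation after the password argument, e.g. `SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \` followed by `"test@example.com")` on the next line, matches the surrounding style. The same applies to the swiftusertest4 call in the next hunk (`@@ -634`). create_swift_accounts continues outside this hunk.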
@@ -634,8 +630,8 @@ function create_swift_accounts { local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain) die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4" - local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \ - $swift_tenant_test4 "test4@example.com" $swift_domain) + + local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain) die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4" get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4 } diff --git a/lib/tempest b/lib/tempest index 1ae945779d..86f30b4a40 100644 --- a/lib/tempest +++ b/lib/tempest @@ -502,7 +502,7 @@ function create_tempest_accounts { # Tempest has some tests that validate various authorization checks # between two regular users in separate tenants get_or_create_project alt_demo - get_or_create_user alt_demo "$ADMIN_PASSWORD" alt_demo "alt_demo@example.com" + get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com" get_or_add_user_role Member alt_demo alt_demo fi } diff --git a/lib/trove b/lib/trove index 3249ce0746..5e6b1b39c3 100644 --- a/lib/trove +++ b/lib/trove @@ -84,8 +84,7 @@ function create_trove_accounts { if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then - local trove_user=$(get_or_create_user "trove" \ - "$SERVICE_PASSWORD" $service_tenant) + local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD") get_or_add_user_role $service_role $trove_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then diff --git a/lib/zaqar b/lib/zaqar index dfa3452f0d..618ac30534 100644 --- a/lib/zaqar +++ b/lib/zaqar 
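Review bot: The new side adds an empty `+` line before the swiftusertest4 call, where the removed two-line call stood; it separates `die_if_not_set $LINENO swift_tenant_test4 ...` from the user creation it guards and does not match the other test users in this function, which follow their `die_if_not_set` directly. Drop the stray blank line so the block reads as in the previous hunk. The closing `}` of create_swift_accounts is visible in this hunk.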
@@ -218,8 +218,7 @@ function create_zaqar_accounts { local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }") - local zaqar_user=$(get_or_create_user "zaqar" \ - "$SERVICE_PASSWORD" $service_tenant) + local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD") get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then