Remove the default project from all users

Jamie Lennox · Jamie Lennox · commit 18f39bfb1f6a · 2015-01-28T13:38:32.000+10:00
The default project means that a user gains token scoping information
for a project if they don't specify another. This is something we want
to discourage for user creation. User's should specify there own
authentication scope when they authenticate.

Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc
diff --git a/extras.d/70-tuskar.sh b/extras.d/70-tuskar.sh
@@ -180,8 +180,7 @@ function create_tuskar_accounts {
     local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
     local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
 
-    local tuskar_user=$(get_or_create_user "tuskar" \
-        "$SERVICE_PASSWORD" $service_tenant)
+    local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
     get_or_add_user_role $admin_role $tuskar_user $service_tenant
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/functions-common b/functions-common
@@ -860,17 +860,17 @@ function get_or_create_group {
 }
 
 # Gets or creates user
-# Usage: get_or_create_user <username> <password> <project> [<email> [<domain>]]
+# Usage: get_or_create_user <username> <password> [<email> [<domain>]]
 function get_or_create_user {
-    if [[ ! -z "$4" ]]; then
-        local email="--email=$4"
+    if [[ ! -z "$3" ]]; then
+        local email="--email=$3"
     else
         local email=""
     fi
     local os_cmd="openstack"
     local domain=""
-    if [[ ! -z "$5" ]]; then
-        domain="--domain=$5"
+    if [[ ! -z "$4" ]]; then
+        domain="--domain=$4"
         os_cmd="$os_cmd --os-url=$KEYSTONE_SERVICE_URI_V3 --os-identity-api-version=3"
     fi
     # Gets user id
@@ -879,7 +879,6 @@ function get_or_create_user {
         $os_cmd user create \
             $1 \
             --password "$2" \
-            --project $3 \
             $email \
             $domain \
             --or-show \
diff --git a/lib/ceilometer b/lib/ceilometer
@@ -110,8 +110,7 @@ function create_ceilometer_accounts {
 
     # Ceilometer
     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
-        local ceilometer_user=$(get_or_create_user "ceilometer" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
         get_or_add_user_role $admin_role $ceilometer_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/cinder b/lib/cinder
@@ -348,8 +348,7 @@ function create_cinder_accounts {
     # Cinder
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
 
-        local cinder_user=$(get_or_create_user "cinder" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
         get_or_add_user_role $admin_role $cinder_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/glance b/lib/glance
@@ -232,15 +232,14 @@ function configure_glance {
 function create_glance_accounts {
     if is_service_enabled g-api; then
 
-        local glance_user=$(get_or_create_user "glance" \
-            "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME)
+        local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
         get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
 
         # required for swift access
         if is_service_enabled s-proxy; then
 
             local glance_swift_user=$(get_or_create_user "glance-swift" \
-                "$SERVICE_PASSWORD" $SERVICE_TENANT_NAME "glance-swift@example.com")
+                "$SERVICE_PASSWORD" "glance-swift@example.com")
             get_or_add_user_role "ResellerAdmin" $glance_swift_user $SERVICE_TENANT_NAME
         fi
 
diff --git a/lib/heat b/lib/heat
@@ -243,8 +243,7 @@ function create_heat_accounts {
     local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
     local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
 
-    local heat_user=$(get_or_create_user "heat" \
-        "$SERVICE_PASSWORD" $service_tenant)
+    local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
     get_or_add_user_role $admin_role $heat_user $service_tenant
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/ironic b/lib/ironic
@@ -365,8 +365,7 @@ function create_ironic_accounts {
     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
         # Get ironic user if exists
 
-        local ironic_user=$(get_or_create_user "ironic" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
         get_or_add_user_role $admin_role $ironic_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/keystone b/lib/keystone
@@ -362,8 +362,7 @@ function create_keystone_accounts {
 
     # admin
     local admin_tenant=$(get_or_create_project "admin")
-    local admin_user=$(get_or_create_user "admin" \
-        "$ADMIN_PASSWORD" "$admin_tenant")
+    local admin_user=$(get_or_create_user "admin" "$ADMIN_PASSWORD")
     local admin_role=$(get_or_create_role "admin")
     get_or_add_user_role $admin_role $admin_user $admin_tenant
 
@@ -392,7 +391,7 @@ function create_keystone_accounts {
     # demo
     local demo_tenant=$(get_or_create_project "demo")
     local demo_user=$(get_or_create_user "demo" \
-        "$ADMIN_PASSWORD" "$demo_tenant" "demo@example.com")
+        "$ADMIN_PASSWORD" "demo@example.com")
 
     get_or_add_user_role $member_role $demo_user $demo_tenant
     get_or_add_user_role $admin_role $admin_user $demo_tenant
diff --git a/lib/neutron b/lib/neutron
@@ -513,8 +513,7 @@ function create_neutron_accounts {
 
     if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
 
-        local neutron_user=$(get_or_create_user "neutron" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
         get_or_add_user_role $service_role $neutron_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/nova b/lib/nova
@@ -359,8 +359,7 @@ function create_nova_accounts {
     # Nova
     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 
-        local nova_user=$(get_or_create_user "nova" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
         get_or_add_user_role $admin_role $nova_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/sahara b/lib/sahara
@@ -64,8 +64,7 @@ function create_sahara_accounts {
     local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
     local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
 
-    local sahara_user=$(get_or_create_user "sahara" \
-        "$SERVICE_PASSWORD" $service_tenant)
+    local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
     get_or_add_user_role $admin_role $sahara_user $service_tenant
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/swift b/lib/swift
@@ -594,8 +594,7 @@ function create_swift_accounts {
     local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
 
-    local swift_user=$(get_or_create_user "swift" \
-        "$SERVICE_PASSWORD" $service_tenant)
+    local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
     get_or_add_user_role $admin_role $swift_user $service_tenant
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@@ -611,21 +610,18 @@ function create_swift_accounts {
 
     local swift_tenant_test1=$(get_or_create_project swifttenanttest1)
     die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
-    SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password \
-        "$swift_tenant_test1" "test@example.com")
+    SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
     die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
     get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
 
-    local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password \
-        "$swift_tenant_test1" "test3@example.com")
+    local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
     die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
     get_or_add_user_role $another_role $swift_user_test3 $swift_tenant_test1
 
     local swift_tenant_test2=$(get_or_create_project swifttenanttest2)
     die_if_not_set $LINENO swift_tenant_test2 "Failure creating swift_tenant_test2"
 
-    local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password \
-        "$swift_tenant_test2" "test2@example.com")
+    local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
     die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
     get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
 
@@ -634,8 +630,8 @@ function create_swift_accounts {
 
     local swift_tenant_test4=$(get_or_create_project swifttenanttest4 $swift_domain)
     die_if_not_set $LINENO swift_tenant_test4 "Failure creating swift_tenant_test4"
-    local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password \
-        $swift_tenant_test4 "test4@example.com" $swift_domain)
+
+    local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
     die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
     get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
 }
diff --git a/lib/tempest b/lib/tempest
@@ -502,7 +502,7 @@ function create_tempest_accounts {
         # Tempest has some tests that validate various authorization checks
         # between two regular users in separate tenants
         get_or_create_project alt_demo
-        get_or_create_user alt_demo "$ADMIN_PASSWORD" alt_demo "alt_demo@example.com"
+        get_or_create_user alt_demo "$ADMIN_PASSWORD" "alt_demo@example.com"
         get_or_add_user_role Member alt_demo alt_demo
     fi
 }
diff --git a/lib/trove b/lib/trove
@@ -84,8 +84,7 @@ function create_trove_accounts {
 
     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
 
-        local trove_user=$(get_or_create_user "trove" \
-            "$SERVICE_PASSWORD" $service_tenant)
+        local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
         get_or_add_user_role $service_role $trove_user $service_tenant
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/zaqar b/lib/zaqar
@@ -218,8 +218,7 @@ function create_zaqar_accounts {
     local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
     ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
 
-    local zaqar_user=$(get_or_create_user "zaqar" \
-        "$SERVICE_PASSWORD" $service_tenant)
+    local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
     get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
