Complete moving Keystone setup out of keystone_data.sh

Dean Troyer · Dean Troyer · commit 42a59c2bfae6 · 2014-03-10T15:17:30.000-05:00
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed

Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.

Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
diff --git a/extras.d/80-tempest.sh b/extras.d/80-tempest.sh
@@ -9,7 +9,7 @@ if is_service_enabled tempest; then
         install_tempest
     elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
         # Tempest config must come after layer 2 services are running
-        :
+        create_tempest_accounts
     elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
         echo_summary "Initializing Tempest"
         configure_tempest
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
diff --git a/lib/ceilometer b/lib/ceilometer
@@ -69,6 +69,11 @@ function is_ceilometer_enabled {
 
 # create_ceilometer_accounts() - Set up common required ceilometer accounts
 
+# Project              User         Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME  ceilometer   admin
+# SERVICE_TENANT_NAME  ceilometer   ResellerAdmin (if Swift is enabled)
+
 create_ceilometer_accounts() {
 
     SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
@@ -99,6 +104,13 @@ create_ceilometer_accounts() {
                 --adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
                 --internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
         fi
+        if is_service_enabled swift; then
+            # Ceilometer needs ResellerAdmin role to access swift account stats.
+            openstack role add \
+                --project $SERVICE_TENANT_NAME \
+                --user ceilometer \
+                ResellerAdmin
+        fi
     fi
 }
 
diff --git a/lib/glance b/lib/glance
@@ -159,6 +159,49 @@ function configure_glance {
     cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON
 }
 
+# create_glance_accounts() - Set up common required glance accounts
+
+# Project              User         Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME  glance       service
+# SERVICE_TENANT_NAME  glance-swift ResellerAdmin (if Swift is enabled)
+
+function create_glance_accounts {
+    if is_service_enabled g-api; then
+        openstack user create \
+            --password "$SERVICE_PASSWORD" \
+            --project $SERVICE_TENANT_NAME \
+            glance
+        openstack role add \
+            --project $SERVICE_TENANT_NAME \
+            --user glance \
+            service
+        # required for swift access
+        if is_service_enabled s-proxy; then
+            openstack user create \
+                --password "$SERVICE_PASSWORD" \
+                --project $SERVICE_TENANT_NAME \
+                glance-swift
+            openstack role add \
+                --project $SERVICE_TENANT_NAME \
+                --user glance-swift \
+                ResellerAdmin
+        fi
+        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+            openstack service create \
+                --type image \
+                --description "Glance Image Service" \
+                glance
+            openstack endpoint create \
+                --region RegionOne \
+                --publicurl "http://$GLANCE_HOSTPORT" \
+                --adminurl "http://$GLANCE_HOSTPORT" \
+                --internalurl "http://$GLANCE_HOSTPORT" \
+                glance
+        fi
+    fi
+}
+
 # create_glance_cache_dir() - Part of the init_glance() process
 function create_glance_cache_dir {
     # Create cache dir
diff --git a/lib/keystone b/lib/keystone
@@ -266,9 +266,11 @@ function configure_keystone {
 
 # Tenant               User       Roles
 # ------------------------------------------------------------------
+# admin                admin      admin
 # service              --         --
+# --                   --         service
+# --                   --         ResellerAdmin
 # --                   --         Member
-# admin                admin      admin
 # demo                 admin      admin
 # demo                 demo       Member, anotherrole
 # invisible_to_admin   demo       Member
@@ -294,10 +296,17 @@ function create_keystone_accounts {
         --project $ADMIN_TENANT \
         --user $ADMIN_USER
 
-    # service
-    SERVICE_TENANT=$(openstack project create \
-        $SERVICE_TENANT_NAME \
-        | grep " id " | get_field 2)
+    # Create service project/role
+    openstack project create $SERVICE_TENANT_NAME
+
+    # Service role, so service users do not have to be admins
+    openstack role create service
+
+    # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+    # The admin role in swift allows a user to act as an admin for their tenant,
+    # but ResellerAdmin is needed for a user to act as any tenant. The name of this
+    # role is also configurable in swift-proxy.conf
+    openstack role create ResellerAdmin
 
     # The Member role is used by Horizon and Swift so we need to keep it:
     MEMBER_ROLE=$(openstack role create \
diff --git a/lib/nova b/lib/nova
@@ -316,9 +316,10 @@ function configure_nova {
 
 # create_nova_accounts() - Set up common required nova accounts
 
-# Tenant               User       Roles
+# Project              User         Roles
 # ------------------------------------------------------------------
-# service              nova       admin, [ResellerAdmin (swift only)]
+# SERVICE_TENANT_NAME  nova         admin
+# SERVICE_TENANT_NAME  nova         ResellerAdmin (if Swift is enabled)
 
 # Migrated from keystone_data.sh
 create_nova_accounts() {
@@ -363,6 +364,48 @@ create_nova_accounts() {
                 --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
         fi
     fi
+
+    if is_service_enabled n-api; then
+        # Swift
+        if is_service_enabled swift; then
+            # Nova needs ResellerAdmin role to download images when accessing
+            # swift through the s3 api.
+            openstack role add \
+                --project $SERVICE_TENANT_NAME \
+                --user nova \
+                ResellerAdmin
+        fi
+
+        # EC2
+        if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
+            openstack service create \
+                --type ec2 \
+                --description "EC2 Compatibility Layer" \
+                ec2
+            openstack endpoint create \
+                --region RegionOne \
+                --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+                --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+                --internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
+                ec2
+        fi
+    fi
+
+    # S3
+    if is_service_enabled n-obj swift3; then
+        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+            openstack service create \
+                --type s3 \
+                --description "S3" \
+                s3
+            openstack endpoint create \
+                --region RegionOne \
+                --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+                --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+                --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+                s3
+        fi
+    fi
 }
 
 # create_nova_conf() - Create a new nova.conf file
diff --git a/lib/tempest b/lib/tempest
@@ -358,6 +358,30 @@ function configure_tempest {
     $errexit
 }
 
+# create_tempest_accounts() - Set up common required tempest accounts
+
+# Project              User         Roles
+# ------------------------------------------------------------------
+# alt_demo             alt_demo     Member
+
+# Migrated from keystone_data.sh
+function create_tempest_accounts {
+    if is_service_enabled tempest; then
+        # Tempest has some tests that validate various authorization checks
+        # between two regular users in separate tenants
+        openstack project create \
+            alt_demo
+        openstack user create \
+            --project alt_demo \
+            --password "$ADMIN_PASSWORD" \
+            alt_demo
+        openstack role add \
+            --project alt_demo \
+            --user alt_demo \
+            Member
+    fi
+}
+
 # install_tempest() - Collect source and prepare
 function install_tempest {
     git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH
diff --git a/stack.sh b/stack.sh
