
Commit 42a59c2

author
Dean Troyer
committed
Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts() * Move glance creation to create_glance_accounts() * Move nova/ec2/s3 creation to create_nova_accounts() * Move ceilometer creation to create_ceilometer_accounts() * Move tempest creation to create_tempest_accounts() * Convert moved code to use OpenStackClient for setup * files/keystone_data.sh is removed Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service implementations are not necessary with OSC, all operations can be done using names rather than requiring IDs. Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
1 parent c880fb4 commit 42a59c2


8 files changed

+146
-168
lines changed


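--- a/extras.d/80-tempest.sh
+++ b/extras.d/80-tempest.sh
@@ -9,7 +9,7 @@ if is_service_enabled tempest; then
 install_tempest
 elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
 # Tempest config must come after layer 2 services are running
-:
+create_tempest_accounts
 elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
 echo_summary "Initializing Tempest"
 configure_tempest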
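Review bot: The retained comment `# Tempest config must come after layer 2 services are running` now sits directly above `create_tempest_accounts` in the `post-config` branch, where it used to explain the `:` no-op, so it reads as if it described the account creation. I would reword it, for example `# Create the Tempest test accounts here; configure_tempest itself runs in the "extra" phase`. The enclosing `if is_service_enabled tempest` block starts and ends outside the hunk.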

files/keystone_data.sh

Lines changed: 0 additions & 146 deletions
This file was deleted.

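--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -69,6 +69,11 @@ function is_ceilometer_enabled {
 
 # create_ceilometer_accounts() - Set up common required ceilometer accounts
 
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME ceilometer admin
+# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
+
 create_ceilometer_accounts() {
 
 SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
@@ -99,6 +104,13 @@ create_ceilometer_accounts() {
 --adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
 --internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
 fi
+if is_service_enabled swift; then
+# Ceilometer needs ResellerAdmin role to access swift account stats.
+openstack role add \
+--project $SERVICE_TENANT_NAME \
+--user ceilometer \
+ResellerAdmin
+fi
 fi
 }
 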
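Review bot: `--project $SERVICE_TENANT_NAME` in the new `openstack role add` call is unquoted, so a project name containing whitespace or glob characters would be split into extra arguments of a command that grants `ResellerAdmin`, a role the lib/keystone comment in this commit describes as acting for any tenant. Write it as `--project "$SERVICE_TENANT_NAME" \`. The same unquoted expansion is added in lib/glance (four `--project` lines), lib/keystone (`openstack project create $SERVICE_TENANT_NAME`) and lib/nova (the `openstack role add` call). The body of `create_ceilometer_accounts` between the two hunks is not shown, so the outer condition this block sits in cannot be checked from here.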

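--- a/lib/glance
+++ b/lib/glance
@@ -159,6 +159,49 @@ function configure_glance {
 cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON
 }
 
+# create_glance_accounts() - Set up common required glance accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME glance service
+# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if Swift is enabled)
+
+function create_glance_accounts {
+if is_service_enabled g-api; then
+openstack user create \
+--password "$SERVICE_PASSWORD" \
+--project $SERVICE_TENANT_NAME \
+glance
+openstack role add \
+--project $SERVICE_TENANT_NAME \
+--user glance \
+service
+# required for swift access
+if is_service_enabled s-proxy; then
+openstack user create \
+--password "$SERVICE_PASSWORD" \
+--project $SERVICE_TENANT_NAME \
+glance-swift
+openstack role add \
+--project $SERVICE_TENANT_NAME \
+--user glance-swift \
+ResellerAdmin
+fi
+if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+openstack service create \
+--type image \
+--description "Glance Image Service" \
+glance
+openstack endpoint create \
+--region RegionOne \
+--publicurl "http://$GLANCE_HOSTPORT" \
+--adminurl "http://$GLANCE_HOSTPORT" \
+--internalurl "http://$GLANCE_HOSTPORT" \
+glance
+fi
+fi
+}
+
 # create_glance_cache_dir() - Part of the init_glance() process
 function create_glance_cache_dir {
 # Create cache dir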
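Review bot: The three endpoint URLs registered for `glance` hard-code `http://$GLANCE_HOSTPORT`, whereas the ceilometer endpoints visible in this same commit are built from `$CEILOMETER_SERVICE_PROTOCOL`. A deployment that serves the image API over TLS would still publish a plaintext URL in the catalog, and clients following it would send their tokens unencrypted. If a protocol setting exists for Glance it should be used here; otherwise a comment such as `# NOTE: endpoint scheme is fixed to http; update if Glance is served over TLS` would at least flag the limitation. The EC2 and S3 endpoints added in lib/nova hard-code `http://` in the same way.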

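--- a/lib/keystone
+++ b/lib/keystone
@@ -266,9 +266,11 @@ function configure_keystone {
 
 # Tenant User Roles
 # ------------------------------------------------------------------
+# admin admin admin
 # service -- --
+# -- -- service
+# -- -- ResellerAdmin
 # -- -- Member
-# admin admin admin
 # demo admin admin
 # demo demo Member, anotherrole
 # invisible_to_admin demo Member
@@ -294,10 +296,17 @@ function create_keystone_accounts {
 --project $ADMIN_TENANT \
 --user $ADMIN_USER
 
-# service
-SERVICE_TENANT=$(openstack project create \
-$SERVICE_TENANT_NAME \
-| grep " id " | get_field 2)
+# Create service project/role
+openstack project create $SERVICE_TENANT_NAME
+
+# Service role, so service users do not have to be admins
+openstack role create service
+
+# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+# The admin role in swift allows a user to act as an admin for their tenant,
+# but ResellerAdmin is needed for a user to act as any tenant. The name of this
+# role is also configurable in swift-proxy.conf
+openstack role create ResellerAdmin
 
 # The Member role is used by Horizon and Swift so we need to keep it:
 MEMBER_ROLE=$(openstack role create \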
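Review bot: The comment added above `openstack role create ResellerAdmin` says the role is used by Nova and Ceilometer, but this commit also grants it to `glance-swift` in lib/glance. Since the comment itself notes that ResellerAdmin lets a user act as any tenant, the list of holders should be complete so the grants can be audited from one place: `# ResellerAdmin is granted to nova, ceilometer and glance-swift when Swift is enabled.` `create_keystone_accounts` begins before and continues after the second hunk.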

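--- a/lib/nova
+++ b/lib/nova
@@ -316,9 +316,10 @@ function configure_nova {
 
 # create_nova_accounts() - Set up common required nova accounts
 
-# Tenant User Roles
+# Project User Roles
 # ------------------------------------------------------------------
-# service nova admin, [ResellerAdmin (swift only)]
+# SERVICE_TENANT_NAME nova admin
+# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
 
 # Migrated from keystone_data.sh
 create_nova_accounts() {
@@ -363,6 +364,48 @@ create_nova_accounts() {
 --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
 fi
 fi
+
+if is_service_enabled n-api; then
+# Swift
+if is_service_enabled swift; then
+# Nova needs ResellerAdmin role to download images when accessing
+# swift through the s3 api.
+openstack role add \
+--project $SERVICE_TENANT_NAME \
+--user nova \
+ResellerAdmin
+fi
+
+# EC2
+if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
+openstack service create \
+--type ec2 \
+--description "EC2 Compatibility Layer" \
+ec2
+openstack endpoint create \
+--region RegionOne \
+--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+--internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ec2
+fi
+fi
+
+# S3
+if is_service_enabled n-obj swift3; then
+if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+openstack service create \
+--type s3 \
+--description "S3" \
+s3
+openstack endpoint create \
+--region RegionOne \
+--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+s3
+fi
+fi
 }
 
 # create_nova_conf() - Create a new nova.conf file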
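Review bot: The `ResellerAdmin` grant to `nova` in the second hunk is conditioned only on `is_service_enabled swift`, while its own comment justifies the role by image download "through the s3 api". As written, nova receives the role whenever Swift is on, even when neither `n-obj` nor `swift3` (the guard used for the S3 block below) is enabled. If the S3 path is the only consumer, narrowing the guard, e.g. `if is_service_enabled swift && is_service_enabled n-obj swift3; then`, keeps the role off the nova user where it is not needed; if it is needed more broadly, the comment should say so. The middle of `create_nova_accounts` lies between the two hunks and is not shown.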

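--- a/lib/tempest
+++ b/lib/tempest
@@ -358,6 +358,30 @@ function configure_tempest {
 $errexit
 }
 
+# create_tempest_accounts() - Set up common required tempest accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# alt_demo alt_demo Member
+
+# Migrated from keystone_data.sh
+function create_tempest_accounts {
+if is_service_enabled tempest; then
+# Tempest has some tests that validate various authorization checks
+# between two regular users in separate tenants
+openstack project create \
+alt_demo
+openstack user create \
+--project alt_demo \
+--password "$ADMIN_PASSWORD" \
+alt_demo
+openstack role add \
+--project alt_demo \
+--user alt_demo \
+Member
+fi
+}
+
 # install_tempest() - Collect source and prepare
 function install_tempest {
 git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH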
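Review bot: `alt_demo` is described in the comment as a regular user for authorization tests, yet it is created with `--password "$ADMIN_PASSWORD"`, so the unprivileged test account and the cloud admin share one secret. A dedicated setting that defaults to the current value would keep existing setups working: `--password "${ALT_DEMO_PASSWORD:-$ADMIN_PASSWORD}" \` (`ALT_DEMO_PASSWORD` is a new name proposed here, not an existing variable). `configure_tempest`, whose body is outside this hunk, presumably writes the alt user's password into the Tempest config and would need to use the same value.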
