Update lib/keystone to add more system users
Keystone has supported system-scope since Queens and we already make sure we create a cloud profile for system-admin in /etc/openstack/clouds.yaml. This commit ensures keystone creates a couple of new users to model system-member and system-reader personas. Doing this by default in devstack makes it easier for people to use. We've already taken a similar approach in tempest by setting up the various system personas for tempest clients to use. Change-Id: Iceb7c5f517db20072e121dc7538abaa888423c67
This commit is contained in:
parent
9101fbf5c4
commit
021ae0bcc8
@ -129,6 +129,28 @@ function write_clouds_yaml {
|
|||||||
--os-password $ADMIN_PASSWORD \
|
--os-password $ADMIN_PASSWORD \
|
||||||
--os-system-scope all
|
--os-system-scope all
|
||||||
|
|
||||||
|
# system member
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-system-member \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username system_member \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-system-scope all
|
||||||
|
|
||||||
|
# system reader
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-system-reader \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username system_reader \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-system-scope all
|
||||||
|
|
||||||
cat >> $CLOUDS_YAML <<EOF
|
cat >> $CLOUDS_YAML <<EOF
|
||||||
functional:
|
functional:
|
||||||
image_name: $DEFAULT_IMAGE_NAME
|
image_name: $DEFAULT_IMAGE_NAME
|
||||||
@ -936,6 +958,37 @@ function get_or_add_user_domain_role {
|
|||||||
echo $user_role_id
|
echo $user_role_id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Gets or adds user role to system
|
||||||
|
# Usage: get_or_add_user_system_role <role> <user> <system> [<user_domain>]
|
||||||
|
function get_or_add_user_system_role {
|
||||||
|
local user_role_id
|
||||||
|
local domain_args
|
||||||
|
|
||||||
|
domain_args=$(_get_domain_args $4)
|
||||||
|
|
||||||
|
# Gets user role id
|
||||||
|
user_role_id=$(openstack role assignment list \
|
||||||
|
--role $1 \
|
||||||
|
--user $2 \
|
||||||
|
--system $3 \
|
||||||
|
$domain_args \
|
||||||
|
-f value -c Role)
|
||||||
|
if [[ -z "$user_role_id" ]]; then
|
||||||
|
# Adds role to user and get it
|
||||||
|
openstack role add $1 \
|
||||||
|
--user $2 \
|
||||||
|
--system $3 \
|
||||||
|
$domain_args
|
||||||
|
user_role_id=$(openstack role assignment list \
|
||||||
|
--role $1 \
|
||||||
|
--user $2 \
|
||||||
|
--system $3 \
|
||||||
|
$domain_args \
|
||||||
|
-f value -c Role)
|
||||||
|
fi
|
||||||
|
echo $user_role_id
|
||||||
|
}
|
||||||
|
|
||||||
# Gets or adds group role to project
|
# Gets or adds group role to project
|
||||||
# Usage: get_or_add_group_project_role <role> <group> <project>
|
# Usage: get_or_add_group_project_role <role> <group> <project>
|
||||||
function get_or_add_group_project_role {
|
function get_or_add_group_project_role {
|
||||||
|
23
lib/keystone
23
lib/keystone
@ -285,20 +285,28 @@ function configure_keystone {
|
|||||||
# admins admin admin admin
|
# admins admin admin admin
|
||||||
# nonadmins demo, alt_demo member, anotherrole demo, alt_demo
|
# nonadmins demo, alt_demo member, anotherrole demo, alt_demo
|
||||||
|
|
||||||
|
# System User Roles
|
||||||
|
# ------------------------------------------------------------------
|
||||||
|
# all admin admin
|
||||||
|
# all system_reader reader
|
||||||
|
# all system_member member
|
||||||
|
|
||||||
|
|
||||||
# Migrated from keystone_data.sh
|
# Migrated from keystone_data.sh
|
||||||
function create_keystone_accounts {
|
function create_keystone_accounts {
|
||||||
|
|
||||||
# The keystone bootstrapping process (performed via keystone-manage
|
# The keystone bootstrapping process (performed via keystone-manage
|
||||||
# bootstrap) creates an admin user, admin role, member role, and admin
|
# bootstrap) creates an admin user and an admin
|
||||||
# project. As a sanity check we exercise the CLI to retrieve the IDs for
|
# project. As a sanity check we exercise the CLI to retrieve the IDs for
|
||||||
# these values.
|
# these values.
|
||||||
local admin_project
|
local admin_project
|
||||||
admin_project=$(openstack project show "admin" -f value -c id)
|
admin_project=$(openstack project show "admin" -f value -c id)
|
||||||
local admin_user
|
local admin_user
|
||||||
admin_user=$(openstack user show "admin" -f value -c id)
|
admin_user=$(openstack user show "admin" -f value -c id)
|
||||||
|
# These roles are also created during bootstrap but we don't need their IDs
|
||||||
local admin_role="admin"
|
local admin_role="admin"
|
||||||
local member_role="member"
|
local member_role="member"
|
||||||
|
local reader_role="reader"
|
||||||
|
|
||||||
async_run ks-domain-role get_or_add_user_domain_role $admin_role $admin_user default
|
async_run ks-domain-role get_or_add_user_domain_role $admin_role $admin_user default
|
||||||
|
|
||||||
@ -349,6 +357,18 @@ function create_keystone_accounts {
|
|||||||
async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
|
async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
|
||||||
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
||||||
|
|
||||||
|
# Create two users, give one the member role on the system and the other
|
||||||
|
# the reader role on the system. These two users model system-member and
|
||||||
|
# system-reader personas. The admin user already has the admin role on the
|
||||||
|
# system and we can re-use this user as a system-admin.
|
||||||
|
system_member_user=$(get_or_create_user "system_member" \
|
||||||
|
"$ADMIN_PASSWORD" "default" "system_member@example.com")
|
||||||
|
async_run ks-system-member get_or_add_user_system_role $member_role $system_member_user "all"
|
||||||
|
|
||||||
|
system_reader_user=$(get_or_create_user "system_reader" \
|
||||||
|
"$ADMIN_PASSWORD" "default" "system_reader@example.com")
|
||||||
|
async_run ks-system-reader get_or_add_user_system_role $reader_role $system_reader_user "all"
|
||||||
|
|
||||||
# groups
|
# groups
|
||||||
local admin_group
|
local admin_group
|
||||||
admin_group=$(get_or_create_group "admins" \
|
admin_group=$(get_or_create_group "admins" \
|
||||||
@ -365,6 +385,7 @@ function create_keystone_accounts {
|
|||||||
|
|
||||||
async_wait ks-demo-{member,admin,another,invis}
|
async_wait ks-demo-{member,admin,another,invis}
|
||||||
async_wait ks-alt-{member,admin,another}
|
async_wait ks-alt-{member,admin,another}
|
||||||
|
async_wait ks-system-{member,reader}
|
||||||
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
|
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
|
||||||
|
|
||||||
if is_service_enabled ldap; then
|
if is_service_enabled ldap; then
|
||||||
|
Loading…
Reference in New Issue
Block a user