openstack/devstack
Code Issues Proposed changes

Merge "Allow putting service users in a seperate domain"

Browse Source
This commit is contained in:
Jenkins 2016-04-20 21:49:01 +00:00 committed by Gerrit Code Review
commit 039fc1a542
6 changed files with 39 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
functions-common
View File

@ -840,27 +840,49 @@ function get_or_create_role {
echo $role_id
}
# Returns the domain parts of a function call if present
# Usage: _get_domain_args [<user_domain> <project_domain>]
function _get_domain_args {
local domain
domain=""
if [[ -n "$1" ]]; then
domain="$domain --user-domain $1"
fi
if [[ -n "$2" ]]; then
domain="$domain --project-domain $2"
fi
echo $domain
}
# Gets or adds user role to project
# Usage: get_or_add_user_project_role <role> <user> <project>
# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>]
function get_or_add_user_project_role {
local user_role_id
domain_args=$(_get_domain_args $4 $5)
# Gets user role id
user_role_id=$(openstack role list \
--user $2 \
--column "ID" \
--project $3 \
--column "Name" \
$domain_args \
| grep " $1 " | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack role add $1 \
--user $2 \
--project $3
--project $3 \
$domain_args
user_role_id=$(openstack role list \
--user $2 \
--column "ID" \
--project $3 \
--column "Name" \
$domain_args \
| grep " $1 " | get_field 1)
fi
echo $user_role_id

10
lib/glance
View File

@ -173,8 +173,8 @@ function configure_glance {
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
# commenting is not strictly necessary but it's confusing to have bad values in conf
@ -288,11 +288,7 @@ function create_glance_accounts {
# required for swift access
if is_service_enabled s-proxy; then
local glance_swift_user
glance_swift_user=$(get_or_create_user "glance-swift" \
"$SERVICE_PASSWORD" "default" "glance-swift@example.com")
get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
create_service_user "glance-swift" "ResellerAdmin"
fi
get_or_create_service "glance" "image" "Glance Image Service"

12
lib/keystone
View File

@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
# Set the project for service accounts in Keystone
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
@ -373,6 +375,7 @@ function create_keystone_accounts {
get_or_add_user_domain_role $admin_role $admin_user default
# Create service project/role
get_or_create_domain "$SERVICE_DOMAIN_NAME"
get_or_create_project "$SERVICE_PROJECT_NAME" default
# Service role, so service users do not have to be admins
@ -445,9 +448,8 @@ function create_keystone_accounts {
function create_service_user {
local role=${2:-service}
local user
user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
}
# Configure the service to use the auth token middleware.
@ -467,9 +469,9 @@ function configure_auth_token_middleware {
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD
iniset $conf_file $section user_domain_id default
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
iniset $conf_file $section project_domain_id default
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
iniset $conf_file $section cafile $SSL_BUNDLE_FILE

4
lib/neutron-legacy
View File

@ -491,9 +491,9 @@ function create_nova_conf_neutron {
iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
iniset $NOVA_CONF neutron user_domain_name "Default"
iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
iniset $NOVA_CONF neutron project_domain_name "Default"
iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
iniset $NOVA_CONF neutron region_name "$REGION_NAME"
iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"

2
lib/nova
View File

@ -439,7 +439,7 @@ function create_nova_accounts {
if is_service_enabled swift; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
fi
fi

2
lib/swift
View File

@ -846,7 +846,9 @@ function swift_configure_tempurls {
# note we are using swift credentials!
OS_USERNAME=swift \
OS_PASSWORD=$SERVICE_PASSWORD \
OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
openstack object store account \
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
}