From cbcbd8f33c87904b2293e68ec9868be0b6e4393e Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Thu, 21 Jan 2016 16:08:14 -0600
Subject: [PATCH] Allow putting service users in a seperate domain

Make it possible to construct the service users in their own seperate domain. Changing this away from Default will not work for everyone yet, though it does work for basic service interaction however enabling it will allow us to start testing and hopefully gating that services aren't relying on v2 only concepts.

Change-Id: I7e73df5dd1caabf355783da2bc0f3007ade92fba
---
 functions-common | 26 ++++++++++++++++++++++++--
 lib/glance | 10 +++-------
 lib/keystone | 12 +++++++-----
 lib/neutron-legacy | 4 ++--
 lib/nova | 2 +-
 lib/swift | 2 ++
 6 files changed, 39 insertions(+), 17 deletions(-)
diff --git a/functions-common b/functions-common
index 0806681c3b..71dda76727 100644
--- a/functions-common
+++ b/functions-common
@@ -840,27 +840,49 @@ function get_or_create_role {
 echo $role_id
 }
 
+# Returns the domain parts of a function call if present
+# Usage: _get_domain_args [ ]
+function _get_domain_args {
+ local domain
+ domain=""
+
+ if [[ -n "$1" ]]; then
+ domain="$domain --user-domain $1"
+ fi
+ if [[ -n "$2" ]]; then
+ domain="$domain --project-domain $2"
+ fi
+
+ echo $domain
+}
+
 # Gets or adds user role to project
-# Usage: get_or_add_user_project_role
+# Usage: get_or_add_user_project_role [ ]
 function get_or_add_user_project_role {
 local user_role_id
+
+ domain_args=$(_get_domain_args $4 $5)
+
 # Gets user role id
 user_role_id=$(openstack role list \
 --user $2 \
 --column "ID" \
 --project $3 \
 --column "Name" \
+ $domain_args \
 | grep " $1 " | get_field 1)
 if [[ -z "$user_role_id" ]]; then
 # Adds role to user and get it
 openstack role add $1 \
 --user $2 \
- --project $3
+ --project $3 \
+ $domain_args
 user_role_id=$(openstack role list \
 --user $2 \
 --column "ID" \
 --project $3 \
 --column "Name" \
+ $domain_args \
 | grep " $1 " | get_field 1)
 fi
 echo $user_role_id
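Review bot: `domain_args=$(_get_domain_args $4 $5)` in get_or_add_user_project_role is not declared `local`, unlike `user_role_id` two lines above it, so the variable leaks into the caller's shell scope, and because `$4 $5` are unquoted a call with an empty user domain but a set project domain collapses the empty word and hands the project domain to `_get_domain_args` as its first positional, which then emits it as `--user-domain`. Suggest `local domain_args` followed by `domain_args=$(_get_domain_args "$4" "$5")`. The three later `$domain_args` expansions are deliberately left unquoted so the flags word-split; a short comment such as `# unquoted on purpose: expands to zero or more --*-domain flags` would stop a future quoting pass from breaking them. The closing brace of get_or_add_user_project_role is outside the hunk.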
diff --git a/lib/glance b/lib/glance
index 3743e161c4..f2a6db6edc 100644
--- a/lib/glance
+++ b/lib/glance
@@ -173,8 +173,8 @@ function configure_glance {
 iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
 iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
 iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
 # commenting is not strictly necessary but it's confusing to have bad values in conf
@@ -288,11 +288,7 @@ function create_glance_accounts {
 # required for swift access
 if is_service_enabled s-proxy; then
-
- local glance_swift_user
- glance_swift_user=$(get_or_create_user "glance-swift" \
- "$SERVICE_PASSWORD" "default" "glance-swift@example.com")
- get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
+ create_service_user "glance-swift" "ResellerAdmin"
 fi
 get_or_create_service "glance" "image" "Glance Image Service"
diff --git a/lib/keystone b/lib/keystone
index b5c107c138..cd07b78172 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
 # Bind hosts
 KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
+
 # Set the project for service accounts in Keystone
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
 SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
 SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
@@ -370,6 +372,7 @@ function create_keystone_accounts {
 get_or_add_user_domain_role $admin_role $admin_user default
 # Create service project/role
+ get_or_create_domain "$SERVICE_DOMAIN_NAME"
 get_or_create_project "$SERVICE_PROJECT_NAME" default
 # Service role, so service users do not have to be admins
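Review bot: The two new `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME` / `project_domain_name $SERVICE_DOMAIN_NAME` lines in configure_glance leave the variable unquoted, whereas the equivalent lines this commit adds to configure_auth_token_middleware in lib/keystone quote it as `"$SERVICE_DOMAIN_NAME"`; an empty or whitespace-containing value would change iniset's argument count here but not there. Quoting both, e.g. `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name "$SERVICE_DOMAIN_NAME"`, keeps the two files consistent. configure_glance starts and ends outside the hunk.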
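Review bot: The existing comment `# Set the project for service accounts in Keystone` now also heads the new `SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}` line, so it should read `# Set the domain and project for service accounts in Keystone`. Since the commit message says values other than Default do not yet work for every service, a one-line note next to the default would save the next reader a surprise, e.g. `# Domains other than Default are not yet supported by all services`.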
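Review bot: `get_or_create_project "$SERVICE_PROJECT_NAME" default` still creates the service project in the `default` domain, directly after the new `get_or_create_domain "$SERVICE_DOMAIN_NAME"`, while the new create_service_user (hunk at -442) looks the project up with `--project-domain "$SERVICE_DOMAIN_NAME"`, configure_auth_token_middleware (hunk at -464), lib/glance and lib/neutron-legacy write `project_domain_name $SERVICE_DOMAIN_NAME` into the service configs, and the lib/nova hunk passes the same value as project domain. With any SERVICE_DOMAIN_NAME other than Default the role assignment and the services' own authentication will look for the project in a domain it was never created in. The project should follow the users: `get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"`. create_keystone_accounts starts and ends outside the hunk.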
@@ -442,9 +445,8 @@ function create_keystone_accounts {
 function create_service_user {
 local role=${2:-service}
- local user
- user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
- get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
+ get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
+ get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
 }
 # Configure the service to use the auth token middleware.
@@ -464,9 +466,9 @@ function configure_auth_token_middleware {
 iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
 iniset $conf_file $section username $admin_user
 iniset $conf_file $section password $SERVICE_PASSWORD
- iniset $conf_file $section user_domain_id default
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
- iniset $conf_file $section project_domain_id default
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
 iniset $conf_file $section cafile $SSL_BUNDLE_FILE
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 084a3569ba..aaba8945cd 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
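Review bot: create_service_user now passes the user name `"$1"` to get_or_add_user_project_role instead of the id that `user=$(get_or_create_user ...)` used to capture, so the role lookup only resolves unambiguously because the trailing `"$SERVICE_DOMAIN_NAME"` user-domain argument is also passed; the header comment above the function (outside the hunk) should record that contract, e.g. `# Creates $1 in $SERVICE_DOMAIN_NAME and grants it role ${2:-service} on $SERVICE_PROJECT_NAME; the user is addressed by name, so the domain arguments are required`. The id echoed by `get_or_create_user` is also no longer captured and now lands on the function's stdout; if no caller wants it, `get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME" >/dev/null` keeps the output unchanged from before.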
@@ -491,9 +491,9 @@ function create_nova_conf_neutron {
 iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
 iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
 iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF neutron user_domain_name "Default"
+ iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
- iniset $NOVA_CONF neutron project_domain_name "Default"
+ iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
 iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
 iniset $NOVA_CONF neutron region_name "$REGION_NAME"
 iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
diff --git a/lib/nova b/lib/nova
index 8823e1ddb4..15dae6837e 100644
--- a/lib/nova
+++ b/lib/nova
@@ -439,7 +439,7 @@ function create_nova_accounts {
 if is_service_enabled swift; then
 # Nova needs ResellerAdmin role to download images when accessing
 # swift through the s3 api.
- get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
+ get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
 fi
 fi
diff --git a/lib/swift b/lib/swift
index f47608cd6e..8cb94efa66 100644
--- a/lib/swift
+++ b/lib/swift
@@ -846,7 +846,9 @@ function swift_configure_tempurls {
 # note we are using swift credentials!
 OS_USERNAME=swift \
 OS_PASSWORD=$SERVICE_PASSWORD \
+ OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
 OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
+ OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
 openstack object store account \
 set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
 }