Merge "Allow putting service users in a seperate domain"
This commit is contained in:
commit
039fc1a542
@ -840,27 +840,49 @@ function get_or_create_role {
|
||||
echo $role_id
|
||||
}
|
||||
|
||||
# Returns the domain parts of a function call if present
|
||||
# Usage: _get_domain_args [<user_domain> <project_domain>]
|
||||
function _get_domain_args {
|
||||
local domain
|
||||
domain=""
|
||||
|
||||
if [[ -n "$1" ]]; then
|
||||
domain="$domain --user-domain $1"
|
||||
fi
|
||||
if [[ -n "$2" ]]; then
|
||||
domain="$domain --project-domain $2"
|
||||
fi
|
||||
|
||||
echo $domain
|
||||
}
|
||||
|
||||
# Gets or adds user role to project
|
||||
# Usage: get_or_add_user_project_role <role> <user> <project>
|
||||
# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>]
|
||||
function get_or_add_user_project_role {
|
||||
local user_role_id
|
||||
|
||||
domain_args=$(_get_domain_args $4 $5)
|
||||
|
||||
# Gets user role id
|
||||
user_role_id=$(openstack role list \
|
||||
--user $2 \
|
||||
--column "ID" \
|
||||
--project $3 \
|
||||
--column "Name" \
|
||||
$domain_args \
|
||||
| grep " $1 " | get_field 1)
|
||||
if [[ -z "$user_role_id" ]]; then
|
||||
# Adds role to user and get it
|
||||
openstack role add $1 \
|
||||
--user $2 \
|
||||
--project $3
|
||||
--project $3 \
|
||||
$domain_args
|
||||
user_role_id=$(openstack role list \
|
||||
--user $2 \
|
||||
--column "ID" \
|
||||
--project $3 \
|
||||
--column "Name" \
|
||||
$domain_args \
|
||||
| grep " $1 " | get_field 1)
|
||||
fi
|
||||
echo $user_role_id
|
||||
|
10
lib/glance
10
lib/glance
@ -173,8 +173,8 @@ function configure_glance {
|
||||
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
|
||||
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
|
||||
|
||||
# commenting is not strictly necessary but it's confusing to have bad values in conf
|
||||
@ -288,11 +288,7 @@ function create_glance_accounts {
|
||||
|
||||
# required for swift access
|
||||
if is_service_enabled s-proxy; then
|
||||
|
||||
local glance_swift_user
|
||||
glance_swift_user=$(get_or_create_user "glance-swift" \
|
||||
"$SERVICE_PASSWORD" "default" "glance-swift@example.com")
|
||||
get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
|
||||
create_service_user "glance-swift" "ResellerAdmin"
|
||||
fi
|
||||
|
||||
get_or_create_service "glance" "image" "Glance Image Service"
|
||||
|
12
lib/keystone
12
lib/keystone
@ -106,7 +106,9 @@ KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
|
||||
# Bind hosts
|
||||
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
|
||||
|
||||
# Set the project for service accounts in Keystone
|
||||
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
|
||||
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
||||
|
||||
# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
|
||||
@ -373,6 +375,7 @@ function create_keystone_accounts {
|
||||
get_or_add_user_domain_role $admin_role $admin_user default
|
||||
|
||||
# Create service project/role
|
||||
get_or_create_domain "$SERVICE_DOMAIN_NAME"
|
||||
get_or_create_project "$SERVICE_PROJECT_NAME" default
|
||||
|
||||
# Service role, so service users do not have to be admins
|
||||
@ -445,9 +448,8 @@ function create_keystone_accounts {
|
||||
function create_service_user {
|
||||
local role=${2:-service}
|
||||
|
||||
local user
|
||||
user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
|
||||
get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
|
||||
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
|
||||
get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
|
||||
}
|
||||
|
||||
# Configure the service to use the auth token middleware.
|
||||
@ -467,9 +469,9 @@ function configure_auth_token_middleware {
|
||||
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
|
||||
iniset $conf_file $section username $admin_user
|
||||
iniset $conf_file $section password $SERVICE_PASSWORD
|
||||
iniset $conf_file $section user_domain_id default
|
||||
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
|
||||
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
|
||||
iniset $conf_file $section project_domain_id default
|
||||
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
|
||||
|
||||
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
|
||||
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
|
||||
|
@ -491,9 +491,9 @@ function create_nova_conf_neutron {
|
||||
iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
|
||||
iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
|
||||
iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
|
||||
iniset $NOVA_CONF neutron user_domain_name "Default"
|
||||
iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
|
||||
iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
|
||||
iniset $NOVA_CONF neutron project_domain_name "Default"
|
||||
iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
|
||||
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
|
||||
iniset $NOVA_CONF neutron region_name "$REGION_NAME"
|
||||
iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
|
||||
|
2
lib/nova
2
lib/nova
@ -439,7 +439,7 @@ function create_nova_accounts {
|
||||
if is_service_enabled swift; then
|
||||
# Nova needs ResellerAdmin role to download images when accessing
|
||||
# swift through the s3 api.
|
||||
get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
|
||||
get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -846,7 +846,9 @@ function swift_configure_tempurls {
|
||||
# note we are using swift credentials!
|
||||
OS_USERNAME=swift \
|
||||
OS_PASSWORD=$SERVICE_PASSWORD \
|
||||
OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
|
||||
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
|
||||
OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
|
||||
openstack object store account \
|
||||
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user