From 4ce859ab2b99e68ce937c9c9df83d9270c8ef9fb Mon Sep 17 00:00:00 2001
From: Steve Martinelli
Date: Sun, 20 Dec 2015 01:27:30 -0500
Subject: [PATCH] update create_heat_accounts, don't use os_url and os_token

Currently, the function create_heat_accounts uses the OS_URL and OS_TOKEN environment variables. This is a bad choice for several reasons, most importantly we are sending the "ADMIN_TOKEN" value as a header. There is also no reason to not use a standard admin user to create these resources.

Change-Id: I70b41d69917b9e53ad09c2c61e022ef09a50acfd
---
 functions-common | 26 ++++++++++++++++++++++++++
 lib/heat | 29 +++++++----------------------
 2 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/functions-common b/functions-common
index 1b01eefaf9..b15c3d7653 100644
--- a/functions-common
+++ b/functions-common
@@ -866,6 +866,32 @@ function get_or_add_user_project_role {
 echo $user_role_id
 }
+# Gets or adds user role to domain
+# Usage: get_or_add_user_domain_role
+function get_or_add_user_domain_role {
+ local user_role_id
+ # Gets user role id
+ user_role_id=$(openstack role list \
+ --user $2 \
+ --column "ID" \
+ --domain $3 \
+ --column "Name" \
+ | grep " $1 " | get_field 1)
+ if [[ -z "$user_role_id" ]]; then
+ # Adds role to user and get it
+ openstack role add $1 \
+ --user $2 \
+ --domain $3
+ user_role_id=$(openstack role list \
+ --user $2 \
+ --column "ID" \
+ --domain $3 \
+ --column "Name" \
+ | grep " $1 " | get_field 1)
+ fi
+ echo $user_role_id
+}
+
 # Gets or adds group role to project
 # Usage: get_or_add_group_project_role
 function get_or_add_group_project_role {
diff --git a/lib/heat b/lib/heat
index fdcf5bcaad..ff196f4a81 100644
--- a/lib/heat
+++ b/lib/heat
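Review bot: Both `openstack role list` and `openstack role add` in get_or_add_user_domain_role resolve the user by bare name (`--user $2`) while scoping the grant with `--domain $3`; Keystone v3 user names are unique only per domain, so a same-named user in another domain could make the lookup ambiguous or, depending on how the client resolves it, select a different account than intended. Because this helper is used to grant `admin` on a domain, consider adding `--user-domain` to both calls (for example from an optional fourth argument) or requiring IDs. The positional parameters are also unquoted and `grep " $1 "` treats the role name as a regular expression against the whole row; `--user "$2" --domain "$3"` and `grep -F -- " $1 "` would be stricter. The exit status of `openstack role add` is not checked, so on failure the function echoes an empty ID and still returns success.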
@@ -402,28 +402,13 @@ function create_heat_accounts {
 fi
 if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then
- # Note we have to pass token/endpoint here because the current endpoint and
- # version negotiation in OSC means just --os-identity-api-version=3 won't work
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 domain list | grep ' heat ' | get_field 1)
-
- if [[ -z "$D_ID" ]]; then
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 domain create heat \
- --description "Owns users and projects created by heat" \
- | grep ' id ' | get_field 2)
- iniset $HEAT_CONF DEFAULT stack_user_domain_id ${D_ID}
-
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \
- --domain $D_ID heat_domain_admin \
- --description "Manages users and projects created by heat"
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 role add \
- --user heat_domain_admin --domain ${D_ID} admin
- iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin
- iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD
- fi
+ # domain -> heat and user -> heat_domain_admin
+ domain_id=$(get_or_create_domain heat 'Owns users and projects created by heat')
+ iniset $HEAT_CONF DEFAULT stack_user_domain_id ${domain_id}
+ get_or_create_user heat_domain_admin $SERVICE_PASSWORD heat
+ get_or_add_user_domain_role admin heat_domain_admin heat
+ iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin
+ iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD
 fi
 }
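Review bot: `domain_id` is written to heat.conf without checking that get_or_create_domain returned a value, so a failed lookup would store an empty `stack_user_domain_id` and the user and role calls would still run; a guard such as `[[ -n "$domain_id" ]] || return 1` before the first `iniset` would stop early. `domain_id` is also assigned without `local`, and `$SERVICE_PASSWORD` is passed unquoted, so a password containing whitespace or glob characters would shift the arguments of get_or_create_user; `get_or_create_user heat_domain_admin "$SERVICE_PASSWORD" heat` avoids that. The helpers presumably take their credentials from the ambient OS_* environment, which is outside this hunk, so it is worth confirming that OS_TOKEN and OS_URL are no longer exported when create_heat_accounts runs, otherwise the admin token may still be sent. create_heat_accounts begins before this hunk.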