diff --git a/extras.d/80-tempest.sh b/extras.d/80-tempest.sh index 0186e36aee..74f4c60d10 100644 --- a/extras.d/80-tempest.sh +++ b/extras.d/80-tempest.sh @@ -9,7 +9,7 @@ if is_service_enabled tempest; then install_tempest elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then # Tempest config must come after layer 2 services are running - : + create_tempest_accounts elif [[ "$1" == "stack" && "$2" == "extra" ]]; then echo_summary "Initializing Tempest" configure_tempest diff --git a/files/keystone_data.sh b/files/keystone_data.sh deleted file mode 100755 index fc1e8136a4..0000000000 --- a/files/keystone_data.sh +++ /dev/null @@ -1,146 +0,0 @@ -#!/bin/bash -# -# Initial data for Keystone using python-keystoneclient -# -# Tenant User Roles -# ------------------------------------------------------------------ -# service glance service -# service glance-swift ResellerAdmin -# service heat service # if enabled -# service ceilometer admin # if enabled -# Tempest Only: -# alt_demo alt_demo Member -# -# Variables set before calling this script: -# SERVICE_TOKEN - aka admin_token in keystone.conf -# SERVICE_ENDPOINT - local Keystone admin endpoint -# SERVICE_TENANT_NAME - name of tenant containing service accounts -# SERVICE_HOST - host used for endpoint creation -# ENABLED_SERVICES - stack.sh's list of services to start -# DEVSTACK_DIR - Top-level DevStack directory -# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation - -# Defaults -# -------- - -ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete} -SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD} -export SERVICE_TOKEN=$SERVICE_TOKEN -export SERVICE_ENDPOINT=$SERVICE_ENDPOINT -SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} - -# Roles -# ----- - -# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. -# The admin role in swift allows a user to act as an admin for their tenant, -# but ResellerAdmin is needed for a user to act as any tenant. The name of this -# role is also configurable in swift-proxy.conf -keystone role-create --name=ResellerAdmin -# Service role, so service users do not have to be admins -keystone role-create --name=service - - -# Services -# -------- - -if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then - # Nova needs ResellerAdmin role to download images when accessing - # swift through the s3 api. - keystone user-role-add \ - --tenant $SERVICE_TENANT_NAME \ - --user nova \ - --role ResellerAdmin -fi - -# Glance -if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then - keystone user-create \ - --name=glance \ - --pass="$SERVICE_PASSWORD" \ - --tenant $SERVICE_TENANT_NAME \ - --email=glance@example.com - keystone user-role-add \ - --tenant $SERVICE_TENANT_NAME \ - --user glance \ - --role service - # required for swift access - if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then - keystone user-create \ - --name=glance-swift \ - --pass="$SERVICE_PASSWORD" \ - --tenant $SERVICE_TENANT_NAME \ - --email=glance-swift@example.com - keystone user-role-add \ - --tenant $SERVICE_TENANT_NAME \ - --user glance-swift \ - --role ResellerAdmin - fi - if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then - keystone service-create \ - --name=glance \ - --type=image \ - --description="Glance Image Service" - keystone endpoint-create \ - --region RegionOne \ - --service glance \ - --publicurl "http://$SERVICE_HOST:9292" \ - --adminurl "http://$SERVICE_HOST:9292" \ - --internalurl "http://$SERVICE_HOST:9292" - fi -fi - -# Ceilometer -if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then - # Ceilometer needs ResellerAdmin role to access swift account stats. - keystone user-role-add --tenant $SERVICE_TENANT_NAME \ - --user ceilometer \ - --role ResellerAdmin -fi - -# EC2 -if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then - if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then - keystone service-create \ - --name=ec2 \ - --type=ec2 \ - --description="EC2 Compatibility Layer" - keystone endpoint-create \ - --region RegionOne \ - --service ec2 \ - --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \ - --adminurl "http://$SERVICE_HOST:8773/services/Admin" \ - --internalurl "http://$SERVICE_HOST:8773/services/Cloud" - fi -fi - -# S3 -if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift3" ]]; then - if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then - keystone service-create \ - --name=s3 \ - --type=s3 \ - --description="S3" - keystone endpoint-create \ - --region RegionOne \ - --service s3 \ - --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ - --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ - --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" - fi -fi - -if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then - # Tempest has some tests that validate various authorization checks - # between two regular users in separate tenants - keystone tenant-create \ - --name=alt_demo - keystone user-create \ - --name=alt_demo \ - --pass="$ADMIN_PASSWORD" \ - --email=alt_demo@example.com - keystone user-role-add \ - --tenant alt_demo \ - --user alt_demo \ - --role Member -fi diff --git a/lib/ceilometer b/lib/ceilometer index 04c1a34b8b..b8305b1e9e 100644 --- a/lib/ceilometer +++ b/lib/ceilometer @@ -69,6 +69,11 @@ function is_ceilometer_enabled { # create_ceilometer_accounts() - Set up common required ceilometer accounts +# Project User Roles +# ------------------------------------------------------------------ +# SERVICE_TENANT_NAME ceilometer admin +# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled) + create_ceilometer_accounts() { SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }") @@ -99,6 +104,13 @@ create_ceilometer_accounts() { --adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \ --internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" fi + if is_service_enabled swift; then + # Ceilometer needs ResellerAdmin role to access swift account stats. + openstack role add \ + --project $SERVICE_TENANT_NAME \ + --user ceilometer \ + ResellerAdmin + fi fi } diff --git a/lib/glance b/lib/glance index 8a4c21b3f2..51e4399388 100644 --- a/lib/glance +++ b/lib/glance @@ -159,6 +159,49 @@ function configure_glance { cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON } +# create_glance_accounts() - Set up common required glance accounts + +# Project User Roles +# ------------------------------------------------------------------ +# SERVICE_TENANT_NAME glance service +# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if Swift is enabled) + +function create_glance_accounts { + if is_service_enabled g-api; then + openstack user create \ + --password "$SERVICE_PASSWORD" \ + --project $SERVICE_TENANT_NAME \ + glance + openstack role add \ + --project $SERVICE_TENANT_NAME \ + --user glance \ + service + # required for swift access + if is_service_enabled s-proxy; then + openstack user create \ + --password "$SERVICE_PASSWORD" \ + --project $SERVICE_TENANT_NAME \ + glance-swift + openstack role add \ + --project $SERVICE_TENANT_NAME \ + --user glance-swift \ + ResellerAdmin + fi + if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then + openstack service create \ + --type image \ + --description "Glance Image Service" \ + glance + openstack endpoint create \ + --region RegionOne \ + --publicurl "http://$GLANCE_HOSTPORT" \ + --adminurl "http://$GLANCE_HOSTPORT" \ + --internalurl "http://$GLANCE_HOSTPORT" \ + glance + fi + fi +} + # create_glance_cache_dir() - Part of the init_glance() process function create_glance_cache_dir { # Create cache dir diff --git a/lib/keystone b/lib/keystone index c6856c95c3..b31cc57a56 100644 --- a/lib/keystone +++ b/lib/keystone @@ -266,9 +266,11 @@ function configure_keystone { # Tenant User Roles # ------------------------------------------------------------------ -# service -- -- -# -- -- Member # admin admin admin +# service -- -- +# -- -- service +# -- -- ResellerAdmin +# -- -- Member # demo admin admin # demo demo Member, anotherrole # invisible_to_admin demo Member @@ -294,10 +296,17 @@ function create_keystone_accounts { --project $ADMIN_TENANT \ --user $ADMIN_USER - # service - SERVICE_TENANT=$(openstack project create \ - $SERVICE_TENANT_NAME \ - | grep " id " | get_field 2) + # Create service project/role + openstack project create $SERVICE_TENANT_NAME + + # Service role, so service users do not have to be admins + openstack role create service + + # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. + # The admin role in swift allows a user to act as an admin for their tenant, + # but ResellerAdmin is needed for a user to act as any tenant. The name of this + # role is also configurable in swift-proxy.conf + openstack role create ResellerAdmin # The Member role is used by Horizon and Swift so we need to keep it: MEMBER_ROLE=$(openstack role create \ diff --git a/lib/nova b/lib/nova index 583a5923ce..a7c44211ca 100644 --- a/lib/nova +++ b/lib/nova @@ -316,9 +316,10 @@ function configure_nova { # create_nova_accounts() - Set up common required nova accounts -# Tenant User Roles +# Project User Roles # ------------------------------------------------------------------ -# service nova admin, [ResellerAdmin (swift only)] +# SERVICE_TENANT_NAME nova admin +# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled) # Migrated from keystone_data.sh create_nova_accounts() { @@ -363,6 +364,48 @@ create_nova_accounts() { --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3" fi fi + + if is_service_enabled n-api; then + # Swift + if is_service_enabled swift; then + # Nova needs ResellerAdmin role to download images when accessing + # swift through the s3 api. + openstack role add \ + --project $SERVICE_TENANT_NAME \ + --user nova \ + ResellerAdmin + fi + + # EC2 + if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then + openstack service create \ + --type ec2 \ + --description "EC2 Compatibility Layer" \ + ec2 + openstack endpoint create \ + --region RegionOne \ + --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \ + --adminurl "http://$SERVICE_HOST:8773/services/Admin" \ + --internalurl "http://$SERVICE_HOST:8773/services/Cloud" \ + ec2 + fi + fi + + # S3 + if is_service_enabled n-obj swift3; then + if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then + openstack service create \ + --type s3 \ + --description "S3" \ + s3 + openstack endpoint create \ + --region RegionOne \ + --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ + --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ + --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ + s3 + fi + fi } # create_nova_conf() - Create a new nova.conf file diff --git a/lib/tempest b/lib/tempest index 16f8744d85..897efa8a8f 100644 --- a/lib/tempest +++ b/lib/tempest @@ -358,6 +358,30 @@ function configure_tempest { $errexit } +# create_tempest_accounts() - Set up common required tempest accounts + +# Project User Roles +# ------------------------------------------------------------------ +# alt_demo alt_demo Member + +# Migrated from keystone_data.sh +function create_tempest_accounts { + if is_service_enabled tempest; then + # Tempest has some tests that validate various authorization checks + # between two regular users in separate tenants + openstack project create \ + alt_demo + openstack user create \ + --project alt_demo \ + --password "$ADMIN_PASSWORD" \ + alt_demo + openstack role add \ + --project alt_demo \ + --user alt_demo \ + Member + fi +} + # install_tempest() - Collect source and prepare function install_tempest { git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH diff --git a/stack.sh b/stack.sh index c990a1c6ca..f8973ee98f 100755 --- a/stack.sh +++ b/stack.sh @@ -907,14 +907,13 @@ if is_service_enabled key; then SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0 fi - # Do the keystone-specific bits from keystone_data.sh - export OS_SERVICE_TOKEN=$SERVICE_TOKEN - export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT - # Add temporarily to make openstackclient work + # Setup OpenStackclient token-flow auth export OS_TOKEN=$SERVICE_TOKEN export OS_URL=$SERVICE_ENDPOINT + create_keystone_accounts create_nova_accounts + create_glance_accounts create_cinder_accounts create_neutron_accounts @@ -922,7 +921,7 @@ if is_service_enabled key; then create_ceilometer_accounts fi - if is_service_enabled swift || is_service_enabled s-proxy; then + if is_service_enabled swift; then create_swift_accounts fi @@ -930,20 +929,14 @@ if is_service_enabled key; then create_heat_accounts fi - # ``keystone_data.sh`` creates services, admin and demo users, and roles. - ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \ - SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \ - S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \ - DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \ - bash -x $FILES/keystone_data.sh - - # Set up auth creds now that keystone is bootstrapped + # Begone token-flow auth unset OS_TOKEN OS_URL + + # Set up password-flow auth creds now that keystone is bootstrapped export OS_AUTH_URL=$SERVICE_ENDPOINT export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=$ADMIN_PASSWORD - unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT fi