diff --git a/extras.d/70-tuskar.sh b/extras.d/70-tuskar.sh
index 551916f35a..aa8f46af11 100644
--- a/extras.d/70-tuskar.sh
+++ b/extras.d/70-tuskar.sh
@@ -176,12 +176,8 @@ function stop_tuskar {
# create_tuskar_accounts() - Set up common required tuskar accounts
function create_tuskar_accounts {
- # migrated from files/keystone_data.sh
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
- local tuskar_user=$(get_or_create_user "tuskar" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $tuskar_user $service_tenant
+ create_service_user "tuskar" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/ceilometer b/lib/ceilometer
index f1617fb9e4..f03bab21fc 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -105,13 +105,10 @@ function is_ceilometer_enabled {
# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
function create_ceilometer_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
# Ceilometer
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
- local ceilometer_user=$(get_or_create_user "ceilometer" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $ceilometer_user $service_tenant
+
+ create_service_user "ceilometer" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
local ceilometer_service=$(get_or_create_service "ceilometer" \
diff --git a/lib/cinder b/lib/cinder
index 937689a528..12ba51e49b 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -330,14 +330,10 @@ function configure_cinder {
# Migrated from keystone_data.sh
function create_cinder_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
# Cinder
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
- local cinder_user=$(get_or_create_user "cinder" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $cinder_user $service_tenant
+ create_service_user "cinder" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/glance b/lib/glance
index bee57a3100..0340c21ee0 100644
--- a/lib/glance
+++ b/lib/glance
@@ -232,8 +232,7 @@ function configure_glance {
function create_glance_accounts {
if is_service_enabled g-api; then
- local glance_user=$(get_or_create_user "glance" "$SERVICE_PASSWORD")
- get_or_add_user_role service $glance_user $SERVICE_TENANT_NAME
+ create_service_user "glance"
# required for swift access
if is_service_enabled s-proxy; then
diff --git a/lib/heat b/lib/heat
index 48e2afc5bb..c1021639b4 100644
--- a/lib/heat
+++ b/lib/heat
@@ -242,12 +242,7 @@ function stop_heat {
# create_heat_accounts() - Set up common required heat accounts
function create_heat_accounts {
- # migrated from files/keystone_data.sh
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
- local heat_user=$(get_or_create_user "heat" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $heat_user $service_tenant
+ create_service_user "heat" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/ironic b/lib/ironic
index fced2949f4..921bcf1a26 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -358,15 +358,11 @@ function create_ironic_cache_dir {
# service ironic admin # if enabled
function create_ironic_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
# Ironic
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
# Get ironic user if exists
- local ironic_user=$(get_or_create_user "ironic" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $ironic_user $service_tenant
+ create_service_user "ironic" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/keystone b/lib/keystone
index 1e9db1e760..79806b8fd1 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -415,6 +415,20 @@ function create_keystone_accounts {
fi
}
+# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
+#
+# create_service_user <name> [role]
+#
+# The role defaults to the service role. It is allowed to be provided as optional as historically
+# a lot of projects have configured themselves with the admin or other role here if they are
+# using this user for other purposes beyond simply auth_token middleware.
+function create_service_user {
+ local role=${2:-service}
+
+ local user=$(get_or_create_user "$1" "$SERVICE_PASSWORD")
+ get_or_add_user_role "$role" "$user" "$SERVICE_TENANT_NAME"
+}
+
# Configure the service to use the auth token middleware.
#
# configure_auth_token_middleware conf_file admin_user signing_dir [section]
diff --git a/lib/neutron b/lib/neutron
index df9d8049fe..15a5f00fa0 100755
--- a/lib/neutron
+++ b/lib/neutron
@@ -508,14 +508,9 @@ function create_neutron_cache_dir {
# Migrated from keystone_data.sh
function create_neutron_accounts {
-
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local service_role=$(openstack role list | awk "/ service / { print \$2 }")
-
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
- local neutron_user=$(get_or_create_user "neutron" "$SERVICE_PASSWORD")
- get_or_add_user_role $service_role $neutron_user $service_tenant
+ create_service_user "neutron"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/nova b/lib/nova
index 0f4729fb63..c760066f15 100644
--- a/lib/nova
+++ b/lib/nova
@@ -353,14 +353,10 @@ function configure_nova {
# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
function create_nova_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
- local nova_user=$(get_or_create_user "nova" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $nova_user $service_tenant
+ create_service_user "nova" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/sahara b/lib/sahara
index 44c06d3c46..cb6ecc3be3 100644
--- a/lib/sahara
+++ b/lib/sahara
@@ -61,11 +61,7 @@ TEMPEST_SERVICES+=,sahara
# service sahara admin
function create_sahara_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
- local sahara_user=$(get_or_create_user "sahara" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $sahara_user $service_tenant
+ create_service_user "sahara" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/swift b/lib/swift
index 683bc17871..d9f750c27f 100644
--- a/lib/swift
+++ b/lib/swift
@@ -601,12 +601,9 @@ function create_swift_accounts {
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
- local swift_user=$(get_or_create_user "swift" "$SERVICE_PASSWORD")
- get_or_add_user_role $admin_role $swift_user $service_tenant
+ create_service_user "swift" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@@ -623,7 +620,7 @@ function create_swift_accounts {
die_if_not_set $LINENO swift_tenant_test1 "Failure creating swift_tenant_test1"
SWIFT_USER_TEST1=$(get_or_create_user swiftusertest1 $swiftusertest1_password "test@example.com")
die_if_not_set $LINENO SWIFT_USER_TEST1 "Failure creating SWIFT_USER_TEST1"
- get_or_add_user_role $admin_role $SWIFT_USER_TEST1 $swift_tenant_test1
+ get_or_add_user_role admin $SWIFT_USER_TEST1 $swift_tenant_test1
local swift_user_test3=$(get_or_create_user swiftusertest3 $swiftusertest3_password "test3@example.com")
die_if_not_set $LINENO swift_user_test3 "Failure creating swift_user_test3"
@@ -634,7 +631,7 @@ function create_swift_accounts {
local swift_user_test2=$(get_or_create_user swiftusertest2 $swiftusertest2_password "test2@example.com")
die_if_not_set $LINENO swift_user_test2 "Failure creating swift_user_test2"
- get_or_add_user_role $admin_role $swift_user_test2 $swift_tenant_test2
+ get_or_add_user_role admin $swift_user_test2 $swift_tenant_test2
local swift_domain=$(get_or_create_domain swift_test 'Used for swift functional testing')
die_if_not_set $LINENO swift_domain "Failure creating swift_test domain"
@@ -644,7 +641,7 @@ function create_swift_accounts {
local swift_user_test4=$(get_or_create_user swiftusertest4 $swiftusertest4_password "test4@example.com" $swift_domain)
die_if_not_set $LINENO swift_user_test4 "Failure creating swift_user_test4"
- get_or_add_user_role $admin_role $swift_user_test4 $swift_tenant_test4
+ get_or_add_user_role admin $swift_user_test4 $swift_tenant_test4
}
# init_swift() - Initialize rings
diff --git a/lib/trove b/lib/trove
index 5e6b1b39c3..d32c7765e0 100644
--- a/lib/trove
+++ b/lib/trove
@@ -79,13 +79,9 @@ function setup_trove_logging {
# service trove admin # if enabled
function create_trove_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local service_role=$(openstack role list | awk "/ admin / { print \$2 }")
-
if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
- local trove_user=$(get_or_create_user "trove" "$SERVICE_PASSWORD")
- get_or_add_user_role $service_role $trove_user $service_tenant
+ create_service_user "trove" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/zaqar b/lib/zaqar
index 618ac30534..8b560bb4d5 100644
--- a/lib/zaqar
+++ b/lib/zaqar
@@ -215,11 +215,7 @@ function stop_zaqar {
}
function create_zaqar_accounts {
- local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
-
- local zaqar_user=$(get_or_create_user "zaqar" "$SERVICE_PASSWORD")
- get_or_add_user_role $ADMIN_ROLE $zaqar_user $service_tenant
+ create_service_user "zaqar" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then