Use service role with glance service

glance just used to admin role for token validation, the service role is sufficient for this. glance also needs an user with enough permission to use swift, so creating a dedictated service user for swift usage when s-proxy is enabled. Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
2014-01-21 11:13:55 +01:00 · 2014-01-21 11:13:55 +01:00 · 85a85f87f8
commit 85a85f87f8
parent 78ab80e558
2 changed files with 20 additions and 6 deletions
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@ -2,12 +2,14 @@
 #
 # Initial data for Keystone using python-keystoneclient
 #
-# Tenant               User       Roles
+# Tenant               User         Roles
 # ------------------------------------------------------------------
-# service              glance     admin
-# service              heat       service        # if enabled
+# service              glance       service
+# service              glance-swift ResellerAdmin
+# service              heat         service        # if enabled
+# service              ceilometer   admin          # if enabled
 # Tempest Only:
-# alt_demo             alt_demo  Member
+# alt_demo             alt_demo     Member
 #
 # Variables set before calling this script:
 # SERVICE_TOKEN - aka admin_token in keystone.conf
@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
    keystone user-role-add \
        --tenant $SERVICE_TENANT_NAME \
        --user glance \
-        --role admin
+        --role service
+    # required for swift access
+    if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
+        keystone user-create \
+            --name=glance-swift \
+            --pass="$SERVICE_PASSWORD" \
+            --tenant $SERVICE_TENANT_NAME \
+            --email=glance-swift@example.com
+        keystone user-role-add \
+            --tenant $SERVICE_TENANT_NAME \
+            --user glance-swift \
+            --role ResellerAdmin
+    fi
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        keystone service-create \
            --name=glance \
--- a/lib/glance
+++ b/lib/glance
@ -124,7 +124,7 @@ function configure_glance() {
    if is_service_enabled s-proxy; then
        iniset $GLANCE_API_CONF DEFAULT default_store swift
        iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
-        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
+        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
        iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
        iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True