openstack/devstack
Code Issues Proposed changes

Use service role with glance service

Browse Source 
glance just used to admin role for token validation,
the service role is sufficient for this.

glance also needs an user with enough permission to use swift,
so creating a dedictated service user for swift usage when s-proxy is
enabled.

Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
This commit is contained in:
Attila Fazekas 2014-01-21 11:13:55 +01:00
parent 78ab80e558
commit 85a85f87f8
2 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
files/keystone_data.sh
View File

@ -4,8 +4,10 @@
#
# Tenant User Roles
# ------------------------------------------------------------------
# service glance admin
# service glance service
# service glance-swift ResellerAdmin
# service heat service # if enabled
# service ceilometer admin # if enabled
# Tempest Only:
# alt_demo alt_demo Member
#
@ -96,7 +98,19 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance \
--role admin
--role service
# required for swift access
if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
keystone user-create \
--name=glance-swift \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=glance-swift@example.com
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance-swift \
--role ResellerAdmin
fi
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=glance \

2
lib/glance
View File

@ -124,7 +124,7 @@ function configure_glance() {
if is_service_enabled s-proxy; then
iniset $GLANCE_API_CONF DEFAULT default_store swift
iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True