From 901eed70b4b6257ad3a9192c0d0522969ef67509 Mon Sep 17 00:00:00 2001
From: guillaume pernot <gpernot@praksys.org>
Date: Thu, 29 Nov 2012 08:44:58 +0100
Subject: [PATCH] Add ResellerAdmin role to ceilometer user.

For the sake of swift metering, 'ceilometer' user needs to be a
ResellerAdmin for tenant 'service'.

Change-Id: I65b3bdedddded9d5f3bac5c5d714288800ffa8b6
---
 files/keystone_data.sh | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index f75d24a6c3..35793d84d6 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -87,6 +87,11 @@ MEMBER_ROLE=$(get_id keystone role-create --name=Member)
 keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
 keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
 
+# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+# The admin role in swift allows a user to act as an admin for their tenant,
+# but ResellerAdmin is needed for a user to act as any tenant. The name of this
+# role is also configurable in swift-proxy.conf
+RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
 
 # Services
 # --------
@@ -129,11 +134,7 @@ if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
             --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s"
     fi
     # Nova needs ResellerAdmin role to download images when accessing
-    # swift through the s3 api. The admin role in swift allows a user
-    # to act as an admin for their tenant, but ResellerAdmin is needed
-    # for a user to act as any tenant. The name of this role is also
-    # configurable in swift-proxy.conf
-    RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
+    # swift through the s3 api.
     keystone user-role-add \
         --tenant_id $SERVICE_TENANT \
         --user_id $NOVA_USER \
@@ -255,6 +256,10 @@ if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user_id $CEILOMETER_USER \
                            --role_id $ADMIN_ROLE
+    # Ceilometer needs ResellerAdmin role to access swift account stats.
+    keystone user-role-add --tenant_id $SERVICE_TENANT \
+                           --user_id $CEILOMETER_USER \
+                           --role_id $RESELLER_ROLE
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         CEILOMETER_SERVICE=$(get_id keystone service-create \
             --name=ceilometer \