Add additional project personas for secure RBAC
This commit formalizes some additional users to act as different project users and updates the clouds.yaml file so they are easy to use. It creates: - a reader on the demo project - a reader on the alt_demo project - a member on the alt_demo project With the adoption of secure RBAC personas, these are useful for exercising OpenStack APIs as that work continues. Change-Id: I3237a771275311377313b7d7d80ac059ac69d031
This commit is contained in:
parent
021ae0bcc8
commit
9c81321bfc
@ -85,7 +85,7 @@ function write_clouds_yaml {
|
|||||||
if [ -f "$SSL_BUNDLE_FILE" ]; then
|
if [ -f "$SSL_BUNDLE_FILE" ]; then
|
||||||
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE"
|
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE"
|
||||||
fi
|
fi
|
||||||
# demo -> devstack
|
# devstack: user with the member role on demo project
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
--file $CLOUDS_YAML \
|
--file $CLOUDS_YAML \
|
||||||
--os-cloud devstack \
|
--os-cloud devstack \
|
||||||
@ -96,18 +96,7 @@ function write_clouds_yaml {
|
|||||||
--os-password $ADMIN_PASSWORD \
|
--os-password $ADMIN_PASSWORD \
|
||||||
--os-project-name demo
|
--os-project-name demo
|
||||||
|
|
||||||
# alt_demo -> devstack-alt
|
# devstack-admin: user with the admin role on the admin project
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
|
||||||
--file $CLOUDS_YAML \
|
|
||||||
--os-cloud devstack-alt \
|
|
||||||
--os-region-name $REGION_NAME \
|
|
||||||
$CA_CERT_ARG \
|
|
||||||
--os-auth-url $KEYSTONE_SERVICE_URI \
|
|
||||||
--os-username alt_demo \
|
|
||||||
--os-password $ADMIN_PASSWORD \
|
|
||||||
--os-project-name alt_demo
|
|
||||||
|
|
||||||
# admin -> devstack-admin
|
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
--file $CLOUDS_YAML \
|
--file $CLOUDS_YAML \
|
||||||
--os-cloud devstack-admin \
|
--os-cloud devstack-admin \
|
||||||
@ -118,7 +107,51 @@ function write_clouds_yaml {
|
|||||||
--os-password $ADMIN_PASSWORD \
|
--os-password $ADMIN_PASSWORD \
|
||||||
--os-project-name admin
|
--os-project-name admin
|
||||||
|
|
||||||
# admin with a system-scoped token -> devstack-system
|
# devstack-alt: user with the member role on alt_demo project
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-alt \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username alt_demo \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-project-name alt_demo
|
||||||
|
|
||||||
|
# devstack-alt-member: user with the member role on alt_demo project
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-alt-member \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username alt_demo_member \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-project-name alt_demo
|
||||||
|
|
||||||
|
# devstack-alt-reader: user with the reader role on alt_demo project
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-alt-reader \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username alt_demo_reader \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-project-name alt_demo
|
||||||
|
|
||||||
|
# devstack-reader: user with the reader role on demo project
|
||||||
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
|
--file $CLOUDS_YAML \
|
||||||
|
--os-cloud devstack-reader \
|
||||||
|
--os-region-name $REGION_NAME \
|
||||||
|
$CA_CERT_ARG \
|
||||||
|
--os-auth-url $KEYSTONE_SERVICE_URI \
|
||||||
|
--os-username demo_reader \
|
||||||
|
--os-password $ADMIN_PASSWORD \
|
||||||
|
--os-project-name demo
|
||||||
|
|
||||||
|
# devstack-system-admin: user with the admin role on the system
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
--file $CLOUDS_YAML \
|
--file $CLOUDS_YAML \
|
||||||
--os-cloud devstack-system-admin \
|
--os-cloud devstack-system-admin \
|
||||||
@ -129,7 +162,7 @@ function write_clouds_yaml {
|
|||||||
--os-password $ADMIN_PASSWORD \
|
--os-password $ADMIN_PASSWORD \
|
||||||
--os-system-scope all
|
--os-system-scope all
|
||||||
|
|
||||||
# system member
|
# devstack-system-member: user with the member role on the system
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
--file $CLOUDS_YAML \
|
--file $CLOUDS_YAML \
|
||||||
--os-cloud devstack-system-member \
|
--os-cloud devstack-system-member \
|
||||||
@ -140,7 +173,7 @@ function write_clouds_yaml {
|
|||||||
--os-password $ADMIN_PASSWORD \
|
--os-password $ADMIN_PASSWORD \
|
||||||
--os-system-scope all
|
--os-system-scope all
|
||||||
|
|
||||||
# system reader
|
# devstack-system-reader: user with the reader role on the system
|
||||||
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
|
||||||
--file $CLOUDS_YAML \
|
--file $CLOUDS_YAML \
|
||||||
--os-cloud devstack-system-reader \
|
--os-cloud devstack-system-reader \
|
||||||
|
32
lib/keystone
32
lib/keystone
@ -346,19 +346,39 @@ function create_keystone_accounts {
|
|||||||
async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
|
async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
|
||||||
async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
|
async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
|
||||||
|
|
||||||
# alt_demo
|
# Create a user to act as a reader on project demo
|
||||||
|
local demo_reader
|
||||||
|
demo_reader=$(get_or_create_user "demo_reader" \
|
||||||
|
"$ADMIN_PASSWORD" "default" "demo_reader@example.com")
|
||||||
|
|
||||||
|
async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project
|
||||||
|
|
||||||
|
# Create a different project called alt_demo
|
||||||
local alt_demo_project
|
local alt_demo_project
|
||||||
alt_demo_project=$(get_or_create_project "alt_demo" default)
|
alt_demo_project=$(get_or_create_project "alt_demo" default)
|
||||||
|
# Create a user to act as member, admin and anotherrole on project alt_demo
|
||||||
local alt_demo_user
|
local alt_demo_user
|
||||||
alt_demo_user=$(get_or_create_user "alt_demo" \
|
alt_demo_user=$(get_or_create_user "alt_demo" \
|
||||||
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
|
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
|
||||||
|
|
||||||
async_run ks-alt-member get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
|
async_run ks-alt-member get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
|
||||||
async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
|
async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project
|
||||||
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
|
||||||
|
|
||||||
# Create two users, give one the member role on the system and the other
|
# Create another user to act as a member on project alt_demo
|
||||||
# the reader role on the system. These two users model system-member and
|
local alt_demo_member
|
||||||
|
alt_demo_member=$(get_or_create_user "alt_demo_member" \
|
||||||
|
"$ADMIN_PASSWORD" "default" "alt_demo_member@example.com")
|
||||||
|
async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project
|
||||||
|
|
||||||
|
# Create another user to act as a reader on project alt_demo
|
||||||
|
local alt_demo_reader
|
||||||
|
alt_demo_reader=$(get_or_create_user "alt_demo_reader" \
|
||||||
|
"$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com")
|
||||||
|
async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project
|
||||||
|
|
||||||
|
# Create two users, give one the member role on the system and the other the
|
||||||
|
# reader role on the system. These two users model system-member and
|
||||||
# system-reader personas. The admin user already has the admin role on the
|
# system-reader personas. The admin user already has the admin role on the
|
||||||
# system and we can re-use this user as a system-admin.
|
# system and we can re-use this user as a system-admin.
|
||||||
system_member_user=$(get_or_create_user "system_member" \
|
system_member_user=$(get_or_create_user "system_member" \
|
||||||
@ -383,8 +403,8 @@ function create_keystone_accounts {
|
|||||||
async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
||||||
async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
|
async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
|
||||||
|
|
||||||
async_wait ks-demo-{member,admin,another,invis}
|
async_wait ks-demo-{member,admin,another,invis,reader}
|
||||||
async_wait ks-alt-{member,admin,another}
|
async_wait ks-alt-{member,admin,another,member-user,reader-user}
|
||||||
async_wait ks-system-{member,reader}
|
async_wait ks-system-{member,reader}
|
||||||
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
|
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
|
||||||
|
|
||||||
|
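Review bot: The `ks-alt-admin` assignment now reads `async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project` where it previously named `$admin_user`, so the `admin` user stops receiving a project-scoped admin role on alt_demo and the `alt_demo` user becomes an admin of its own project — neither effect is mentioned in the commit message. Because the existing `devstack-alt` cloud authenticates as `alt_demo`, requests made through that persona are evaluated under admin policy rather than member policy, so it can no longer demonstrate member-level enforcement; only the new `alt_demo_member` user does that, and the clouds.yaml comment describing devstack-alt as "user with the member role" should be read with that in mind. If the swap is intentional, a comment such as `# alt_demo also holds the admin role on its own project; use alt_demo_member/alt_demo_reader for non-admin personas` above the line would make it explicit; if not, restore `$admin_user`. Helpers named get_or_add_* are presumably additive, so on a re-stacked deployment the old admin-user assignment would persist while a fresh stack lacks it — worth confirming. The enclosing create_keystone_accounts function begins before and continues after this hunk.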