Cleanup keystone_data.sh
* Remove the compatibility code for older keystone client * Reformat commands similar to keystone sample_data.sh * Improve documentation Change-Id: I2fc544555a1b936d28f11c3c4eaaf885b2cb6d17
This commit is contained in:
Dean Troyer
parent
ee4ac37383
commit
b7d1fbbe20
@ -1,165 +1,149 @@
|
||||
#!/bin/bash
|
||||
# Tenants
|
||||
#
|
||||
# Initial data for Keystone using python-keystoneclient
|
||||
#
|
||||
# A set of EC2-compatible credentials is created for both admin and demo
|
||||
# users and placed in $DEVSTACK_DIR/ec2rc.
|
||||
#
|
||||
# Tenant User Roles
|
||||
# -------------------------------------------------------
|
||||
# admin admin admin
|
||||
# service glance admin
|
||||
# service nova admin
|
||||
# service quantum admin # if enabled
|
||||
# service swift admin # if enabled
|
||||
# demo admin admin
|
||||
# demo demo Member,sysadmin,netadmin
|
||||
# invisible_to_admin demo Member
|
||||
#
|
||||
# Variables set before calling this script:
|
||||
# SERVICE_TOKEN - aka admin_token in keystone.conf
|
||||
# SERVICE_ENDPOINT - local Keystone admin endpoint
|
||||
# SERVICE_TENANT_NAME - name of tenant containing service accounts
|
||||
# ENABLED_SERVICES - stack.sh's list of services to start
|
||||
# DEVSTACK_DIR - Top-level DevStack directory
|
||||
|
||||
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
|
||||
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
|
||||
export SERVICE_TOKEN=$SERVICE_TOKEN
|
||||
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
|
||||
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
|
||||
|
||||
function get_id () {
|
||||
echo `$@ | grep ' id ' | awk '{print $4}'`
|
||||
echo `$@ | awk '/ id / { print $4 }'`
|
||||
}
|
||||
|
||||
# Detect if the keystone cli binary has the command names changed
|
||||
# in https://review.openstack.org/4375
|
||||
# FIXME(dtroyer): Remove the keystone client command checking
|
||||
# after a suitable transition period. add-user-role
|
||||
# and ec2-create-credentials were renamed
|
||||
if keystone help | grep -q user-role-add; then
|
||||
KEYSTONE_COMMAND_4375=1
|
||||
fi
|
||||
|
||||
ADMIN_TENANT=`get_id keystone tenant-create --name=admin`
|
||||
SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME`
|
||||
DEMO_TENANT=`get_id keystone tenant-create --name=demo`
|
||||
INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`
|
||||
# Tenants
|
||||
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
|
||||
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
|
||||
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
|
||||
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
|
||||
|
||||
|
||||
# Users
|
||||
ADMIN_USER=`get_id keystone user-create \
|
||||
--name=admin \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=admin@example.com`
|
||||
DEMO_USER=`get_id keystone user-create \
|
||||
--name=demo \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=admin@example.com`
|
||||
ADMIN_USER=$(get_id keystone user-create --name=admin \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=admin@example.com)
|
||||
DEMO_USER=$(get_id keystone user-create --name=demo \
|
||||
--pass="$ADMIN_PASSWORD" \
|
||||
--email=demo@example.com)
|
||||
|
||||
# Roles
|
||||
ADMIN_ROLE=`get_id keystone role-create --name=admin`
|
||||
MEMBER_ROLE=`get_id keystone role-create --name=Member`
|
||||
KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=KeystoneAdmin`
|
||||
KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=KeystoneServiceAdmin`
|
||||
SYSADMIN_ROLE=`get_id keystone role-create --name=sysadmin`
|
||||
NETADMIN_ROLE=`get_id keystone role-create --name=netadmin`
|
||||
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
|
||||
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
|
||||
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
|
||||
SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
|
||||
NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)
|
||||
|
||||
|
||||
if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
|
||||
# Add Roles to Users in Tenants
|
||||
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
|
||||
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
# Add Roles to Users in Tenants
|
||||
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
|
||||
|
||||
# TODO(termie): these two might be dubious
|
||||
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
|
||||
else
|
||||
### compat
|
||||
# Add Roles to Users in Tenants
|
||||
keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT
|
||||
keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT
|
||||
keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT
|
||||
keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT
|
||||
keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT
|
||||
keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT
|
||||
# TODO(termie): these two might be dubious
|
||||
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
|
||||
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
|
||||
|
||||
|
||||
# The Member role is used by Horizon and Swift so we need to keep it:
|
||||
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
|
||||
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
|
||||
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
|
||||
|
||||
# TODO(termie): these two might be dubious
|
||||
keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT
|
||||
keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT
|
||||
###
|
||||
fi
|
||||
|
||||
# Services
|
||||
keystone service-create \
|
||||
--name=nova \
|
||||
--type=compute \
|
||||
--description="Nova Compute Service"
|
||||
NOVA_USER=`get_id keystone user-create \
|
||||
--name=nova \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=nova@example.com`
|
||||
keystone service-create --name=keystone \
|
||||
--type=identity \
|
||||
--description="Keystone Identity Service"
|
||||
|
||||
keystone service-create --name=nova \
|
||||
--type=compute \
|
||||
--description="Nova Compute Service"
|
||||
NOVA_USER=$(get_id keystone user-create --name=nova \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=nova@example.com)
|
||||
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
||||
--user $NOVA_USER \
|
||||
--role $ADMIN_ROLE
|
||||
--user $NOVA_USER \
|
||||
--role $ADMIN_ROLE
|
||||
|
||||
keystone service-create \
|
||||
--name=ec2 \
|
||||
--type=ec2 \
|
||||
--description="EC2 Compatibility Layer"
|
||||
keystone service-create --name=ec2 \
|
||||
--type=ec2 \
|
||||
--description="EC2 Compatibility Layer"
|
||||
|
||||
keystone service-create \
|
||||
--name=glance \
|
||||
--type=image \
|
||||
--description="Glance Image Service"
|
||||
GLANCE_USER=`get_id keystone user-create \
|
||||
--name=glance \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=glance@example.com`
|
||||
keystone service-create --name=glance \
|
||||
--type=image \
|
||||
--description="Glance Image Service"
|
||||
GLANCE_USER=$(get_id keystone user-create --name=glance \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=glance@example.com)
|
||||
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
||||
--user $GLANCE_USER \
|
||||
--role $ADMIN_ROLE
|
||||
|
||||
keystone service-create \
|
||||
--name=keystone \
|
||||
--type=identity \
|
||||
--description="Keystone Identity Service"
|
||||
--user $GLANCE_USER \
|
||||
--role $ADMIN_ROLE
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
|
||||
keystone service-create \
|
||||
--name="nova-volume" \
|
||||
--type=volume \
|
||||
--description="Nova Volume Service"
|
||||
keystone service-create --name="nova-volume" \
|
||||
--type=volume \
|
||||
--description="Nova Volume Service"
|
||||
fi
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
|
||||
keystone service-create \
|
||||
--name=swift \
|
||||
--type="object-store" \
|
||||
--description="Swift Service"
|
||||
SWIFT_USER=`get_id keystone user-create \
|
||||
--name=swift \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=swift@example.com`
|
||||
keystone service-create --name=swift \
|
||||
--type="object-store" \
|
||||
--description="Swift Service"
|
||||
SWIFT_USER=$(get_id keystone user-create --name=swift \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=swift@example.com)
|
||||
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
||||
--user $SWIFT_USER \
|
||||
--role $ADMIN_ROLE
|
||||
--user $SWIFT_USER \
|
||||
--role $ADMIN_ROLE
|
||||
fi
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
|
||||
keystone service-create \
|
||||
--name=quantum \
|
||||
--type=network \
|
||||
--description="Quantum Service"
|
||||
QUANTUM_USER=`get_id keystone user-create \
|
||||
--name=quantum \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=quantum@example.com`
|
||||
keystone service-create --name=quantum \
|
||||
--type=network \
|
||||
--description="Quantum Service"
|
||||
QUANTUM_USER=$(get_id keystone user-create --name=quantum \
|
||||
--pass="$SERVICE_PASSWORD" \
|
||||
--tenant_id $SERVICE_TENANT \
|
||||
--email=quantum@example.com)
|
||||
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
||||
--user $QUANTUM_USER \
|
||||
--role $ADMIN_ROLE
|
||||
--user $QUANTUM_USER \
|
||||
--role $ADMIN_ROLE
|
||||
fi
|
||||
|
||||
# create ec2 creds and parse the secret and access key returned
|
||||
if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
|
||||
RESULT=`keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER`
|
||||
else
|
||||
RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER`
|
||||
fi
|
||||
echo `$@ | grep id | awk '{print $4}'`
|
||||
ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
|
||||
ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
|
||||
RESULT=$(keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER)
|
||||
ADMIN_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
|
||||
ADMIN_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
|
||||
|
||||
|
||||
if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
|
||||
RESULT=`keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER`
|
||||
else
|
||||
RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER`
|
||||
fi
|
||||
DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
|
||||
DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
|
||||
RESULT=$(keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER)
|
||||
DEMO_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
|
||||
DEMO_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
|
||||
|
||||
# write the secret and access to ec2rc
|
||||
cat > $DEVSTACK_DIR/ec2rc <<EOF
|
||||
|
||||
Loading…
Reference in New Issue
Block a user