#!/bin/bash # # Initial data for Keystone using python-keystoneclient # # Tenant User Roles # ------------------------------------------------------------------ # service glance service # service glance-swift ResellerAdmin # service heat service # if enabled # service ceilometer admin # if enabled # Tempest Only: # alt_demo alt_demo Member # # Variables set before calling this script: # SERVICE_TOKEN - aka admin_token in keystone.conf # SERVICE_ENDPOINT - local Keystone admin endpoint # SERVICE_TENANT_NAME - name of tenant containing service accounts # SERVICE_HOST - host used for endpoint creation # ENABLED_SERVICES - stack.sh's list of services to start # DEVSTACK_DIR - Top-level DevStack directory # KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation # Defaults # -------- ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete} SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD} export SERVICE_TOKEN=$SERVICE_TOKEN export SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} # Roles # ----- # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. # The admin role in swift allows a user to act as an admin for their tenant, # but ResellerAdmin is needed for a user to act as any tenant. The name of this # role is also configurable in swift-proxy.conf keystone role-create --name=ResellerAdmin # Service role, so service users do not have to be admins keystone role-create --name=service # Services # -------- if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then # Nova needs ResellerAdmin role to download images when accessing # swift through the s3 api. keystone user-role-add \ --tenant $SERVICE_TENANT_NAME \ --user nova \ --role ResellerAdmin fi # Heat if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then keystone user-create --name=heat \ --pass="$SERVICE_PASSWORD" \ --tenant $SERVICE_TENANT_NAME \ --email=heat@example.com keystone user-role-add --tenant $SERVICE_TENANT_NAME \ --user heat \ --role service # heat_stack_user role is for users created by Heat keystone role-create --name heat_stack_user if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then keystone service-create \ --name=heat-cfn \ --type=cloudformation \ --description="Heat CloudFormation Service" keystone endpoint-create \ --region RegionOne \ --service heat-cfn \ --publicurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \ --adminurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \ --internalurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" keystone service-create \ --name=heat \ --type=orchestration \ --description="Heat Service" keystone endpoint-create \ --region RegionOne \ --service heat \ --publicurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \ --adminurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \ --internalurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" fi fi # Glance if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then keystone user-create \ --name=glance \ --pass="$SERVICE_PASSWORD" \ --tenant $SERVICE_TENANT_NAME \ --email=glance@example.com keystone user-role-add \ --tenant $SERVICE_TENANT_NAME \ --user glance \ --role service # required for swift access if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then keystone user-create \ --name=glance-swift \ --pass="$SERVICE_PASSWORD" \ --tenant $SERVICE_TENANT_NAME \ --email=glance-swift@example.com keystone user-role-add \ --tenant $SERVICE_TENANT_NAME \ --user glance-swift \ --role ResellerAdmin fi if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then keystone service-create \ --name=glance \ --type=image \ --description="Glance Image Service" keystone endpoint-create \ --region RegionOne \ --service glance \ --publicurl "http://$SERVICE_HOST:9292" \ --adminurl "http://$SERVICE_HOST:9292" \ --internalurl "http://$SERVICE_HOST:9292" fi fi # Ceilometer if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then # Ceilometer needs ResellerAdmin role to access swift account stats. keystone user-role-add --tenant $SERVICE_TENANT_NAME \ --user ceilometer \ --role ResellerAdmin fi # EC2 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then keystone service-create \ --name=ec2 \ --type=ec2 \ --description="EC2 Compatibility Layer" keystone endpoint-create \ --region RegionOne \ --service ec2 \ --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \ --adminurl "http://$SERVICE_HOST:8773/services/Admin" \ --internalurl "http://$SERVICE_HOST:8773/services/Cloud" fi fi # S3 if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift3" ]]; then if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then keystone service-create \ --name=s3 \ --type=s3 \ --description="S3" keystone endpoint-create \ --region RegionOne \ --service s3 \ --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \ --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" fi fi if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then # Tempest has some tests that validate various authorization checks # between two regular users in separate tenants keystone tenant-create \ --name=alt_demo keystone user-create \ --name=alt_demo \ --pass="$ADMIN_PASSWORD" \ --email=alt_demo@example.com keystone user-role-add \ --tenant alt_demo \ --user alt_demo \ --role Member fi