devstack/files/keystone_data.sh

345 lines
14 KiB
Bash
Executable File

#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant User Roles
# ------------------------------------------------------------------
# admin admin admin
# service glance admin
# service nova admin, [ResellerAdmin (swift only)]
# service quantum admin # if enabled
# service swift admin # if enabled
# service cinder admin # if enabled
# service heat admin # if enabled
# service ceilometer admin # if enabled
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Tempest Only:
# alt_demo alt_demo Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
# Defaults
# --------
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
function get_id () {
echo `"$@" | awk '/ id / { print $4 }'`
}
# Tenants
# -------
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
# Users
# -----
ADMIN_USER=$(get_id keystone user-create --name=admin \
--pass="$ADMIN_PASSWORD" \
--email=admin@example.com)
DEMO_USER=$(get_id keystone user-create --name=demo \
--pass="$ADMIN_PASSWORD" \
--email=demo@example.com)
# Roles
# -----
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
# Add Roles to Users in Tenants
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
# TODO(termie): these two might be dubious
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
# Services
# --------
# Keystone
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
KEYSTONE_SERVICE=$(get_id keystone service-create \
--name=keystone \
--type=identity \
--description="Keystone Identity Service")
keystone endpoint-create \
--region RegionOne \
--service_id $KEYSTONE_SERVICE \
--publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
--adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
--internalurl "http://$SERVICE_HOST:\$(public_port)s/v2.0"
fi
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
NOVA_USER=$(get_id keystone user-create \
--name=nova \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=nova@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $NOVA_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
NOVA_SERVICE=$(get_id keystone service-create \
--name=nova \
--type=compute \
--description="Nova Compute Service")
keystone endpoint-create \
--region RegionOne \
--service_id $NOVA_SERVICE \
--publicurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s"
fi
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $NOVA_USER \
--role_id $RESELLER_ROLE
fi
# Heat
if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
HEAT_USER=$(get_id keystone user-create --name=heat \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=heat@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $HEAT_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
HEAT_CFN_SERVICE=$(get_id keystone service-create \
--name=heat-cfn \
--type=cloudformation \
--description="Heat CloudFormation Service")
keystone endpoint-create \
--region RegionOne \
--service_id $HEAT_CFN_SERVICE \
--publicurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1"
HEAT_SERVICE=$(get_id keystone service-create \
--name=heat \
--type=orchestration \
--description="Heat Service")
keystone endpoint-create \
--region RegionOne \
--service_id $HEAT_SERVICE \
--publicurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"
fi
fi
# Glance
if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
GLANCE_USER=$(get_id keystone user-create \
--name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=glance@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $GLANCE_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
GLANCE_SERVICE=$(get_id keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service")
keystone endpoint-create \
--region RegionOne \
--service_id $GLANCE_SERVICE \
--publicurl "http://$SERVICE_HOST:9292" \
--adminurl "http://$SERVICE_HOST:9292" \
--internalurl "http://$SERVICE_HOST:9292"
fi
fi
# Swift
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
SWIFT_USER=$(get_id keystone user-create \
--name=swift \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=swift@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $SWIFT_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
SWIFT_SERVICE=$(get_id keystone service-create \
--name=swift \
--type="object-store" \
--description="Swift Service")
keystone endpoint-create \
--region RegionOne \
--service_id $SWIFT_SERVICE \
--publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8080" \
--internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
fi
fi
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
QUANTUM_USER=$(get_id keystone user-create \
--name=quantum \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=quantum@example.com)
keystone user-role-add \
--tenant_id $SERVICE_TENANT \
--user_id $QUANTUM_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
QUANTUM_SERVICE=$(get_id keystone service-create \
--name=quantum \
--type=network \
--description="Quantum Service")
keystone endpoint-create \
--region RegionOne \
--service_id $QUANTUM_SERVICE \
--publicurl "http://$SERVICE_HOST:9696/" \
--adminurl "http://$SERVICE_HOST:9696/" \
--internalurl "http://$SERVICE_HOST:9696/"
fi
fi
if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
CEILOMETER_USER=$(get_id keystone user-create --name=ceilometer \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=ceilometer@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \
--role_id $ADMIN_ROLE
# Ceilometer needs ResellerAdmin role to access swift account stats.
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CEILOMETER_USER \
--role_id $RESELLER_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
CEILOMETER_SERVICE=$(get_id keystone service-create \
--name=ceilometer \
--type=metering \
--description="Ceilometer Service")
keystone endpoint-create \
--region RegionOne \
--service_id $CEILOMETER_SERVICE \
--publicurl "http://$SERVICE_HOST:8777/" \
--adminurl "http://$SERVICE_HOST:8777/" \
--internalurl "http://$SERVICE_HOST:8777/"
fi
fi
# EC2
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
EC2_SERVICE=$(get_id keystone service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer")
keystone endpoint-create \
--region RegionOne \
--service_id $EC2_SERVICE \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud"
fi
fi
# S3
if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
S3_SERVICE=$(get_id keystone service-create \
--name=s3 \
--type=s3 \
--description="S3")
keystone endpoint-create \
--region RegionOne \
--service_id $S3_SERVICE \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi
fi
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
ALT_DEMO_TENANT=$(get_id keystone tenant-create \
--name=alt_demo)
ALT_DEMO_USER=$(get_id keystone user-create \
--name=alt_demo \
--pass="$ADMIN_PASSWORD" \
--email=alt_demo@example.com)
keystone user-role-add \
--tenant_id $ALT_DEMO_TENANT \
--user_id $ALT_DEMO_USER \
--role_id $MEMBER_ROLE
fi
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
CINDER_USER=$(get_id keystone user-create --name=cinder \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=cinder@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user_id $CINDER_USER \
--role_id $ADMIN_ROLE
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
CINDER_SERVICE=$(get_id keystone service-create \
--name=cinder \
--type=volume \
--description="Cinder Service")
keystone endpoint-create \
--region RegionOne \
--service_id $CINDER_SERVICE \
--publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
fi
fi