openstack/devstack
Code Issues Proposed changes
f84eb5ba43
devstack/files/keystone_data.sh
Gordon Chung ab0595e9cd ERRORs in ceilometer-acentral log after succesful tempest run 
recent merge added duplicate creation of ceilometer user. remove
ceilometer user creation from keystone_data so we can correctly add
ResellerAdmin role to ceilometer user which it needs to interact
with swift

Change-Id: I043c6b9337dfb147c3c8f364b462708a4030b41c
Closes-Bug: #1268730
2014-01-24 10:17:06 -05:00

168 lines
5.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant User Roles
# ------------------------------------------------------------------
# service glance admin
# service heat service # if enabled
# Tempest Only:
# alt_demo alt_demo Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
# Defaults
# --------
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Roles
# -----
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
# role is also configurable in swift-proxy.conf
keystone role-create --name=ResellerAdmin
# Service role, so service users do not have to be admins
keystone role-create --name=service
# Services
# --------
if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user nova \
--role ResellerAdmin
fi
# Heat
if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
keystone user-create --name=heat \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=heat@example.com
keystone user-role-add --tenant $SERVICE_TENANT_NAME \
--user heat \
--role service
# heat_stack_user role is for users created by Heat
keystone role-create --name heat_stack_user
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=heat-cfn \
--type=cloudformation \
--description="Heat CloudFormation Service"
keystone endpoint-create \
--region RegionOne \
--service heat-cfn \
--publicurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_CFN_PORT/v1"
keystone service-create \
--name=heat \
--type=orchestration \
--description="Heat Service"
keystone endpoint-create \
--region RegionOne \
--service heat \
--publicurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:$HEAT_API_PORT/v1/\$(tenant_id)s"
fi
fi
# Glance
if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
keystone user-create \
--name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant $SERVICE_TENANT_NAME \
--email=glance@example.com
keystone user-role-add \
--tenant $SERVICE_TENANT_NAME \
--user glance \
--role admin
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service"
keystone endpoint-create \
--region RegionOne \
--service glance \
--publicurl "http://$SERVICE_HOST:9292" \
--adminurl "http://$SERVICE_HOST:9292" \
--internalurl "http://$SERVICE_HOST:9292"
fi
fi
# Ceilometer
if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
# Ceilometer needs ResellerAdmin role to access swift account stats.
keystone user-role-add --tenant $SERVICE_TENANT_NAME \
--user ceilometer \
--role ResellerAdmin
fi
# EC2
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
keystone endpoint-create \
--region RegionOne \
--service ec2 \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud"
fi
fi
# S3
if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift3" ]]; then
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
keystone service-create \
--name=s3 \
--type=s3 \
--description="S3"
keystone endpoint-create \
--region RegionOne \
--service s3 \
--publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
--internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi
fi
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
# Tempest has some tests that validate various authorization checks
# between two regular users in separate tenants
keystone tenant-create \
--name=alt_demo
keystone user-create \
--name=alt_demo \
--pass="$ADMIN_PASSWORD" \
--email=alt_demo@example.com
keystone user-role-add \
--tenant alt_demo \
--user alt_demo \
--role Member
fi
View Git Blame Copy Permalink