Merge "Allow putting service users in a seperate domain"
diff --git a/functions-common b/functions-common
index 0806681..71dda76 100644
--- a/functions-common
+++ b/functions-common
@@ -840,27 +840,49 @@
     echo $role_id
 }
 
+# Returns the domain parts of a function call if present
+# Usage: _get_domain_args [<user_domain> <project_domain>]
+function _get_domain_args {
+    local domain
+    domain=""
+
+    if [[ -n "$1" ]]; then
+        domain="$domain --user-domain $1"
+    fi
+    if [[ -n "$2" ]]; then
+        domain="$domain --project-domain $2"
+    fi
+
+    echo $domain
+}
+
 # Gets or adds user role to project
-# Usage: get_or_add_user_project_role <role> <user> <project>
+# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>]
 function get_or_add_user_project_role {
     local user_role_id
+
+    domain_args=$(_get_domain_args $4 $5)
+
     # Gets user role id
     user_role_id=$(openstack role list \
         --user $2 \
         --column "ID" \
         --project $3 \
         --column "Name" \
+        $domain_args \
         | grep " $1 " | get_field 1)
     if [[ -z "$user_role_id" ]]; then
         # Adds role to user and get it
         openstack role add $1 \
             --user $2 \
-            --project $3
+            --project $3 \
+            $domain_args
         user_role_id=$(openstack role list \
             --user $2 \
             --column "ID" \
             --project $3 \
             --column "Name" \
+            $domain_args \
             | grep " $1 " | get_field 1)
     fi
     echo $user_role_id
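Review bot: `domain_args` in get_or_add_user_project_role is assigned without `local`, and `_get_domain_args $4 $5` passes its arguments unquoted, so an empty user domain with a non-empty project domain shifts the project domain into `$1` and it is emitted as `--user-domain`. The role lookup and `openstack role add` would then resolve the user in the wrong domain. Declare `local domain_args` next to `local user_role_id` and call `domain_args=$(_get_domain_args "$4" "$5")`. Because `echo $domain` and the later `$domain_args` expansions rely on word splitting, a domain name containing whitespace would still be split, which the `_get_domain_args` header comment should state. The end of get_or_add_user_project_role is outside the hunk.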
diff --git a/lib/glance b/lib/glance
index 3743e16..f2a6db6 100644
--- a/lib/glance
+++ b/lib/glance
@@ -173,8 +173,8 @@
 
         iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
         iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
-        iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
-        iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
+        iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
+        iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
         iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
 
         # commenting is not strictly necessary but it's confusing to have bad values in conf
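Review bot: `$SERVICE_DOMAIN_NAME` is unquoted in the two new `iniset` lines, while the same commit quotes it in lib/keystone and lib/neutron-legacy. The value is now operator-supplied, so quote it here: `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name "$SERVICE_DOMAIN_NAME"`, and likewise for `project_domain_name`. The same applies to the `get_or_add_user_project_role ResellerAdmin nova ...` call in lib/nova, where an empty or space-containing value would change the positional arguments.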
@@ -288,11 +288,7 @@
 
         # required for swift access
         if is_service_enabled s-proxy; then
-
-            local glance_swift_user
-            glance_swift_user=$(get_or_create_user "glance-swift" \
-                "$SERVICE_PASSWORD" "default" "glance-swift@example.com")
-            get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
+            create_service_user "glance-swift" "ResellerAdmin"
         fi
 
         get_or_create_service "glance" "image" "Glance Image Service"
diff --git a/lib/keystone b/lib/keystone
index c6208ae..542bd05 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -106,7 +106,9 @@
 
 # Bind hosts
 KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
+
 # Set the project for service accounts in Keystone
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
 SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
 
 # Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
@@ -373,6 +375,7 @@
     get_or_add_user_domain_role $admin_role $admin_user default
 
     # Create service project/role
+    get_or_create_domain "$SERVICE_DOMAIN_NAME"
     get_or_create_project "$SERVICE_PROJECT_NAME" default
 
     # Service role, so service users do not have to be admins
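Review bot: The service project is still created with `default` as its domain argument on the line after the new `get_or_create_domain` call, while create_service_user and the auth configuration in this commit pass `$SERVICE_DOMAIN_NAME` as the project domain. If the second argument of get_or_create_project is the domain (its definition is not in this diff), a non-default SERVICE_DOMAIN_NAME would leave role assignment and service authentication pointing at a project that does not exist in that domain. Consider `get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"`. The enclosing function starts and ends outside the hunk.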
@@ -445,9 +448,8 @@
 function create_service_user {
     local role=${2:-service}
 
-    local user
-    user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
-    get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
+    get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
+    get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
 }
 
 # Configure the service to use the auth token middleware.
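Review bot: The result of `get_or_create_user` is no longer captured in create_service_user, so whatever it prints (the removed line stored it as the user id) now goes to the function's stdout, along with the role id echoed by get_or_add_user_project_role. If any caller captures the output of create_service_user, this changes what it receives; `get_or_create_user ... >/dev/null` would keep it quiet. The header comment, which is outside the hunk, should also say that the user is created in `SERVICE_DOMAIN_NAME` and that the role is granted by user name scoped to that domain.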
@@ -467,9 +469,9 @@
     iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
     iniset $conf_file $section username $admin_user
     iniset $conf_file $section password $SERVICE_PASSWORD
-    iniset $conf_file $section user_domain_id default
+    iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
-    iniset $conf_file $section project_domain_id default
+    iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
 
     iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
     iniset $conf_file $section cafile $SSL_BUNDLE_FILE
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index c2729cb..a357159 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -491,9 +491,9 @@
     iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
     iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
     iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
-    iniset $NOVA_CONF neutron user_domain_name "Default"
+    iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
-    iniset $NOVA_CONF neutron project_domain_name "Default"
+    iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
     iniset $NOVA_CONF neutron region_name "$REGION_NAME"
     iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
diff --git a/lib/nova b/lib/nova
index 7c22910..818ecc4 100644
--- a/lib/nova
+++ b/lib/nova
@@ -439,7 +439,7 @@
         if is_service_enabled swift; then
             # Nova needs ResellerAdmin role to download images when accessing
             # swift through the s3 api.
-            get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
+            get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
         fi
     fi
 
diff --git a/lib/swift b/lib/swift
index f47608c..8cb94ef 100644
--- a/lib/swift
+++ b/lib/swift
@@ -846,7 +846,9 @@
     # note we are using swift credentials!
     OS_USERNAME=swift \
     OS_PASSWORD=$SERVICE_PASSWORD \
+    OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
     OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
+    OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
     openstack object store account \
         set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
 }