files/keystone_data.sh - devstack - Gitiles

 #!/bin/bash
 #
 # Initial data for Keystone using python-keystoneclient
 #
 # Tenant               User      Roles
 # ------------------------------------------------------------------
 # admin                admin     admin
 # service              glance    admin
 # service              nova      admin, [ResellerAdmin (swift only)]
 # service              quantum   admin        # if enabled
 # service              swift     admin        # if enabled
 # demo                 admin     admin
 # demo                 demo      Member, anotherrole
 # invisible_to_admin   demo      Member
 #
 # Variables set before calling this script:
 # SERVICE_TOKEN - aka admin_token in keystone.conf
 # SERVICE_ENDPOINT - local Keystone admin endpoint
 # SERVICE_TENANT_NAME - name of tenant containing service accounts
 # ENABLED_SERVICES - stack.sh's list of services to start
 # DEVSTACK_DIR - Top-level DevStack directory

 ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
 SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
 export SERVICE_TOKEN=$SERVICE_TOKEN
 export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
 SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}

 function get_id () {
     echo `$@ | awk '/ id / { print $4 }'`
 }

 # Tenants
 ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
 SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
 DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
 INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)


 # Users
 ADMIN_USER=$(get_id keystone user-create --name=admin \
                                          --pass="$ADMIN_PASSWORD" \
                                          --email=admin@example.com)
 DEMO_USER=$(get_id keystone user-create --name=demo \
                                         --pass="$ADMIN_PASSWORD" \
                                         --email=demo@example.com)


 # Roles
 ADMIN_ROLE=$(get_id keystone role-create --name=admin)
 KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
 KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
 # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
 # TODO(sleepsonthefloor): show how this can be used for rbac in the future!
 ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)


 # Add Roles to Users in Tenants
 keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
 keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
 keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT

 # TODO(termie): these two might be dubious
 keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
 keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT


 # The Member role is used by Horizon and Swift so we need to keep it:
 MEMBER_ROLE=$(get_id keystone role-create --name=Member)
 keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
 keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT


 # Configure service users/roles
 NOVA_USER=$(get_id keystone user-create --name=nova \
                                         --pass="$SERVICE_PASSWORD" \
                                         --tenant_id $SERVICE_TENANT \
                                         --email=nova@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
                        --user $NOVA_USER \
                        --role $ADMIN_ROLE

 GLANCE_USER=$(get_id keystone user-create --name=glance \
                                           --pass="$SERVICE_PASSWORD" \
                                           --tenant_id $SERVICE_TENANT \
                                           --email=glance@example.com)
 keystone user-role-add --tenant_id $SERVICE_TENANT \
                        --user $GLANCE_USER \
                        --role $ADMIN_ROLE

 if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
     SWIFT_USER=$(get_id keystone user-create --name=swift \
                                              --pass="$SERVICE_PASSWORD" \
                                              --tenant_id $SERVICE_TENANT \
                                              --email=swift@example.com)
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user $SWIFT_USER \
                            --role $ADMIN_ROLE
     # Nova needs ResellerAdmin role to download images when accessing
     # swift through the s3 api. The admin role in swift allows a user
     # to act as an admin for their tenant, but ResellerAdmin is needed
     # for a user to act as any tenant. The name of this role is also
     # configurable in swift-proxy.conf
     RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user $NOVA_USER \
                            --role $RESELLER_ROLE
 fi

 if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
     QUANTUM_USER=$(get_id keystone user-create --name=quantum \
                                                --pass="$SERVICE_PASSWORD" \
                                                --tenant_id $SERVICE_TENANT \
                                                --email=quantum@example.com)
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user $QUANTUM_USER \
                            --role $ADMIN_ROLE
 fi
	#!/bin/bash
	#
	# Initial data for Keystone using python-keystoneclient
	#
	# Tenant User Roles
	# ------------------------------------------------------------------
	# admin admin admin
	# service glance admin
	# service nova admin, [ResellerAdmin (swift only)]
	# service quantum admin # if enabled
	# service swift admin # if enabled
	# demo admin admin
	# demo demo Member, anotherrole
	# invisible_to_admin demo Member
	#
	# Variables set before calling this script:
	# SERVICE_TOKEN - aka admin_token in keystone.conf
	# SERVICE_ENDPOINT - local Keystone admin endpoint
	# SERVICE_TENANT_NAME - name of tenant containing service accounts
	# ENABLED_SERVICES - stack.sh's list of services to start
	# DEVSTACK_DIR - Top-level DevStack directory

	ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
	SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
	export SERVICE_TOKEN=$SERVICE_TOKEN
	export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
	SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}

	function get_id () {
	echo `$@ \| awk '/ id / { print $4 }'`
	}

	# Tenants
	ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
	SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
	DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
	INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)


	# Users
	ADMIN_USER=$(get_id keystone user-create --name=admin \
	--pass="$ADMIN_PASSWORD" \
	--email=admin@example.com)
	DEMO_USER=$(get_id keystone user-create --name=demo \
	--pass="$ADMIN_PASSWORD" \
	--email=demo@example.com)


	# Roles
	ADMIN_ROLE=$(get_id keystone role-create --name=admin)
	KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
	KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
	# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
	# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
	ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)


	# Add Roles to Users in Tenants
	keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
	keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
	keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT

	# TODO(termie): these two might be dubious
	keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
	keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT


	# The Member role is used by Horizon and Swift so we need to keep it:
	MEMBER_ROLE=$(get_id keystone role-create --name=Member)
	keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
	keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT


	# Configure service users/roles
	NOVA_USER=$(get_id keystone user-create --name=nova \
	--pass="$SERVICE_PASSWORD" \
	--tenant_id $SERVICE_TENANT \
	--email=nova@example.com)
	keystone user-role-add --tenant_id $SERVICE_TENANT \
	--user $NOVA_USER \
	--role $ADMIN_ROLE

	GLANCE_USER=$(get_id keystone user-create --name=glance \
	--pass="$SERVICE_PASSWORD" \
	--tenant_id $SERVICE_TENANT \
	--email=glance@example.com)
	keystone user-role-add --tenant_id $SERVICE_TENANT \
	--user $GLANCE_USER \
	--role $ADMIN_ROLE

	if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
	SWIFT_USER=$(get_id keystone user-create --name=swift \
	--pass="$SERVICE_PASSWORD" \
	--tenant_id $SERVICE_TENANT \
	--email=swift@example.com)
	keystone user-role-add --tenant_id $SERVICE_TENANT \
	--user $SWIFT_USER \
	--role $ADMIN_ROLE
	# Nova needs ResellerAdmin role to download images when accessing
	# swift through the s3 api. The admin role in swift allows a user
	# to act as an admin for their tenant, but ResellerAdmin is needed
	# for a user to act as any tenant. The name of this role is also
	# configurable in swift-proxy.conf
	RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
	keystone user-role-add --tenant_id $SERVICE_TENANT \
	--user $NOVA_USER \
	--role $RESELLER_ROLE
	fi

	if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
	QUANTUM_USER=$(get_id keystone user-create --name=quantum \
	--pass="$SERVICE_PASSWORD" \
	--tenant_id $SERVICE_TENANT \
	--email=quantum@example.com)
	keystone user-role-add --tenant_id $SERVICE_TENANT \
	--user $QUANTUM_USER \
	--role $ADMIN_ROLE
	fi