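#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# A set of EC2-compatible credentials is created for both admin and demo
# users and placed in $DEVSTACK_DIR/ec2rc.  NOTE: that file holds the
# plaintext access/secret pairs, so treat it like a password file.
#
# Tenant               User     Roles
# -------------------------------------------------------
# admin                admin    admin
# service              glance   admin
# service              nova     admin
# service              quantum  admin                      # if enabled
# service              swift    admin                      # if enabled
# demo                 admin    admin
# demo                 demo     Member,sysadmin,netadmin
# invisible_to_admin   demo     Member
#
# Variables set before calling this script:
# SERVICE_TOKEN        - aka admin_token in keystone.conf; the bootstrap
#                        token the keystone CLI uses for every call below
# SERVICE_ENDPOINT     - local Keystone admin endpoint
# SERVICE_TENANT_NAME  - name of tenant containing service accounts
# ENABLED_SERVICES     - stack.sh's list of services to start
# DEVSTACK_DIR         - Top-level DevStack directory
#
# Optional:
# ADMIN_PASSWORD       - password for BOTH the admin and the demo user
#                        (defaults to "secrete", a well-known value that is
#                        only acceptable on a throwaway dev host)
# SERVICE_PASSWORD     - password for the nova/glance/swift/quantum service
#                        accounts (defaults to $ADMIN_PASSWORD, i.e. the
#                        service accounts share the admin credential)

# The defaults are kept for compatibility with callers that rely on them,
# but they are announced on stderr so a default never slips by unnoticed.
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
if [[ "$ADMIN_PASSWORD" == "secrete" ]]; then
  echo "WARNING: ADMIN_PASSWORD is the well-known default 'secrete'" >&2
fi
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
if [[ "$SERVICE_PASSWORD" == "$ADMIN_PASSWORD" ]]; then
  echo "WARNING: SERVICE_PASSWORD equals ADMIN_PASSWORD; service accounts share the admin credential" >&2
fi

# The keystone CLI is expected to pick these up from the environment; an
# empty token or endpoint means the calls below are unlikely to succeed.
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
if [[ -z "$SERVICE_TOKEN" || -z "$SERVICE_ENDPOINT" ]]; then
  echo "WARNING: SERVICE_TOKEN and/or SERVICE_ENDPOINT is unset; keystone calls are likely to fail" >&2
fi
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}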
| |
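# Run a keystone CLI command ("$@") and print the value of its "id" row.
# The CLI prints a table like "| id | <uuid> |"; with awk's default
# whitespace splitting the label is $2 and the value is $4.  Matching
# $2 == "id" exactly (instead of / id /) cannot be fooled by a value column
# that merely contains the word "id", and "$@" keeps every argument intact
# so a password or description containing whitespace or glob characters is
# not re-split or expanded by the shell before it reaches keystone.
# NOTE: callers pass secrets (--pass=...) on argv, so they are visible in
# `ps` output and in any xtrace log while the command runs.
function get_id () {
  "$@" | awk '$2 == "id" { print $4; exit }'
}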
| |
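# Tenants
# Each id is captured for the role grants further down.  SERVICE_TENANT_NAME
# is caller-supplied, so it is quoted to reach keystone as a single argument.
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)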
| |
| |
# Users
# Both accounts are created with ADMIN_PASSWORD, so the "demo" login is
# exactly as secret as the admin one.  The password is handed to the CLI
# on argv (see get_id), which is visible to other local processes.
ADMIN_USER=$(get_id keystone user-create \
  --name=admin --pass="$ADMIN_PASSWORD" --email=admin@example.com)
DEMO_USER=$(get_id keystone user-create \
  --name=demo --pass="$ADMIN_PASSWORD" --email=demo@example.com)
| |
# Roles
# Create each role and store its id in the named variable (VARIABLE:role).
for spec in ADMIN_ROLE:admin \
            KEYSTONEADMIN_ROLE:KeystoneAdmin \
            KEYSTONESERVICE_ROLE:KeystoneServiceAdmin \
            SYSADMIN_ROLE:sysadmin \
            NETADMIN_ROLE:netadmin; do
  printf -v "${spec%%:*}" '%s' "$(get_id keystone role-create --name="${spec#*:}")"
done
| |
| |
# Add Roles to Users in Tenants
# (argument order mirrors the service-account grants later in this file:
# tenant, user, role)
keystone user-role-add --tenant_id "$ADMIN_TENANT" --user "$ADMIN_USER" --role "$ADMIN_ROLE"
keystone user-role-add --tenant_id "$DEMO_TENANT"  --user "$ADMIN_USER" --role "$ADMIN_ROLE"
keystone user-role-add --tenant_id "$DEMO_TENANT"  --user "$DEMO_USER"  --role "$SYSADMIN_ROLE"
keystone user-role-add --tenant_id "$DEMO_TENANT"  --user "$DEMO_USER"  --role "$NETADMIN_ROLE"

# TODO(termie): these two might be dubious
# The names suggest keystone-internal administrative roles; confirm against
# the keystone policy actually in use before relying on -- or widening --
# whatever they grant the admin user.
keystone user-role-add --tenant_id "$ADMIN_TENANT" --user "$ADMIN_USER" --role "$KEYSTONEADMIN_ROLE"
keystone user-role-add --tenant_id "$ADMIN_TENANT" --user "$ADMIN_USER" --role "$KEYSTONESERVICE_ROLE"
| |
| |
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
# demo is a plain Member of its own tenant and of invisible_to_admin; the
# admin user gets no grant in the latter (see the table at the top).
for tenant in "$DEMO_TENANT" "$INVIS_TENANT"; do
  keystone user-role-add --user "$DEMO_USER" --role "$MEMBER_ROLE" --tenant_id "$tenant"
done
| |
| |
# Services
# Every service gets a catalog entry; nova and glance additionally get a
# service account in SERVICE_TENANT holding the admin role (keystone and
# ec2 do not).  All service accounts share SERVICE_PASSWORD, and depending
# on the policy in use "admin" on the service tenant may be far broader
# than that tenant -- worth confirming before reusing this outside dev.
keystone service-create --name=keystone --type=identity \
  --description="Keystone Identity Service"

keystone service-create --name=nova --type=compute \
  --description="Nova Compute Service"
NOVA_USER=$(get_id keystone user-create --name=nova --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" --email=nova@example.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" --user "$NOVA_USER" --role "$ADMIN_ROLE"

keystone service-create --name=ec2 --type=ec2 \
  --description="EC2 Compatibility Layer"

keystone service-create --name=glance --type=image \
  --description="Glance Image Service"
GLANCE_USER=$(get_id keystone user-create --name=glance --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" --email=glance@example.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" --user "$GLANCE_USER" --role "$ADMIN_ROLE"
| |
# nova-volume only gets a catalog entry; no service account is created for it.
# (substring test: any ENABLED_SERVICES entry containing "n-vol" enables it)
if [[ "$ENABLED_SERVICES" == *n-vol* ]]; then
  keystone service-create --name="nova-volume" --type=volume \
    --description="Nova Volume Service"
fi
| |
# Swift: catalog entry plus a service account (admin role in SERVICE_TENANT),
# enabled by any ENABLED_SERVICES entry containing "swift".
if [[ "$ENABLED_SERVICES" == *swift* ]]; then
  keystone service-create --name=swift --type="object-store" \
    --description="Swift Service"
  SWIFT_USER=$(get_id keystone user-create --name=swift --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" --email=swift@example.com)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" --user "$SWIFT_USER" --role "$ADMIN_ROLE"
fi
| |
# Quantum: catalog entry plus a service account (admin role in SERVICE_TENANT),
# enabled by any ENABLED_SERVICES entry containing "quantum".
if [[ "$ENABLED_SERVICES" == *quantum* ]]; then
  keystone service-create --name=quantum --type=network \
    --description="Quantum Service"
  QUANTUM_USER=$(get_id keystone user-create --name=quantum --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" --email=quantum@example.com)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" --user "$QUANTUM_USER" --role "$ADMIN_ROLE"
fi
| |
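# create ec2 creds and parse the secret and access key returned
# (keystone prints "| access | <key> |" and "| secret | <key> |" rows; the
# label is awk's $2 and the value $4)
RESULT=$(keystone ec2-credentials-create --tenant_id="$ADMIN_TENANT" --user="$ADMIN_USER")
ADMIN_ACCESS=$(echo "$RESULT" | awk '$2 == "access" { print $4; exit }')
ADMIN_SECRET=$(echo "$RESULT" | awk '$2 == "secret" { print $4; exit }')

RESULT=$(keystone ec2-credentials-create --tenant_id="$DEMO_TENANT" --user="$DEMO_USER")
DEMO_ACCESS=$(echo "$RESULT" | awk '$2 == "access" { print $4; exit }')
DEMO_SECRET=$(echo "$RESULT" | awk '$2 == "secret" { print $4; exit }')

# Do not write a credentials file with blank keys (the keystone calls
# failed) and do not write it to an unknown location: with DEVSTACK_DIR
# unset the target would silently become "/ec2rc".
if [[ -z "$ADMIN_ACCESS" || -z "$ADMIN_SECRET" || -z "$DEMO_ACCESS" || -z "$DEMO_SECRET" ]]; then
  echo "ERROR: ec2-credentials-create did not return access/secret keys; not writing ec2rc" >&2
  exit 1
fi
: "${DEVSTACK_DIR:?DEVSTACK_DIR must be set to write ec2rc}"

# write the secret and access to ec2rc
# The file holds live secret keys, so create it owner-only (0600) instead of
# inheriting the caller's umask (commonly 022, i.e. world-readable).  umask
# only applies to newly created files and "cat >" would keep the mode of an
# existing world-readable ec2rc, hence the rm -f first.  The subshell keeps
# the umask change local to this write.
(
  umask 077
  rm -f -- "$DEVSTACK_DIR/ec2rc"
  cat > "$DEVSTACK_DIR/ec2rc" <<EOF
ADMIN_ACCESS=$ADMIN_ACCESS
ADMIN_SECRET=$ADMIN_SECRET
DEMO_ACCESS=$DEMO_ACCESS
DEMO_SECRET=$DEMO_SECRET
EOF
)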