Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC; all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
diff --git a/extras.d/80-tempest.sh b/extras.d/80-tempest.sh
index 0186e36..74f4c60 100644
--- a/extras.d/80-tempest.sh
+++ b/extras.d/80-tempest.sh
@@ -9,7 +9,7 @@
install_tempest
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
# Tempest config must come after layer 2 services are running
- :
+ create_tempest_accounts
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing Tempest"
configure_tempest
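Review bot: The comment `# Tempest config must come after layer 2 services are running` now sits directly above `create_tempest_accounts`, which creates Keystone accounts rather than configuring Tempest, so it no longer describes the line it introduces. Because this call runs from the extras.d hook rather than inside the token-flow section of stack.sh, it appears to depend on the password-flow `OS_*` credentials exported in the stack.sh hunk at `@@ -930`; the ordering of the stack phases is not visible on this page, so that is an inference. I would reword the comment to something like `# Create Tempest accounts; relies on the admin password credentials exported by stack.sh`.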
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
deleted file mode 100755
index fc1e813..0000000
--- a/files/keystone_data.sh
+++ /dev/null
@@ -1,146 +0,0 @@
-#!/bin/bash
-#
-# Initial data for Keystone using python-keystoneclient
-#
-# Tenant User Roles
-# ------------------------------------------------------------------
-# service glance service
-# service glance-swift ResellerAdmin
-# service heat service # if enabled
-# service ceilometer admin # if enabled
-# Tempest Only:
-# alt_demo alt_demo Member
-#
-# Variables set before calling this script:
-# SERVICE_TOKEN - aka admin_token in keystone.conf
-# SERVICE_ENDPOINT - local Keystone admin endpoint
-# SERVICE_TENANT_NAME - name of tenant containing service accounts
-# SERVICE_HOST - host used for endpoint creation
-# ENABLED_SERVICES - stack.sh's list of services to start
-# DEVSTACK_DIR - Top-level DevStack directory
-# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
-
-# Defaults
-# --------
-
-ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
-SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
-export SERVICE_TOKEN=$SERVICE_TOKEN
-export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
-SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
-
-# Roles
-# -----
-
-# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
-# The admin role in swift allows a user to act as an admin for their tenant,
-# but ResellerAdmin is needed for a user to act as any tenant. The name of this
-# role is also configurable in swift-proxy.conf
-keystone role-create --name=ResellerAdmin
-# Service role, so service users do not have to be admins
-keystone role-create --name=service
-
-
-# Services
-# --------
-
-if [[ "$ENABLED_SERVICES" =~ "n-api" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
- # Nova needs ResellerAdmin role to download images when accessing
- # swift through the s3 api.
- keystone user-role-add \
- --tenant $SERVICE_TENANT_NAME \
- --user nova \
- --role ResellerAdmin
-fi
-
-# Glance
-if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
- keystone user-create \
- --name=glance \
- --pass="$SERVICE_PASSWORD" \
- --tenant $SERVICE_TENANT_NAME \
- --email=glance@example.com
- keystone user-role-add \
- --tenant $SERVICE_TENANT_NAME \
- --user glance \
- --role service
- # required for swift access
- if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
- keystone user-create \
- --name=glance-swift \
- --pass="$SERVICE_PASSWORD" \
- --tenant $SERVICE_TENANT_NAME \
- --email=glance-swift@example.com
- keystone user-role-add \
- --tenant $SERVICE_TENANT_NAME \
- --user glance-swift \
- --role ResellerAdmin
- fi
- if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
- keystone service-create \
- --name=glance \
- --type=image \
- --description="Glance Image Service"
- keystone endpoint-create \
- --region RegionOne \
- --service glance \
- --publicurl "http://$SERVICE_HOST:9292" \
- --adminurl "http://$SERVICE_HOST:9292" \
- --internalurl "http://$SERVICE_HOST:9292"
- fi
-fi
-
-# Ceilometer
-if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]] && [[ "$ENABLED_SERVICES" =~ "s-proxy" || "$ENABLED_SERVICES" =~ "swift" ]]; then
- # Ceilometer needs ResellerAdmin role to access swift account stats.
- keystone user-role-add --tenant $SERVICE_TENANT_NAME \
- --user ceilometer \
- --role ResellerAdmin
-fi
-
-# EC2
-if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
- if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
- keystone service-create \
- --name=ec2 \
- --type=ec2 \
- --description="EC2 Compatibility Layer"
- keystone endpoint-create \
- --region RegionOne \
- --service ec2 \
- --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
- --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
- --internalurl "http://$SERVICE_HOST:8773/services/Cloud"
- fi
-fi
-
-# S3
-if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift3" ]]; then
- if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
- keystone service-create \
- --name=s3 \
- --type=s3 \
- --description="S3"
- keystone endpoint-create \
- --region RegionOne \
- --service s3 \
- --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
- --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
- --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
- fi
-fi
-
-if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
- # Tempest has some tests that validate various authorization checks
- # between two regular users in separate tenants
- keystone tenant-create \
- --name=alt_demo
- keystone user-create \
- --name=alt_demo \
- --pass="$ADMIN_PASSWORD" \
- --email=alt_demo@example.com
- keystone user-role-add \
- --tenant alt_demo \
- --user alt_demo \
- --role Member
-fi
diff --git a/lib/ceilometer b/lib/ceilometer
index 04c1a34..b8305b1 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -69,6 +69,11 @@
# create_ceilometer_accounts() - Set up common required ceilometer accounts
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME ceilometer admin
+# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
+
create_ceilometer_accounts() {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
@@ -99,6 +104,13 @@
--adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
--internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
fi
+ if is_service_enabled swift; then
+ # Ceilometer needs ResellerAdmin role to access swift account stats.
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user ceilometer \
+ ResellerAdmin
+ fi
fi
}
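Review bot: `--project $SERVICE_TENANT_NAME` in the added `openstack role add` is unquoted, so a project name containing whitespace or glob characters would be split into extra arguments and the ResellerAdmin grant could fail or land on a different project; write `--project "$SERVICE_TENANT_NAME" \`. The same unquoted expansion appears in the added lines of lib/glance (four times), lib/keystone (`openstack project create $SERVICE_TENANT_NAME`) and lib/nova. The grant is also nested inside an outer `if` whose condition lies outside this hunk, so whether it still fires for every configuration the removed keystone_data.sh test covered cannot be confirmed from here.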
diff --git a/lib/glance b/lib/glance
index 8a4c21b..51e4399 100644
--- a/lib/glance
+++ b/lib/glance
@@ -159,6 +159,49 @@
cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON
}
+# create_glance_accounts() - Set up common required glance accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME glance service
+# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if Swift is enabled)
+
+function create_glance_accounts {
+ if is_service_enabled g-api; then
+ openstack user create \
+ --password "$SERVICE_PASSWORD" \
+ --project $SERVICE_TENANT_NAME \
+ glance
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user glance \
+ service
+ # required for swift access
+ if is_service_enabled s-proxy; then
+ openstack user create \
+ --password "$SERVICE_PASSWORD" \
+ --project $SERVICE_TENANT_NAME \
+ glance-swift
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user glance-swift \
+ ResellerAdmin
+ fi
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ openstack service create \
+ --type image \
+ --description "Glance Image Service" \
+ glance
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$GLANCE_HOSTPORT" \
+ --adminurl "http://$GLANCE_HOSTPORT" \
+ --internalurl "http://$GLANCE_HOSTPORT" \
+ glance
+ fi
+ fi
+}
+
# create_glance_cache_dir() - Part of the init_glance() process
function create_glance_cache_dir {
# Create cache dir
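Review bot: The three URLs in the added `openstack endpoint create` hard-code `http://`, so the catalog will advertise a plaintext image endpoint even where Glance is served over TLS, and clients that follow the catalog would send tokens and image data unencrypted. The context lines in the lib/ceilometer and lib/nova hunks build their URLs from `$CEILOMETER_SERVICE_PROTOCOL` and `$NOVA_SERVICE_PROTOCOL`; if lib/glance has an equivalent protocol variable (none is visible on this page), it should be used here. The same applies to the EC2 and S3 endpoints added in lib/nova. If plain HTTP is intended, a comment such as `# endpoints are registered as http on purpose` would record that.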
diff --git a/lib/keystone b/lib/keystone
index c6856c9..b31cc57 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -266,9 +266,11 @@
# Tenant User Roles
# ------------------------------------------------------------------
-# service -- --
-# -- -- Member
# admin admin admin
+# service -- --
+# -- -- service
+# -- -- ResellerAdmin
+# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
@@ -294,10 +296,17 @@
--project $ADMIN_TENANT \
--user $ADMIN_USER
- # service
- SERVICE_TENANT=$(openstack project create \
- $SERVICE_TENANT_NAME \
- | grep " id " | get_field 2)
+ # Create service project/role
+ openstack project create $SERVICE_TENANT_NAME
+
+ # Service role, so service users do not have to be admins
+ openstack role create service
+
+ # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+ # The admin role in swift allows a user to act as an admin for their tenant,
+ # but ResellerAdmin is needed for a user to act as any tenant. The name of this
+ # role is also configurable in swift-proxy.conf
+ openstack role create ResellerAdmin
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \
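Review bot: Replacing the `SERVICE_TENANT=$(openstack project create ...)` capture with a bare `openstack project create $SERVICE_TENANT_NAME` means this function no longer sets `SERVICE_TENANT`, so any later line that still reads it would expand to an empty string and pass an empty project argument. The rest of `create_keystone_accounts` lies outside this hunk, and the lib/ceilometer context shows that library doing its own lookup, so this may already be safe; a search for `SERVICE_TENANT` across the service libraries would confirm it. The two new `openstack role create` calls also leave their exit status unchecked, so a failure to create `service` or `ResellerAdmin` would first surface as a failed `role add` in another file unless errexit is active here.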
diff --git a/lib/nova b/lib/nova
index 583a592..a7c4421 100644
--- a/lib/nova
+++ b/lib/nova
@@ -316,9 +316,10 @@
# create_nova_accounts() - Set up common required nova accounts
-# Tenant User Roles
+# Project User Roles
# ------------------------------------------------------------------
-# service nova admin, [ResellerAdmin (swift only)]
+# SERVICE_TENANT_NAME nova admin
+# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
# Migrated from keystone_data.sh
create_nova_accounts() {
@@ -363,6 +364,48 @@
--internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
fi
fi
+
+ if is_service_enabled n-api; then
+ # Swift
+ if is_service_enabled swift; then
+ # Nova needs ResellerAdmin role to download images when accessing
+ # swift through the s3 api.
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user nova \
+ ResellerAdmin
+ fi
+
+ # EC2
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
+ openstack service create \
+ --type ec2 \
+ --description "EC2 Compatibility Layer" \
+ ec2
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+ --internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ ec2
+ fi
+ fi
+
+ # S3
+ if is_service_enabled n-obj swift3; then
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ openstack service create \
+ --type s3 \
+ --description "S3" \
+ s3
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ s3
+ fi
+ fi
}
# create_nova_conf() - Create a new nova.conf file
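Review bot: The added `openstack role add ... ResellerAdmin` for the `nova` user is gated on `is_service_enabled swift` alone, while its comment justifies the role by image downloads through the s3 API, and the lib/keystone hunk describes ResellerAdmin as letting a user act as any tenant. If the role is only needed on the S3 path, granting it whenever Swift is enabled is broader than necessary; consider tying it to the `n-obj`/`swift3` check used further down, or extend the comment to say why every Swift deployment needs it. The condition mirrors the one in the removed keystone_data.sh, so this is a carried-over privilege rather than a new one. `create_nova_accounts` starts above this hunk.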
diff --git a/lib/tempest b/lib/tempest
index 16f8744..897efa8 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -358,6 +358,30 @@
$errexit
}
+# create_tempest_accounts() - Set up common required tempest accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# alt_demo alt_demo Member
+
+# Migrated from keystone_data.sh
+function create_tempest_accounts {
+ if is_service_enabled tempest; then
+ # Tempest has some tests that validate various authorization checks
+ # between two regular users in separate tenants
+ openstack project create \
+ alt_demo
+ openstack user create \
+ --project alt_demo \
+ --password "$ADMIN_PASSWORD" \
+ alt_demo
+ openstack role add \
+ --project alt_demo \
+ --user alt_demo \
+ Member
+ fi
+}
+
# install_tempest() - Collect source and prepare
function install_tempest {
git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH
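Review bot: `--password "$ADMIN_PASSWORD"` gives the unprivileged `alt_demo` test user the same password as the admin account, so anyone handed the alt_demo credentials to run tests also holds the admin password. This is carried over from keystone_data.sh, but the move is a good moment to read the password from a dedicated setting that defaults to `$ADMIN_PASSWORD`, or at least to record the choice with a comment such as `# alt_demo reuses ADMIN_PASSWORD on purpose; test-only account`. The new call also drops the old `--email` argument, which looks intentional but is not mentioned in the commit message.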
diff --git a/stack.sh b/stack.sh
index c990a1c..f8973ee 100755
--- a/stack.sh
+++ b/stack.sh
@@ -907,14 +907,13 @@
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0
fi
- # Do the keystone-specific bits from keystone_data.sh
- export OS_SERVICE_TOKEN=$SERVICE_TOKEN
- export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT
- # Add temporarily to make openstackclient work
+ # Setup OpenStackclient token-flow auth
export OS_TOKEN=$SERVICE_TOKEN
export OS_URL=$SERVICE_ENDPOINT
+
create_keystone_accounts
create_nova_accounts
+ create_glance_accounts
create_cinder_accounts
create_neutron_accounts
@@ -922,7 +921,7 @@
create_ceilometer_accounts
fi
- if is_service_enabled swift || is_service_enabled s-proxy; then
+ if is_service_enabled swift; then
create_swift_accounts
fi
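Review bot: Dropping `|| is_service_enabled s-proxy` makes `create_swift_accounts` depend on `is_service_enabled swift` also being true when only `s-proxy` is listed in `ENABLED_SERVICES`. I believe DevStack's helper treats `swift` as matching any `s-` service, but that helper is not on this page, and the new lib/glance code still tests `s-proxy` directly while lib/ceilometer and lib/nova test `swift`. A one-line comment such as `# is_service_enabled swift also covers the s-* services` would record the assumption, and using the same test in lib/glance would keep the account creation and role grants consistent.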
@@ -930,20 +929,14 @@
create_heat_accounts
fi
- # ``keystone_data.sh`` creates services, admin and demo users, and roles.
- ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
- SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
- S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
- DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES \
- bash -x $FILES/keystone_data.sh
-
- # Set up auth creds now that keystone is bootstrapped
+ # Begone token-flow auth
unset OS_TOKEN OS_URL
+
+ # Set up password-flow auth creds now that keystone is bootstrapped
export OS_AUTH_URL=$SERVICE_ENDPOINT
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
- unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
fi