Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
diff --git a/lib/ceilometer b/lib/ceilometer
index 04c1a34..b8305b1 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -69,6 +69,11 @@
# create_ceilometer_accounts() - Set up common required ceilometer accounts
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME ceilometer admin
+# SERVICE_TENANT_NAME ceilometer ResellerAdmin (if Swift is enabled)
+
create_ceilometer_accounts() {
SERVICE_TENANT=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
@@ -99,6 +104,13 @@
--adminurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/" \
--internalurl "$CEILOMETER_SERVICE_PROTOCOL://$CEILOMETER_SERVICE_HOST:$CEILOMETER_SERVICE_PORT/"
fi
+ if is_service_enabled swift; then
+ # Ceilometer needs ResellerAdmin role to access swift account stats.
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user ceilometer \
+ ResellerAdmin
+ fi
fi
}
diff --git a/lib/glance b/lib/glance
index 8a4c21b..51e4399 100644
--- a/lib/glance
+++ b/lib/glance
@@ -159,6 +159,49 @@
cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON
}
+# create_glance_accounts() - Set up common required glance accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# SERVICE_TENANT_NAME glance service
+# SERVICE_TENANT_NAME glance-swift ResellerAdmin (if Swift is enabled)
+
+function create_glance_accounts {
+ if is_service_enabled g-api; then
+ openstack user create \
+ --password "$SERVICE_PASSWORD" \
+ --project $SERVICE_TENANT_NAME \
+ glance
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user glance \
+ service
+ # required for swift access
+ if is_service_enabled s-proxy; then
+ openstack user create \
+ --password "$SERVICE_PASSWORD" \
+ --project $SERVICE_TENANT_NAME \
+ glance-swift
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user glance-swift \
+ ResellerAdmin
+ fi
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ openstack service create \
+ --type image \
+ --description "Glance Image Service" \
+ glance
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$GLANCE_HOSTPORT" \
+ --adminurl "http://$GLANCE_HOSTPORT" \
+ --internalurl "http://$GLANCE_HOSTPORT" \
+ glance
+ fi
+ fi
+}
+
# create_glance_cache_dir() - Part of the init_glance() process
function create_glance_cache_dir {
# Create cache dir
diff --git a/lib/keystone b/lib/keystone
index c6856c9..b31cc57 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -266,9 +266,11 @@
# Tenant User Roles
# ------------------------------------------------------------------
-# service -- --
-# -- -- Member
# admin admin admin
+# service -- --
+# -- -- service
+# -- -- ResellerAdmin
+# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
@@ -294,10 +296,17 @@
--project $ADMIN_TENANT \
--user $ADMIN_USER
- # service
- SERVICE_TENANT=$(openstack project create \
- $SERVICE_TENANT_NAME \
- | grep " id " | get_field 2)
+ # Create service project/role
+ openstack project create $SERVICE_TENANT_NAME
+
+ # Service role, so service users do not have to be admins
+ openstack role create service
+
+ # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+ # The admin role in swift allows a user to act as an admin for their tenant,
+ # but ResellerAdmin is needed for a user to act as any tenant. The name of this
+ # role is also configurable in swift-proxy.conf
+ openstack role create ResellerAdmin
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \
diff --git a/lib/nova b/lib/nova
index 583a592..a7c4421 100644
--- a/lib/nova
+++ b/lib/nova
@@ -316,9 +316,10 @@
# create_nova_accounts() - Set up common required nova accounts
-# Tenant User Roles
+# Project User Roles
# ------------------------------------------------------------------
-# service nova admin, [ResellerAdmin (swift only)]
+# SERVICE_TENANT_NAME nova admin
+# SERVICE_TENANT_NAME nova ResellerAdmin (if Swift is enabled)
# Migrated from keystone_data.sh
create_nova_accounts() {
@@ -363,6 +364,48 @@
--internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v3"
fi
fi
+
+ if is_service_enabled n-api; then
+ # Swift
+ if is_service_enabled swift; then
+ # Nova needs ResellerAdmin role to download images when accessing
+ # swift through the s3 api.
+ openstack role add \
+ --project $SERVICE_TENANT_NAME \
+ --user nova \
+ ResellerAdmin
+ fi
+
+ # EC2
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then
+ openstack service create \
+ --type ec2 \
+ --description "EC2 Compatibility Layer" \
+ ec2
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
+ --internalurl "http://$SERVICE_HOST:8773/services/Cloud" \
+ ec2
+ fi
+ fi
+
+ # S3
+ if is_service_enabled n-obj swift3; then
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ openstack service create \
+ --type s3 \
+ --description "S3" \
+ s3
+ openstack endpoint create \
+ --region RegionOne \
+ --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
+ s3
+ fi
+ fi
}
# create_nova_conf() - Create a new nova.conf file
diff --git a/lib/tempest b/lib/tempest
index 16f8744..897efa8 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -358,6 +358,30 @@
$errexit
}
+# create_tempest_accounts() - Set up common required tempest accounts
+
+# Project User Roles
+# ------------------------------------------------------------------
+# alt_demo alt_demo Member
+
+# Migrated from keystone_data.sh
+function create_tempest_accounts {
+ if is_service_enabled tempest; then
+ # Tempest has some tests that validate various authorization checks
+ # between two regular users in separate tenants
+ openstack project create \
+ alt_demo
+ openstack user create \
+ --project alt_demo \
+ --password "$ADMIN_PASSWORD" \
+ alt_demo
+ openstack role add \
+ --project alt_demo \
+ --user alt_demo \
+ Member
+ fi
+}
+
# install_tempest() - Collect source and prepare
function install_tempest {
git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH