Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
diff --git a/lib/keystone b/lib/keystone
index c6856c9..b31cc57 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -266,9 +266,11 @@
# Tenant User Roles
# ------------------------------------------------------------------
-# service -- --
-# -- -- Member
# admin admin admin
+# service -- --
+# -- -- service
+# -- -- ResellerAdmin
+# -- -- Member
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
@@ -294,10 +296,17 @@
--project $ADMIN_TENANT \
--user $ADMIN_USER
- # service
- SERVICE_TENANT=$(openstack project create \
- $SERVICE_TENANT_NAME \
- | grep " id " | get_field 2)
+ # Create service project/role
+ openstack project create $SERVICE_TENANT_NAME
+
+ # Service role, so service users do not have to be admins
+ openstack role create service
+
+ # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
+ # The admin role in swift allows a user to act as an admin for their tenant,
+ # but ResellerAdmin is needed for a user to act as any tenant. The name of this
+ # role is also configurable in swift-proxy.conf
+ openstack role create ResellerAdmin
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(openstack role create \