update create_heat_accounts, don't use os_url and os_token
Currently, the function create_heat_accounts uses the OS_URL and
OS_TOKEN environment variables. This is a bad choice for several
reasons; most importantly, we are sending the "ADMIN_TOKEN" value
as a header. There is also no reason not to use a standard admin
user to create these resources.
Change-Id: I70b41d69917b9e53ad09c2c61e022ef09a50acfd
diff --git a/functions-common b/functions-common
index 1b01eef..b15c3d7 100644
--- a/functions-common
+++ b/functions-common
@@ -866,6 +866,32 @@
echo $user_role_id
}
+# Gets or adds user role to domain
+# Usage: get_or_add_user_domain_role <role> <user> <domain>
+function get_or_add_user_domain_role {
+ local user_role_id
+ # Gets user role id
+ user_role_id=$(openstack role list \
+ --user $2 \
+ --column "ID" \
+ --domain $3 \
+ --column "Name" \
+ | grep " $1 " | get_field 1)
+ if [[ -z "$user_role_id" ]]; then
+ # Adds role to user and get it
+ openstack role add $1 \
+ --user $2 \
+ --domain $3
+ user_role_id=$(openstack role list \
+ --user $2 \
+ --column "ID" \
+ --domain $3 \
+ --column "Name" \
+ | grep " $1 " | get_field 1)
+ fi
+ echo $user_role_id
+}
+
# Gets or adds group role to project
# Usage: get_or_add_group_project_role <role> <group> <project>
function get_or_add_group_project_role {
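Review bot: In get_or_add_user_domain_role the lookup `grep " $1 "` treats the role name as a regular expression and matches it anywhere in the table row, and `$1`, `$2`, `$3` are expanded unquoted, so a name with regex metacharacters or whitespace could select the wrong row or split into extra arguments. I would use `| grep -F -- " $1 " | get_field 1` and quote the expansions (`--user "$2"`, `--domain "$3"`). The result of `openstack role add` is also not checked, so if the grant fails the function prints an empty id and, as far as the hunk shows, still returns success; since this helper grants a role on a whole domain, the caller should be able to tell that the assignment did not happen. The two identical `role list` pipelines could be folded into one small local helper.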
diff --git a/lib/heat b/lib/heat
index fdcf5bc..ff196f4 100644
--- a/lib/heat
+++ b/lib/heat
@@ -402,28 +402,13 @@
fi
if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then
- # Note we have to pass token/endpoint here because the current endpoint and
- # version negotiation in OSC means just --os-identity-api-version=3 won't work
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 domain list | grep ' heat ' | get_field 1)
-
- if [[ -z "$D_ID" ]]; then
- D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 domain create heat \
- --description "Owns users and projects created by heat" \
- | grep ' id ' | get_field 2)
- iniset $HEAT_CONF DEFAULT stack_user_domain_id ${D_ID}
-
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 user create --password $SERVICE_PASSWORD \
- --domain $D_ID heat_domain_admin \
- --description "Manages users and projects created by heat"
- openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 role add \
- --user heat_domain_admin --domain ${D_ID} admin
- iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin
- iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD
- fi
+ # domain -> heat and user -> heat_domain_admin
+ domain_id=$(get_or_create_domain heat 'Owns users and projects created by heat')
+ iniset $HEAT_CONF DEFAULT stack_user_domain_id ${domain_id}
+ get_or_create_user heat_domain_admin $SERVICE_PASSWORD heat
+ get_or_add_user_domain_role admin heat_domain_admin heat
+ iniset $HEAT_CONF DEFAULT stack_domain_admin heat_domain_admin
+ iniset $HEAT_CONF DEFAULT stack_domain_admin_password $SERVICE_PASSWORD
fi
}
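Review bot: `domain_id` is assigned without `local` and written to the Heat config without a check, so if `get_or_create_domain` prints nothing, `stack_user_domain_id` is set to an empty value and the user and role steps still run. I would declare `local domain_id` before the assignment and stop when it is empty, for example `[[ -n "$domain_id" ]] || return 1`. `$SERVICE_PASSWORD` is also passed unquoted to `get_or_create_user` and `iniset`, so a password containing whitespace or glob characters would be split; `"$SERVICE_PASSWORD"` avoids that. The enclosing function begins outside the hunk, and `get_or_create_domain` and `get_or_create_user` are not visible here, so their argument order is assumed from the call sites.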