Always add the service role to service users
When creating a service user we allow the user to be created with a
different role. Currently in auth_token middleware we want to check that
the service token is specified with the service role so we should always
add the service role and optionally add additional roles.
Change-Id: Ie954a679674b4795079b539ebc8d4d2dcbd7dacc
diff --git a/lib/keystone b/lib/keystone
index fd1d1d4..a8de3ef 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -445,14 +445,16 @@
#
# create_service_user <name> [role]
#
-# The role defaults to the service role. It is allowed to be provided as optional as historically
+# We always add the service role, other roles are also allowed to be added as historically
# a lot of projects have configured themselves with the admin or other role here if they are
# using this user for other purposes beyond simply auth_token middleware.
function create_service_user {
- local role=${2:-service}
-
get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
- get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
+ get_or_add_user_project_role service "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
+
+ if [[ -n "$2" ]]; then
+ get_or_add_user_project_role "$2" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
+ fi
}
# Configure the service to use the auth token middleware.
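Review bot: The added `if [[ -n "$2" ]]` block reads the positional parameter directly, so a caller that still passes `service` explicitly (the old default) triggers a second, redundant role assignment, and the bare `$2` would abort the function if this file is ever sourced under `set -u`. Binding it once with `local extra_role=${2:-}` and testing `if [[ -n "$extra_role" && "$extra_role" != "service" ]]; then` avoids both. The usage line is unchanged by the patch and still reads as if the role were a replacement; something like `# create_service_user <name> [additional_role]` would make it clear that the argument is granted on top of `service`. That matters for least privilege: a caller passing `admin` now gets a user holding both roles, which should be a deliberate choice rather than a side effect.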