Use service role with glance service glance just used to admin role for token validation, the service role is sufficient for this. glance also needs an user with enough permission to use swift, so creating a dedictated service user for swift usage when s-proxy is enabled. Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1

commit: 85a85f87f814446dd2364eea1b6d976d50500203 [log] [tgz]
author: Attila Fazekas <afazekas@redhat.com> Tue Jan 21 11:13:55 2014 +0100
committer: Attila Fazekas <afazekas@redhat.com> Sun Feb 02 10:30:15 2014 +0100
tree: 0f49d5f948e1f974e2738c2799c27b046a2c1784
parent: 78ab80e5589a7df21a03f06f38c4bae3e79bf756 [diff]
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index d477c42..9a34c76 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh

@@ -2,12 +2,14 @@
 #
 # Initial data for Keystone using python-keystoneclient
 #
-# Tenant               User       Roles
+# Tenant               User         Roles
 # ------------------------------------------------------------------
-# service              glance     admin
-# service              heat       service        # if enabled
+# service              glance       service
+# service              glance-swift ResellerAdmin
+# service              heat         service        # if enabled
+# service              ceilometer   admin          # if enabled
 # Tempest Only:
-# alt_demo             alt_demo  Member
+# alt_demo             alt_demo     Member
 #
 # Variables set before calling this script:
 # SERVICE_TOKEN - aka admin_token in keystone.conf
@@ -96,7 +98,19 @@
     keystone user-role-add \
         --tenant $SERVICE_TENANT_NAME \
         --user glance \
-        --role admin
+        --role service
+    # required for swift access
+    if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
+        keystone user-create \
+            --name=glance-swift \
+            --pass="$SERVICE_PASSWORD" \
+            --tenant $SERVICE_TENANT_NAME \
+            --email=glance-swift@example.com
+        keystone user-role-add \
+            --tenant $SERVICE_TENANT_NAME \
+            --user glance-swift \
+            --role ResellerAdmin
+    fi
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         keystone service-create \
             --name=glance \

diff --git a/lib/glance b/lib/glance
index 2d41ea4..00f499a 100644
--- a/lib/glance
+++ b/lib/glance

@@ -124,7 +124,7 @@
     if is_service_enabled s-proxy; then
         iniset $GLANCE_API_CONF DEFAULT default_store swift
         iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
-        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
+        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
         iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
         iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True
commit	85a85f87f814446dd2364eea1b6d976d50500203	[log] [tgz]
author	Attila Fazekas <afazekas@redhat.com>	Tue Jan 21 11:13:55 2014 +0100
committer	Attila Fazekas <afazekas@redhat.com>	Sun Feb 02 10:30:15 2014 +0100
tree	0f49d5f948e1f974e2738c2799c27b046a2c1784
parent	78ab80e5589a7df21a03f06f38c4bae3e79bf756 [diff]