Add service account configuration
* Use username/password instead of service token for service auth to Keystone
* Updates files/glance-*-paste.ini and files/swift/proxy-server.conf
* keystone_data.sh creates 'service' tenant, 'nova' and 'glance' users
('swift' and 'quantum' if those services are enabled)
* Uses $SERVICE_PASSWORD for the service auth password. There is no default;
to default to $ADMIN_PASSWORD, place the assignment in localrc.
Fixes bug 942983
Change-Id: If78eed1b509a9c1e8441bb4cfa095da9052f9395
diff --git a/files/glance-api-paste.ini b/files/glance-api-paste.ini
index b8832ad..583b70a 100644
--- a/files/glance-api-paste.ini
+++ b/files/glance-api-paste.ini
@@ -30,6 +30,7 @@
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_host = %KEYSTONE_SERVICE_HOST%
service_port = %KEYSTONE_SERVICE_PORT%
service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
@@ -37,7 +38,11 @@
auth_port = %KEYSTONE_AUTH_PORT%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/
+# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USERNAME%
+admin_password = %SERVICE_PASSWORD%
[filter:auth-context]
paste.filter_factory = glance.common.wsgi:filter_factory
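Review bot: The rendered glance-api-paste.ini now carries the service account's clear-text password in `admin_password = %SERVICE_PASSWORD%`, next to the `admin_token` the FIXME says is going away, and nothing in this change narrows the permissions of the rendered file, so it should be installed readable only by the glance service user. While `admin_token` is still set, whether the middleware actually exercises the new user/password path depends on auth_token's precedence between the two values — worth confirming, since the commit message describes the change as replacing the token. The same additions appear in the glance-registry-paste.ini and swift proxy-server.conf hunks. All three templates also substitute a single `%SERVICE_USERNAME%` while keystone_data.sh creates distinct nova/glance/swift/quantum users; presumably the caller sets SERVICE_USERNAME per service before rendering each template, otherwise every service authenticates as the same account.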
diff --git a/files/glance-registry-paste.ini b/files/glance-registry-paste.ini
index f4130ec..fe460d9 100644
--- a/files/glance-registry-paste.ini
+++ b/files/glance-registry-paste.ini
@@ -14,6 +14,7 @@
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_host = %KEYSTONE_SERVICE_HOST%
service_port = %KEYSTONE_SERVICE_PORT%
service_protocol = %KEYSTONE_SERVICE_PROTOCOL%
@@ -21,7 +22,11 @@
auth_port = %KEYSTONE_AUTH_PORT%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_uri = %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/
+# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USERNAME%
+admin_password = %SERVICE_PASSWORD%
[filter:auth-context]
context_class = glance.registry.context.RequestContext
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 3f4841f..e292811 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -17,6 +17,7 @@
fi
ADMIN_TENANT=`get_id keystone tenant-create --name=admin`
+SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME`
DEMO_TENANT=`get_id keystone tenant-create --name=demo`
INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`
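Review bot: `--name=$SERVICE_TENANT_NAME` on the added SERVICE_TENANT line is unquoted and unguarded, whereas the later user-create lines quote `"$SERVICE_PASSWORD"`; an unset variable yields `--name=` and a tenant with an empty name, and get_id would then presumably hand an empty id to every user-create that follows. Suggest quoting it and failing fast on an empty value, e.g. `--name="${SERVICE_TENANT_NAME:?SERVICE_TENANT_NAME is not set}"`. Whether SERVICE_TENANT_NAME always has a value depends on the caller, which is outside this hunk.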
@@ -73,6 +74,14 @@
--name=nova \
--type=compute \
--description="Nova Compute Service"
+NOVA_USER=`get_id keystone user-create \
+ --name=nova \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=nova@example.com`
+keystone user-role-add --tenant_id $SERVICE_TENANT \
+ --user $NOVA_USER \
+ --role $ADMIN_ROLE
keystone service-create \
--name=ec2 \
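Review bot: `--pass="$SERVICE_PASSWORD"` on the added NOVA_USER line creates the account with whatever the variable holds, and the commit message states SERVICE_PASSWORD has no default; if it is unset, the nova service account is created with an empty password and then granted $ADMIN_ROLE. The script should refuse to run before the first user-create, e.g. `: ${SERVICE_PASSWORD:?SERVICE_PASSWORD must be set in localrc}` near the top of the file (outside this hunk), or use `"${SERVICE_PASSWORD:?SERVICE_PASSWORD is not set}"` on each --pass line. The glance, swift and quantum hunks below have the same exposure. Granting each service user $ADMIN_ROLE in the service tenant is the broadest role available; if the auth_token middleware only needs to validate tokens, a narrower role would be preferable once it supports one.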
@@ -83,6 +92,14 @@
--name=glance \
--type=image \
--description="Glance Image Service"
+GLANCE_USER=`get_id keystone user-create \
+ --name=glance \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=glance@example.com`
+keystone user-role-add --tenant_id $SERVICE_TENANT \
+ --user $GLANCE_USER \
+ --role $ADMIN_ROLE
keystone service-create \
--name=keystone \
@@ -101,12 +118,28 @@
--name=swift \
--type="object-store" \
--description="Swift Service"
+ SWIFT_USER=`get_id keystone user-create \
+ --name=swift \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=swift@example.com`
+ keystone user-role-add --tenant_id $SERVICE_TENANT \
+ --user $SWIFT_USER \
+ --role $ADMIN_ROLE
fi
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
keystone service-create \
--name=quantum \
--type=network \
--description="Quantum Service"
+ QUANTUM_USER=`get_id keystone user-create \
+ --name=quantum \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=quantum@example.com`
+ keystone user-role-add --tenant_id $SERVICE_TENANT \
+ --user $QUANTUM_USER \
+ --role $ADMIN_ROLE
fi
# create ec2 creds and parse the secret and access key returned
diff --git a/files/swift/proxy-server.conf b/files/swift/proxy-server.conf
index d6db117..e80c1d5 100644
--- a/files/swift/proxy-server.conf
+++ b/files/swift/proxy-server.conf
@@ -31,13 +31,18 @@
[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
+# FIXME(dtroyer): remove these service_* entries after auth_token is updated
service_port = %KEYSTONE_SERVICE_PORT%
service_host = %KEYSTONE_SERVICE_HOST%
auth_port = %KEYSTONE_AUTH_PORT%
auth_host = %KEYSTONE_AUTH_HOST%
auth_protocol = %KEYSTONE_AUTH_PROTOCOL%
auth_token = %SERVICE_TOKEN%
+# FIXME(dtroyer): remove admin_token after auth_token is updated
admin_token = %SERVICE_TOKEN%
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USERNAME%
+admin_password = %SERVICE_PASSWORD%
cache = swift.cache
[filter:swift3]