Cleanup keystone_data.sh
* Remove the compatibility code for older keystone client
* Reformat commands similarly to keystone's sample_data.sh
* Improve documentation
Change-Id: I2fc544555a1b936d28f11c3c4eaaf885b2cb6d17
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index e292811..958d2af 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -1,165 +1,149 @@
#!/bin/bash
-# Tenants
+#
+# Initial data for Keystone using python-keystoneclient
+#
+# A set of EC2-compatible credentials is created for both admin and demo
+# users and placed in $DEVSTACK_DIR/ec2rc.
+#
+# Tenant User Roles
+# -------------------------------------------------------
+# admin admin admin
+# service glance admin
+# service nova admin
+# service quantum admin # if enabled
+# service swift admin # if enabled
+# demo admin admin
+# demo demo Member,sysadmin,netadmin
+# invisible_to_admin demo Member
+#
+# Variables set before calling this script:
+# SERVICE_TOKEN - aka admin_token in keystone.conf
+# SERVICE_ENDPOINT - local Keystone admin endpoint
+# SERVICE_TENANT_NAME - name of tenant containing service accounts
+# ENABLED_SERVICES - stack.sh's list of services to start
+# DEVSTACK_DIR - Top-level DevStack directory
+
+ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
+SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
+SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
function get_id () {
- echo `$@ | grep ' id ' | awk '{print $4}'`
+ echo `$@ | awk '/ id / { print $4 }'`
}
-# Detect if the keystone cli binary has the command names changed
-# in https://review.openstack.org/4375
-# FIXME(dtroyer): Remove the keystone client command checking
-# after a suitable transition period. add-user-role
-# and ec2-create-credentials were renamed
-if keystone help | grep -q user-role-add; then
- KEYSTONE_COMMAND_4375=1
-fi
-
-ADMIN_TENANT=`get_id keystone tenant-create --name=admin`
-SERVICE_TENANT=`get_id keystone tenant-create --name=$SERVICE_TENANT_NAME`
-DEMO_TENANT=`get_id keystone tenant-create --name=demo`
-INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin`
+# Tenants
+ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
+SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
+DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
+INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
# Users
-ADMIN_USER=`get_id keystone user-create \
- --name=admin \
- --pass="$ADMIN_PASSWORD" \
- --email=admin@example.com`
-DEMO_USER=`get_id keystone user-create \
- --name=demo \
- --pass="$ADMIN_PASSWORD" \
- --email=admin@example.com`
+ADMIN_USER=$(get_id keystone user-create --name=admin \
+ --pass="$ADMIN_PASSWORD" \
+ --email=admin@example.com)
+DEMO_USER=$(get_id keystone user-create --name=demo \
+ --pass="$ADMIN_PASSWORD" \
+ --email=demo@example.com)
# Roles
-ADMIN_ROLE=`get_id keystone role-create --name=admin`
-MEMBER_ROLE=`get_id keystone role-create --name=Member`
-KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=KeystoneAdmin`
-KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=KeystoneServiceAdmin`
-SYSADMIN_ROLE=`get_id keystone role-create --name=sysadmin`
-NETADMIN_ROLE=`get_id keystone role-create --name=netadmin`
+ADMIN_ROLE=$(get_id keystone role-create --name=admin)
+KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
+KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
+SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
+NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- # Add Roles to Users in Tenants
- keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
- keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
- keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
- keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
+# Add Roles to Users in Tenants
+keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
+keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
- # TODO(termie): these two might be dubious
- keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
- keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
-else
- ### compat
- # Add Roles to Users in Tenants
- keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT
- keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT
- keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT
- keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT
+# TODO(termie): these two might be dubious
+keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
+keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
- # TODO(termie): these two might be dubious
- keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT
- keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT
- ###
-fi
+
+# The Member role is used by Horizon and Swift so we need to keep it:
+MEMBER_ROLE=$(get_id keystone role-create --name=Member)
+keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
+keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
+
# Services
-keystone service-create \
- --name=nova \
- --type=compute \
- --description="Nova Compute Service"
-NOVA_USER=`get_id keystone user-create \
- --name=nova \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=nova@example.com`
+keystone service-create --name=keystone \
+ --type=identity \
+ --description="Keystone Identity Service"
+
+keystone service-create --name=nova \
+ --type=compute \
+ --description="Nova Compute Service"
+NOVA_USER=$(get_id keystone user-create --name=nova \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=nova@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $NOVA_USER \
- --role $ADMIN_ROLE
+ --user $NOVA_USER \
+ --role $ADMIN_ROLE
-keystone service-create \
- --name=ec2 \
- --type=ec2 \
- --description="EC2 Compatibility Layer"
+keystone service-create --name=ec2 \
+ --type=ec2 \
+ --description="EC2 Compatibility Layer"
-keystone service-create \
- --name=glance \
- --type=image \
- --description="Glance Image Service"
-GLANCE_USER=`get_id keystone user-create \
- --name=glance \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=glance@example.com`
+keystone service-create --name=glance \
+ --type=image \
+ --description="Glance Image Service"
+GLANCE_USER=$(get_id keystone user-create --name=glance \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=glance@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $GLANCE_USER \
- --role $ADMIN_ROLE
-
-keystone service-create \
- --name=keystone \
- --type=identity \
- --description="Keystone Identity Service"
+ --user $GLANCE_USER \
+ --role $ADMIN_ROLE
if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
- keystone service-create \
- --name="nova-volume" \
- --type=volume \
- --description="Nova Volume Service"
+ keystone service-create --name="nova-volume" \
+ --type=volume \
+ --description="Nova Volume Service"
fi
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
- keystone service-create \
- --name=swift \
- --type="object-store" \
- --description="Swift Service"
- SWIFT_USER=`get_id keystone user-create \
- --name=swift \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=swift@example.com`
+ keystone service-create --name=swift \
+ --type="object-store" \
+ --description="Swift Service"
+ SWIFT_USER=$(get_id keystone user-create --name=swift \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=swift@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $SWIFT_USER \
- --role $ADMIN_ROLE
+ --user $SWIFT_USER \
+ --role $ADMIN_ROLE
fi
+
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
- keystone service-create \
- --name=quantum \
- --type=network \
- --description="Quantum Service"
- QUANTUM_USER=`get_id keystone user-create \
- --name=quantum \
- --pass="$SERVICE_PASSWORD" \
- --tenant_id $SERVICE_TENANT \
- --email=quantum@example.com`
+ keystone service-create --name=quantum \
+ --type=network \
+ --description="Quantum Service"
+ QUANTUM_USER=$(get_id keystone user-create --name=quantum \
+ --pass="$SERVICE_PASSWORD" \
+ --tenant_id $SERVICE_TENANT \
+ --email=quantum@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
- --user $QUANTUM_USER \
- --role $ADMIN_ROLE
+ --user $QUANTUM_USER \
+ --role $ADMIN_ROLE
fi
# create ec2 creds and parse the secret and access key returned
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- RESULT=`keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER`
-else
- RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER`
-fi
- echo `$@ | grep id | awk '{print $4}'`
-ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
-ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
+RESULT=$(keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER)
+ADMIN_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
+ADMIN_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
-
-if [[ -n "$KEYSTONE_COMMAND_4375" ]]; then
- RESULT=`keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER`
-else
- RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER`
-fi
-DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
-DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
+RESULT=$(keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER)
+DEMO_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
+DEMO_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
# write the secret and access to ec2rc
cat > $DEVSTACK_DIR/ec2rc <<EOF