Allow putting service users in a seperate domain

Make it possible to construct the service users in their own separate
domain. Changing this away from Default will not work for everyone yet,
though it does work for basic service interaction. However, enabling it
will allow us to start testing, and hopefully gating, that services aren't
relying on v2-only concepts.

Change-Id: I7e73df5dd1caabf355783da2bc0f3007ade92fba
diff --git a/functions-common b/functions-common
index 0806681..71dda76 100644
--- a/functions-common
+++ b/functions-common
@@ -840,27 +840,49 @@
     echo $role_id
 }
 
+# Returns the domain parts of a function call if present
+# Usage: _get_domain_args [<user_domain> <project_domain>]
+function _get_domain_args {
+    local domain
+    domain=""
+
+    if [[ -n "$1" ]]; then
+        domain="$domain --user-domain $1"
+    fi
+    if [[ -n "$2" ]]; then
+        domain="$domain --project-domain $2"
+    fi
+
+    echo $domain
+}
+
 # Gets or adds user role to project
-# Usage: get_or_add_user_project_role <role> <user> <project>
+# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>]
 function get_or_add_user_project_role {
     local user_role_id
+
+    domain_args=$(_get_domain_args $4 $5)
+
     # Gets user role id
     user_role_id=$(openstack role list \
         --user $2 \
         --column "ID" \
         --project $3 \
         --column "Name" \
+        $domain_args \
         | grep " $1 " | get_field 1)
     if [[ -z "$user_role_id" ]]; then
         # Adds role to user and get it
         openstack role add $1 \
             --user $2 \
-            --project $3
+            --project $3 \
+            $domain_args
         user_role_id=$(openstack role list \
             --user $2 \
             --column "ID" \
             --project $3 \
             --column "Name" \
+            $domain_args \
             | grep " $1 " | get_field 1)
     fi
     echo $user_role_id
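Review bot: `domain_args` in get_or_add_user_project_role is assigned without `local`, so it leaks into the caller's scope. The call `_get_domain_args $4 $5` is also unquoted, so an empty user domain with a non-empty project domain moves the project domain into `$1`, where it is emitted as `--user-domain`. Because these arguments decide which user and project the role is granted on, I would declare `local user_role_id domain_args` and call `domain_args=$(_get_domain_args "$4" "$5")`. `$domain_args` is then expanded unquoted on purpose, so a domain name containing whitespace cannot be passed; a one-line comment in `_get_domain_args` saying so would help. The closing brace of get_or_add_user_project_role is outside the hunk.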
diff --git a/lib/glance b/lib/glance
index 3743e16..f2a6db6 100644
--- a/lib/glance
+++ b/lib/glance
@@ -173,8 +173,8 @@
 
         iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
         iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
-        iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
-        iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
+        iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
+        iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
         iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
 
         # commenting is not strictly necessary but it's confusing to have bad values in conf
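Review bot: The two new `iniset` lines pass `$SERVICE_DOMAIN_NAME` unquoted, while the matching lines this commit adds in lib/keystone quote it; a value containing whitespace would be split into extra arguments here. I would write `iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name "$SERVICE_DOMAIN_NAME"` and the same for `project_domain_name`. The same applies to the call changed in lib/nova, `get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME`, where word splitting would change which positional argument is read as the user domain. The enclosing function starts and ends outside the hunk.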
@@ -288,11 +288,7 @@
 
         # required for swift access
         if is_service_enabled s-proxy; then
-
-            local glance_swift_user
-            glance_swift_user=$(get_or_create_user "glance-swift" \
-                "$SERVICE_PASSWORD" "default" "glance-swift@example.com")
-            get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
+            create_service_user "glance-swift" "ResellerAdmin"
         fi
 
         get_or_create_service "glance" "image" "Glance Image Service"
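Review bot: The new `create_service_user "glance-swift" "ResellerAdmin"` call carries no comment on why this account needs ResellerAdmin, which in Swift is normally a cross-account role rather than a per-project one. The account is now created in whatever domain `SERVICE_DOMAIN_NAME` names, so the reason for the grant is worth stating next to it. I would add a comment above the call along the lines of `# ResellerAdmin lets glance-swift act on other Swift accounts; grant it to this service user only`. The enclosing function starts and ends outside the hunk.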
diff --git a/lib/keystone b/lib/keystone
index b5c107c..cd07b78 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -106,7 +106,9 @@
 
 # Bind hosts
 KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
+
 # Set the project for service accounts in Keystone
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
 SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
 SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
 
@@ -370,6 +372,7 @@
     get_or_add_user_domain_role $admin_role $admin_user default
 
     # Create service project/role
+    get_or_create_domain "$SERVICE_DOMAIN_NAME"
     get_or_create_project "$SERVICE_PROJECT_NAME" default
 
     # Service role, so service users do not have to be admins
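Review bot: The service project is still created in the `default` domain on the line after the new `get_or_create_domain` call, while create_service_user in this commit grants roles with the project domain set to `$SERVICE_DOMAIN_NAME`. With any value other than Default the role assignment would presumably fail to find the project, or resolve a same-named project in another domain if one exists. Assuming get_or_create_project accepts a domain name as its second argument (its definition is not visible here), the line should read `get_or_create_project "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME"`. The enclosing function starts and ends outside the hunk.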
@@ -442,9 +445,8 @@
 function create_service_user {
     local role=${2:-service}
 
-    local user
-    user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
-    get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
+    get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
+    get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
 }
 
 # Configure the service to use the auth token middleware.
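Review bot: `get_or_create_user` is no longer captured in create_service_user, so whatever it prints now goes to the function's stdout, and the role is granted by user name (`"$1"`) instead of by id. The removed code treated that output as the user id. A user name is only unique within a domain, so the grant now relies on the user domain argument resolving to the intended account. Keeping the id avoids that and keeps stdout clean: `user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME")`, then pass `"$user"` as the second argument. If the name is required for the domain-scoped lookup, at least discard the output with `>/dev/null` and add a comment saying why the name is used.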
@@ -464,9 +466,9 @@
     iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
     iniset $conf_file $section username $admin_user
     iniset $conf_file $section password $SERVICE_PASSWORD
-    iniset $conf_file $section user_domain_id default
+    iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
-    iniset $conf_file $section project_domain_id default
+    iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
 
     iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
     iniset $conf_file $section cafile $SSL_BUNDLE_FILE
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 084a356..aaba894 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -491,9 +491,9 @@
     iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
     iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
     iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
-    iniset $NOVA_CONF neutron user_domain_name "Default"
+    iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
-    iniset $NOVA_CONF neutron project_domain_name "Default"
+    iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
     iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
     iniset $NOVA_CONF neutron region_name "$REGION_NAME"
     iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
diff --git a/lib/nova b/lib/nova
index 8823e1d..15dae68 100644
--- a/lib/nova
+++ b/lib/nova
@@ -439,7 +439,7 @@
         if is_service_enabled swift; then
             # Nova needs ResellerAdmin role to download images when accessing
             # swift through the s3 api.
-            get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
+            get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
         fi
     fi
 
diff --git a/lib/swift b/lib/swift
index f47608c..8cb94ef 100644
--- a/lib/swift
+++ b/lib/swift
@@ -846,7 +846,9 @@
     # note we are using swift credentials!
     OS_USERNAME=swift \
     OS_PASSWORD=$SERVICE_PASSWORD \
+    OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
     OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
+    OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
     openstack object store account \
         set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
 }