Merge "Fix Q_PLUGIN_EXTRA_CONF_PATH usage comment"
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index ce7755d..1f5797c 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -742,6 +742,16 @@
KEYSTONE_SERVICE_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
KEYSTONE_AUTH_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
REGION_NAME=RegionTwo
+ KEYSTONE_REGION_NAME=RegionOne
+
+In the devstack for RegionOne, we set REGION_NAME as RegionOne, so region of
+the services started in this devstack are registered as RegionOne. In devstack
+for RegionTwo, similarly, we set REGION_NAME as RegionTwo since we want
+services started in this devstack to be registered in RegionTwo. But Keystone
+service is started and registered in RegionOne, not RegionTwo, so we use
+KEYSTONE_REGION_NAME to specify the region of Keystone service.
+KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
+it in the configuration of RegionOne.
Disabling Identity API v2
+++++++++++++++++++++++++
diff --git a/functions-common b/functions-common
index 0806681..71dda76 100644
--- a/functions-common
+++ b/functions-common
@@ -840,27 +840,49 @@
echo $role_id
}
+# Returns the domain parts of a function call if present
+# Usage: _get_domain_args [<user_domain> <project_domain>]
+function _get_domain_args {
+ local domain
+ domain=""
+
+ if [[ -n "$1" ]]; then
+ domain="$domain --user-domain $1"
+ fi
+ if [[ -n "$2" ]]; then
+ domain="$domain --project-domain $2"
+ fi
+
+ echo $domain
+}
+
# Gets or adds user role to project
-# Usage: get_or_add_user_project_role <role> <user> <project>
+# Usage: get_or_add_user_project_role <role> <user> <project> [<user_domain> <project_domain>]
function get_or_add_user_project_role {
local user_role_id
+
+ domain_args=$(_get_domain_args $4 $5)
+
# Gets user role id
user_role_id=$(openstack role list \
--user $2 \
--column "ID" \
--project $3 \
--column "Name" \
+ $domain_args \
| grep " $1 " | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack role add $1 \
--user $2 \
- --project $3
+ --project $3 \
+ $domain_args
user_role_id=$(openstack role list \
--user $2 \
--column "ID" \
--project $3 \
--column "Name" \
+ $domain_args \
| grep " $1 " | get_field 1)
fi
echo $user_role_id
diff --git a/lib/glance b/lib/glance
index 3743e16..f2a6db6 100644
--- a/lib/glance
+++ b/lib/glance
@@ -173,8 +173,8 @@
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id default
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id default
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
# commenting is not strictly necessary but it's confusing to have bad values in conf
@@ -288,11 +288,7 @@
# required for swift access
if is_service_enabled s-proxy; then
-
- local glance_swift_user
- glance_swift_user=$(get_or_create_user "glance-swift" \
- "$SERVICE_PASSWORD" "default" "glance-swift@example.com")
- get_or_add_user_project_role "ResellerAdmin" $glance_swift_user $SERVICE_PROJECT_NAME
+ create_service_user "glance-swift" "ResellerAdmin"
fi
get_or_create_service "glance" "image" "Glance Image Service"
diff --git a/lib/keystone b/lib/keystone
index b5c107c..542bd05 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -106,8 +106,13 @@
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
+
# Set the project for service accounts in Keystone
+SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
+
+# Note 2016-03 : SERVICE_TENANT_NAME is kept for backwards
+# compatibility; we should be using SERVICE_PROJECT_NAME now
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
# if we are running with SSL use https protocols
@@ -370,6 +375,7 @@
get_or_add_user_domain_role $admin_role $admin_user default
# Create service project/role
+ get_or_create_domain "$SERVICE_DOMAIN_NAME"
get_or_create_project "$SERVICE_PROJECT_NAME" default
# Service role, so service users do not have to be admins
@@ -442,9 +448,8 @@
function create_service_user {
local role=${2:-service}
- local user
- user=$(get_or_create_user "$1" "$SERVICE_PASSWORD" default)
- get_or_add_user_project_role "$role" "$user" "$SERVICE_PROJECT_NAME"
+ get_or_create_user "$1" "$SERVICE_PASSWORD" "$SERVICE_DOMAIN_NAME"
+ get_or_add_user_project_role "$role" "$1" "$SERVICE_PROJECT_NAME" "$SERVICE_DOMAIN_NAME" "$SERVICE_DOMAIN_NAME"
}
# Configure the service to use the auth token middleware.
@@ -464,9 +469,9 @@
iniset $conf_file $section auth_url $KEYSTONE_AUTH_URI
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD
- iniset $conf_file $section user_domain_id default
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
- iniset $conf_file $section project_domain_id default
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 76adb28..f0592e2 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -387,7 +387,7 @@
local cfg_file
local opts="--config-file $NEUTRON_CONF --config-file /$Q_PLUGIN_CONF_FILE"
for cfg_file in ${Q_PLUGIN_EXTRA_CONF_FILES[@]}; do
- opts+=" --config-file /$cfg_file"
+ opts+=" --config-file $cfg_file"
done
echo "$opts"
}
@@ -491,9 +491,9 @@
iniset $NOVA_CONF neutron auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
iniset $NOVA_CONF neutron username "$Q_ADMIN_USERNAME"
iniset $NOVA_CONF neutron password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF neutron user_domain_name "Default"
+ iniset $NOVA_CONF neutron user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF neutron project_name "$SERVICE_PROJECT_NAME"
- iniset $NOVA_CONF neutron project_domain_name "Default"
+ iniset $NOVA_CONF neutron project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF neutron auth_strategy "$Q_AUTH_STRATEGY"
iniset $NOVA_CONF neutron region_name "$REGION_NAME"
iniset $NOVA_CONF neutron url "${Q_PROTOCOL}://$Q_HOST:$Q_PORT"
diff --git a/lib/nova b/lib/nova
index 7c22910..818ecc4 100644
--- a/lib/nova
+++ b/lib/nova
@@ -439,7 +439,7 @@
if is_service_enabled swift; then
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api.
- get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME
+ get_or_add_user_project_role ResellerAdmin nova $SERVICE_PROJECT_NAME $SERVICE_DOMAIN_NAME $SERVICE_DOMAIN_NAME
fi
fi
diff --git a/lib/swift b/lib/swift
index f47608c..8cb94ef 100644
--- a/lib/swift
+++ b/lib/swift
@@ -846,7 +846,9 @@
# note we are using swift credentials!
OS_USERNAME=swift \
OS_PASSWORD=$SERVICE_PASSWORD \
+ OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
+ OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
openstack object store account \
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
}
diff --git a/lib/tempest b/lib/tempest
index 0fc5815..46dc1f8 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -383,6 +383,11 @@
# Orchestration Tests
if is_service_enabled heat; then
+ # Though this is not needed by heat, some tempest tests explicitly
+ # try to set this role. Removing them from the tempest tests breaks
+ # some non-devstack CIs.
+ get_or_create_role "heat_stack_owner"
+
if [[ ! -z "$HEAT_CFN_IMAGE_URL" ]]; then
iniset $TEMPEST_CONFIG orchestration image_ref $(basename "${HEAT_CFN_IMAGE_URL%.*}")
fi
@@ -396,7 +401,7 @@
iniset $TEMPEST_CONFIG orchestration instance_type "m1.heat"
fi
iniset $TEMPEST_CONFIG orchestration build_timeout 900
- iniset $TEMPEST_CONFIG orchestration stack_owner_role "_member_"
+ iniset $TEMPEST_CONFIG orchestration stack_owner_role "heat_stack_owner"
fi
# Scenario
diff --git a/stack.sh b/stack.sh
index 739d939..3de9af2 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1020,7 +1020,7 @@
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_ID=default
-export OS_REGION_NAME=$REGION_NAME
+export OS_REGION_NAME=$KEYSTONE_REGION_NAME
EOF
diff --git a/stackrc b/stackrc
index 17d6047..8858788 100644
--- a/stackrc
+++ b/stackrc
@@ -42,6 +42,12 @@
# Specify region name Region
REGION_NAME=${REGION_NAME:-RegionOne}
+# Specify name of region where identity service endpoint is registered.
+# When deploying multiple DevStack instances in different regions with shared
+# Keystone, set KEYSTONE_REGION_NAME to the region where Keystone is running
+# for DevStack instances which do not host Keystone.
+KEYSTONE_REGION_NAME=${KEYSTONE_REGION_NAME:-$REGION_NAME}
+
# Specify which services to launch. These generally correspond to
# screen tabs. To change the default list, use the ``enable_service`` and
# ``disable_service`` functions in ``local.conf``.