Move keystone account creation out of keystone_data.sh
keystone_data.sh is getting unwieldy and increasingly needs
configuration information for services. Also need the ability
to manipulate HOST/IP information for hosts to handle service
HA/proxy configurations.
Begin moving the creation of service account information into
the service lib files, starting with the common accounts and
keystone itself.
Change-Id: Ie259f7b71983c4f4a2e33ab9c8a8e2b00238ba38
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 20749bc..c8e68dd 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -4,7 +4,6 @@
#
# Tenant User Roles
# ------------------------------------------------------------------
-# admin admin admin
# service glance admin
# service nova admin, [ResellerAdmin (swift only)]
# service quantum admin # if enabled
@@ -12,9 +11,6 @@
# service cinder admin # if enabled
# service heat admin # if enabled
# service ceilometer admin # if enabled
-# demo admin admin
-# demo demo Member, anotherrole
-# invisible_to_admin demo Member
# Tempest Only:
# alt_demo alt_demo Member
#
@@ -40,53 +36,14 @@
echo `"$@" | awk '/ id / { print $4 }'`
}
-
-# Tenants
-# -------
-
-ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
-SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
-DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
-INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
-
-
-# Users
-# -----
-
-ADMIN_USER=$(get_id keystone user-create --name=admin \
- --pass="$ADMIN_PASSWORD" \
- --email=admin@example.com)
-DEMO_USER=$(get_id keystone user-create --name=demo \
- --pass="$ADMIN_PASSWORD" \
- --email=demo@example.com)
+# Lookups
+SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
+ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
# Roles
# -----
-ADMIN_ROLE=$(get_id keystone role-create --name=admin)
-KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
-KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
-# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
-# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
-ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
-
-
-# Add Roles to Users in Tenants
-keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
-keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
-keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
-
-# TODO(termie): these two might be dubious
-keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
-keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
-
-
-# The Member role is used by Horizon and Swift so we need to keep it:
-MEMBER_ROLE=$(get_id keystone role-create --name=Member)
-keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
-keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
-
# The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it.
# The admin role in swift allows a user to act as an admin for their tenant,
# but ResellerAdmin is needed for a user to act as any tenant. The name of this
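Review bot: The two new lookups at the top of the hunk (`SERVICE_TENANT=...` and `ADMIN_ROLE=...`) yield an empty string when the row is not found, so every later `--tenant_id $SERVICE_TENANT` / `--role_id $ADMIN_ROLE` in this file then runs with a missing argument instead of failing at the lookup. Add a check after each one, e.g. `[[ -n "$SERVICE_TENANT" ]] || { echo "tenant $SERVICE_TENANT_NAME not found" >&2; exit 1; }`. `$SERVICE_TENANT_NAME` is also spliced into the awk program text, where it is interpreted as a regex; passing it as data with `awk -v name="$SERVICE_TENANT_NAME" '$4 == name { print $2 }'` keeps it literal (column 4 assumes the usual `| id | name | enabled |` table layout of the CLI; confirm). The `get_id` function whose tail is visible at the top of the hunk begins outside it.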
@@ -96,20 +53,6 @@
# Services
# --------
-# Keystone
-if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
- KEYSTONE_SERVICE=$(get_id keystone service-create \
- --name=keystone \
- --type=identity \
- --description="Keystone Identity Service")
- keystone endpoint-create \
- --region RegionOne \
- --service_id $KEYSTONE_SERVICE \
- --publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
- --adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
- --internalurl "http://$SERVICE_HOST:\$(public_port)s/v2.0"
-fi
-
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
NOVA_USER=$(get_id keystone user-create \
diff --git a/lib/keystone b/lib/keystone
index ae89056..f6a6d66 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -15,6 +15,7 @@
# configure_keystone
# init_keystone
# start_keystone
+# create_keystone_accounts
# stop_keystone
# cleanup_keystone
@@ -45,7 +46,6 @@
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
# Set Keystone interface configuration
-KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
@@ -144,6 +144,100 @@
}
+# create_keystone_accounts() - Sets up common required keystone accounts
+
+# Tenant User Roles
+# ------------------------------------------------------------------
+# service -- --
+# -- -- Member
+# admin admin admin
+# demo admin admin
+# demo demo Member, anotherrole
+# invisible_to_admin demo Member
+
+# Migrated from keystone_data.sh
+create_keystone_accounts() {
+
+ # admin
+ ADMIN_TENANT=$(keystone tenant-create \
+ --name admin \
+ | grep " id " | get_field 2)
+ ADMIN_USER=$(keystone user-create \
+ --name admin \
+ --pass "$ADMIN_PASSWORD" \
+ --email admin@example.com \
+ | grep " id " | get_field 2)
+ ADMIN_ROLE=$(keystone role-create \
+ --name admin \
+ | grep " id " | get_field 2)
+ keystone user-role-add \
+ --user_id $ADMIN_USER \
+ --role_id $ADMIN_ROLE \
+ --tenant_id $ADMIN_TENANT
+
+ # service
+ SERVICE_TENANT=$(keystone tenant-create \
+ --name $SERVICE_TENANT_NAME \
+ | grep " id " | get_field 2)
+
+ # The Member role is used by Horizon and Swift so we need to keep it:
+ MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | get_field 2)
+ # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
+ # TODO(sleepsonthefloor): show how this can be used for rbac in the future!
+ ANOTHER_ROLE=$(keystone role-create --name=anotherrole | grep " id " | get_field 2)
+
+ # invisible tenant - admin can't see this one
+ INVIS_TENANT=$(keystone tenant-create --name=invisible_to_admin | grep " id " | get_field 2)
+
+ # demo
+ DEMO_TENANT=$(keystone tenant-create \
+ --name=demo \
+ | grep " id " | get_field 2)
+ DEMO_USER=$(keystone user-create \
+ --name demo \
+ --pass "$ADMIN_PASSWORD" \
+ --email demo@example.com \
+ | grep " id " | get_field 2)
+ keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT
+ keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT
+ keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT
+ keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT
+
+ # Keystone
+ if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+ KEYSTONE_SERVICE=$(keystone service-create \
+ --name keystone \
+ --type identity \
+ --description "Keystone Identity Service" \
+ | grep " id " | get_field 2)
+ keystone endpoint-create \
+ --region RegionOne \
+ --service_id $KEYSTONE_SERVICE \
+ --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \
+ --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \
+ --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"
+ fi
+
+ # TODO(dtroyer): This is part of a series of changes...remove these when
+ # complete if they are really unused
+# KEYSTONEADMIN_ROLE=$(keystone role-create \
+# --name KeystoneAdmin \
+# | grep " id " | get_field 2)
+# KEYSTONESERVICE_ROLE=$(keystone role-create \
+# --name KeystoneServiceAdmin \
+# | grep " id " | get_field 2)
+
+ # TODO(termie): these two might be dubious
+# keystone user-role-add \
+# --user_id $ADMIN_USER \
+# --role_id $KEYSTONEADMIN_ROLE \
+# --tenant_id $ADMIN_TENANT
+# keystone user-role-add \
+# --user_id $ADMIN_USER \
+# --role_id $KEYSTONESERVICE_ROLE \
+# --tenant_id $ADMIN_TENANT
+}
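Review bot: Every ID in `create_keystone_accounts` comes from `| grep " id " | get_field 2` and nothing checks the result, so if a create fails (for example because the tenant or role already exists on a re-run) the variable is empty and the following `keystone user-role-add --user_id $ADMIN_USER ...` calls run with missing arguments rather than aborting. A check after each assignment such as `[[ -n "$ADMIN_TENANT" ]] || { echo "admin tenant creation failed" >&2; exit 1; }` catches this at the point of failure, and quoting the expansions (`--user_id "$ADMIN_USER"`) at least turns a missing value into a visible empty argument. The endpoint URLs reference `KEYSTONE_SERVICE_PROTOCOL` and `KEYSTONE_SERVICE_HOST`, which this diff does not define; if they are not set in a part of lib/keystone outside the diff they need defaults next to the `KEYSTONE_AUTH_*` ones. As a point of style, the sibling functions in this file are declared as `function init_keystone()`, so `function create_keystone_accounts()` would match, and the mix of `--name admin` and `--name=Member` within one function is worth unifying.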
+
# init_keystone() - Initialize databases, etc.
function init_keystone() {
# (Re)create keystone database
@@ -176,6 +270,11 @@
function start_keystone() {
# Start Keystone in a screen window
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
+ echo "Waiting for keystone to start..."
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
+ echo "keystone did not start"
+ exit 1
+ fi
}
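Review bot: The readiness probe added to `start_keystone` uses `$KEYSTONE_SERVICE_PORT`, but the only port default this diff touches is the removed `KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}`; unless `KEYSTONE_SERVICE_PORT` is defaulted in a part of lib/keystone outside the diff, the URL collapses to `$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:/v2.0/` and the loop spins until `$SERVICE_TIMEOUT` and then exits. Restore the default beside the other interface settings with `KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}`. The same variable is used by the stack.sh banner hunk at the end of this diff. The `exit 1` is carried over from stack.sh rather than new, but now that it lives in a library function a comment such as `# Fatal: terminates the calling shell, not just this function` would help readers of lib/keystone.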
# stop_keystone() - Stop running processes
diff --git a/stack.sh b/stack.sh
index 8e8c519..5ab0f8e 100755
--- a/stack.sh
+++ b/stack.sh
@@ -953,15 +953,16 @@
configure_keystone
init_keystone
start_keystone
- echo "Waiting for keystone to start..."
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
- echo "keystone did not start"
- exit 1
- fi
- # ``keystone_data.sh`` creates services, admin and demo users, and roles.
+ # Set up a temporary admin URI for Keystone
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+ # Do the keystone-specific bits from keystone_data.sh
+ export OS_SERVICE_TOKEN=$SERVICE_TOKEN
+ export OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT
+ create_keystone_accounts
+
+ # ``keystone_data.sh`` creates services, admin and demo users, and roles.
ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PASSWORD \
SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_HOST=$SERVICE_HOST \
S3_SERVICE_PORT=$S3_SERVICE_PORT KEYSTONE_CATALOG_BACKEND=$KEYSTONE_CATALOG_BACKEND \
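Review bot: `export OS_SERVICE_TOKEN=$SERVICE_TOKEN` places the bootstrap admin token in the environment of every child process started between here and the `unset` in the next hunk, including the `keystone_data.sh` invocation below, which already receives `SERVICE_TOKEN` explicitly. Since only `create_keystone_accounts` needs the `OS_*` form, scope it to that call with `OS_SERVICE_TOKEN=$SERVICE_TOKEN OS_SERVICE_ENDPOINT=$SERVICE_ENDPOINT create_keystone_accounts` (bash keeps prefix assignments in effect, and exported, for the duration of a function call), which also removes the need for the later `unset`. The enclosing `if is_service_enabled key` block begins before this hunk.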
@@ -974,6 +975,7 @@
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASSWORD
+ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
fi
@@ -1750,7 +1752,7 @@
# If Keystone is present you can point ``nova`` cli to this server
if is_service_enabled key; then
- echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_API_PORT/v2.0/"
+ echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/"
echo "Examples on using novaclient command line is in exercise.sh"
echo "The default users are: admin and demo"
echo "The password: $ADMIN_PASSWORD"