Merge "Use service role with glance service"
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index d477c42..9a34c76 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -2,12 +2,14 @@
 #
 # Initial data for Keystone using python-keystoneclient
 #
-# Tenant               User       Roles
+# Tenant               User         Roles
 # ------------------------------------------------------------------
-# service              glance     admin
-# service              heat       service        # if enabled
+# service              glance       service
+# service              glance-swift ResellerAdmin
+# service              heat         service        # if enabled
+# service              ceilometer   admin          # if enabled
 # Tempest Only:
-# alt_demo             alt_demo  Member
+# alt_demo             alt_demo     Member
 #
 # Variables set before calling this script:
 # SERVICE_TOKEN - aka admin_token in keystone.conf
@@ -96,7 +98,19 @@
     keystone user-role-add \
         --tenant $SERVICE_TENANT_NAME \
         --user glance \
-        --role admin
+        --role service
+    # required for swift access
+    if [[ "$ENABLED_SERVICES" =~ "s-proxy" ]]; then
+        keystone user-create \
+            --name=glance-swift \
+            --pass="$SERVICE_PASSWORD" \
+            --tenant $SERVICE_TENANT_NAME \
+            --email=glance-swift@example.com
+        keystone user-role-add \
+            --tenant $SERVICE_TENANT_NAME \
+            --user glance-swift \
+            --role ResellerAdmin
+    fi
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         keystone service-create \
             --name=glance \
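Review bot: The new `glance-swift` user is created with `--pass="$SERVICE_PASSWORD"`, the same secret as the `glance` user, even though it holds `ResellerAdmin`, which Swift's keystoneauth middleware by default allows to operate on any account. Dropping `glance` from `admin` to `service` therefore narrows the role but not the credential: anything that can read the shared service password can still authenticate as the broader account. Consider a dedicated secret with a fallback, e.g. `--pass="${GLANCE_SWIFT_PASSWORD:-$SERVICE_PASSWORD}"` (a proposed new variable, not one defined on this page), with the `swift_store_key` line in lib/glance set from the same value. The two added `--tenant $SERVICE_TENANT_NAME` arguments are also unquoted, following the surrounding style, and should be `--tenant "$SERVICE_TENANT_NAME"`. The enclosing block starts before this hunk, so the condition guarding the glance section is not visible here.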
diff --git a/lib/glance b/lib/glance
index 2d41ea4..00f499a 100644
--- a/lib/glance
+++ b/lib/glance
@@ -124,7 +124,7 @@
     if is_service_enabled s-proxy; then
         iniset $GLANCE_API_CONF DEFAULT default_store swift
         iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
-        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance
+        iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
         iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
         iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True