#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant               User       Roles
# ------------------------------------------------------------------
# admin                admin      admin
# service              glance     admin
# service              nova       admin, [ResellerAdmin (swift only)]
# service              quantum    admin        # if enabled
# service              swift      admin        # if enabled
# service              cinder     admin        # if enabled
# demo                 admin      admin
# demo                 demo       Member, anotherrole
# invisible_to_admin   demo       Member
# Tempest Only:
# alt_demo             alt_demo   Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation

# Defaults
# --------

# Placeholder for local development only; set ADMIN_PASSWORD in the
# environment for anything that is not a throwaway stack.
: "${ADMIN_PASSWORD:=secrete}"
# Service accounts share the admin password unless one is provided.
: "${SERVICE_PASSWORD:=$ADMIN_PASSWORD}"
# Hand the bootstrap token and admin endpoint to every keystone CLI call
# made below (the CLI reads them from the environment).
export SERVICE_TOKEN="${SERVICE_TOKEN}"
export SERVICE_ENDPOINT="${SERVICE_ENDPOINT}"
: "${SERVICE_TENANT_NAME:=service}"

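#######################################
# Extract an object id from the table a `keystone` command prints.
# Arguments: the keystone command line to run, as separate words
# Outputs:   the 4th whitespace-separated field of every line containing
#            " id " (presumably the "| id | <uuid> |" row of the CLI
#            table), to stdout; nothing if no such line exists
# Returns:   the exit status of awk; the keystone command's own status is
#            not propagated because pipefail is not enabled here
#######################################
get_id() {
    # Run the pipeline directly: the old `echo \`...\`` form only re-echoed
    # the word-split result and masked nothing useful.
    "$@" | awk '/ id / { print $4 }'
}

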
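# Tenants
# -------

# get_id yields an empty string when a create fails (no " id " row), so
# every later command would then run with a blank tenant id; check these
# first when the bootstrap misbehaves.
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)

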
# Users
# -----

# Both accounts take ADMIN_PASSWORD. Passwords are passed as argv, so
# they are visible in the process list and in `set -x` traces for the
# duration of each keystone call.
ADMIN_USER=$(get_id keystone user-create \
    --name=admin \
    --pass="${ADMIN_PASSWORD}" \
    --email=admin@example.com)
DEMO_USER=$(get_id keystone user-create \
    --name=demo \
    --pass="${ADMIN_PASSWORD}" \
    --email=demo@example.com)


# Roles
# -----

# Global roles; they are bound to users per tenant further down.
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)


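# Add Roles to Users in Tenants
# The admin user holds the admin role in both the admin and demo tenants;
# the demo user only gets the demonstration role in its own tenant.
keystone user-role-add --user_id "$ADMIN_USER" --role_id "$ADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user_id "$ADMIN_USER" --role_id "$ADMIN_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user_id "$DEMO_USER" --role_id "$ANOTHER_ROLE" --tenant_id "$DEMO_TENANT"

# TODO(termie): these two might be dubious
# NOTE(review): presumably these names are what keystone's own policy
# checks for; confirm they are still required before relying on them.
keystone user-role-add --user_id "$ADMIN_USER" --role_id "$KEYSTONEADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user_id "$ADMIN_USER" --role_id "$KEYSTONESERVICE_ROLE" --tenant_id "$ADMIN_TENANT"


# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user_id "$DEMO_USER" --role_id "$MEMBER_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user_id "$DEMO_USER" --role_id "$MEMBER_ROLE" --tenant_id "$INVIS_TENANT"

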
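# Services
# --------

# Keystone
# Catalog entries are only written when the sql catalog backend is in use;
# the template backend presumably carries them in its own file.
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
    KEYSTONE_SERVICE=$(get_id keystone service-create \
        --name=keystone \
        --type=identity \
        --description="Keystone Identity Service")
    # The escaped $(...)s tokens are literal placeholders handed to keystone,
    # not shell command substitutions. All endpoints are registered as plain
    # http; a stack that terminates TLS must register https URLs instead.
    keystone endpoint-create \
        --region RegionOne \
        --service_id "$KEYSTONE_SERVICE" \
        --publicurl "http://$SERVICE_HOST:\$(public_port)s/v2.0" \
        --adminurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0" \
        --internalurl "http://$SERVICE_HOST:\$(admin_port)s/v2.0"
fi
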
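# Nova
if [[ "$ENABLED_SERVICES" =~ "n-cpu" ]]; then
    # Service account for nova: lives in the service tenant with the admin
    # role (see the table at the top of the file).
    NOVA_USER=$(get_id keystone user-create \
        --name=nova \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email=nova@example.com)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$NOVA_USER" \
        --role_id "$ADMIN_ROLE"
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        NOVA_SERVICE=$(get_id keystone service-create \
            --name=nova \
            --type=compute \
            --description="Nova Compute Service")
        # The escaped $(...)s tokens are literal catalog placeholders passed
        # through to keystone, not shell command substitutions.
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$NOVA_SERVICE" \
            --publicurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s" \
            --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v1.1/\$(tenant_id)s"
    fi
    # Nova needs ResellerAdmin role to download images when accessing
    # swift through the s3 api. The admin role in swift allows a user
    # to act as an admin for their tenant, but ResellerAdmin is needed
    # for a user to act as any tenant. The name of this role is also
    # configurable in swift-proxy.conf
    # The role is created and granted whenever n-cpu is enabled, whether or
    # not swift appears in ENABLED_SERVICES.
    RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$NOVA_USER" \
        --role_id "$RESELLER_ROLE"
fi
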
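# Volume
# Catalog entry for nova-volume. The cinder section below registers a second
# service of type "volume" on the same port 8776, so enabling both n-vol and
# cinder produces two catalog entries pointing at one port.
if [[ "$ENABLED_SERVICES" =~ "n-vol" ]]; then
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        VOLUME_SERVICE=$(get_id keystone service-create \
            --name=volume \
            --type=volume \
            --description="Volume Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$VOLUME_SERVICE" \
            --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
    fi
fi
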
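# Glance
if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then
    # Service account for glance in the service tenant, admin role.
    GLANCE_USER=$(get_id keystone user-create \
        --name=glance \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email=glance@example.com)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$GLANCE_USER" \
        --role_id "$ADMIN_ROLE"
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        GLANCE_SERVICE=$(get_id keystone service-create \
            --name=glance \
            --type=image \
            --description="Glance Image Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$GLANCE_SERVICE" \
            --publicurl "http://$SERVICE_HOST:9292/v1" \
            --adminurl "http://$SERVICE_HOST:9292/v1" \
            --internalurl "http://$SERVICE_HOST:9292/v1"
    fi
fi
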
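# Swift
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
    # Service account for swift in the service tenant, admin role.
    SWIFT_USER=$(get_id keystone user-create \
        --name=swift \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email=swift@example.com)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$SWIFT_USER" \
        --role_id "$ADMIN_ROLE"
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        SWIFT_SERVICE=$(get_id keystone service-create \
            --name=swift \
            --type="object-store" \
            --description="Swift Service")
        # Only the public and internal URLs carry the per-tenant AUTH_ prefix;
        # the admin URL is the bare /v1 root.
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$SWIFT_SERVICE" \
            --publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8080/v1" \
            --internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
    fi
fi
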
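# Quantum
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
    # Service account for quantum in the service tenant, admin role.
    QUANTUM_USER=$(get_id keystone user-create \
        --name=quantum \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email=quantum@example.com)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$QUANTUM_USER" \
        --role_id "$ADMIN_ROLE"
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        QUANTUM_SERVICE=$(get_id keystone service-create \
            --name=quantum \
            --type=network \
            --description="Quantum Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$QUANTUM_SERVICE" \
            --publicurl "http://$SERVICE_HOST:9696/" \
            --adminurl "http://$SERVICE_HOST:9696/" \
            --internalurl "http://$SERVICE_HOST:9696/"
    fi
fi
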
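# EC2
# The EC2 compatibility layer is served by nova-api, so it is keyed on n-api.
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        EC2_SERVICE=$(get_id keystone service-create \
            --name=ec2 \
            --type=ec2 \
            --description="EC2 Compatibility Layer")
        # Admin traffic goes to a separate /services/Admin path.
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$EC2_SERVICE" \
            --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
            --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
            --internalurl "http://$SERVICE_HOST:8773/services/Cloud"
    fi
fi
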
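# S3
if [[ "$ENABLED_SERVICES" =~ "n-obj" || "$ENABLED_SERVICES" =~ "swift" ]]; then
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        # S3_SERVICE_PORT has no default in this script and is absent from
        # the header's list of inputs; fail here instead of registering an
        # endpoint with an empty port.
        : "${S3_SERVICE_PORT:?S3_SERVICE_PORT must be set to register the S3 endpoint}"
        S3_SERVICE=$(get_id keystone service-create \
            --name=s3 \
            --type=s3 \
            --description="S3")
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$S3_SERVICE" \
            --publicurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
            --adminurl "http://$SERVICE_HOST:$S3_SERVICE_PORT" \
            --internalurl "http://$SERVICE_HOST:$S3_SERVICE_PORT"
    fi
fi
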
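# Tempest
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
    # Tempest has some tests that validate various authorization checks
    # between two regular users in separate tenants
    # alt_demo reuses ADMIN_PASSWORD, as the demo user does above.
    ALT_DEMO_TENANT=$(get_id keystone tenant-create \
        --name=alt_demo)
    ALT_DEMO_USER=$(get_id keystone user-create \
        --name=alt_demo \
        --pass="$ADMIN_PASSWORD" \
        --email=alt_demo@example.com)
    keystone user-role-add \
        --tenant_id "$ALT_DEMO_TENANT" \
        --user_id "$ALT_DEMO_USER" \
        --role_id "$MEMBER_ROLE"
fi
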
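# Cinder
if [[ "$ENABLED_SERVICES" =~ "cinder" ]]; then
    # Service account for cinder in the service tenant, admin role.
    CINDER_USER=$(get_id keystone user-create \
        --name=cinder \
        --pass="$SERVICE_PASSWORD" \
        --tenant_id "$SERVICE_TENANT" \
        --email=cinder@example.com)
    keystone user-role-add \
        --tenant_id "$SERVICE_TENANT" \
        --user_id "$CINDER_USER" \
        --role_id "$ADMIN_ROLE"
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
        # Same service type and port as the nova-volume entry in the Volume
        # section; with both n-vol and cinder enabled the catalog carries two
        # "volume" services on port 8776.
        CINDER_SERVICE=$(get_id keystone service-create \
            --name=cinder \
            --type=volume \
            --description="Cinder Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id "$CINDER_SERVICE" \
            --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
    fi
fi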