API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Mar 27th, 2012
128
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.46 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2. #
  3. # Initial data for Keystone using python-keystoneclient
  4. #
  5. # Tenant User Roles
  6. # ------------------------------------------------------------------
  7. # admin admin admin
  8. # service glance admin
  9. # service nova admin, [ResellerAdmin (swift only)]
  10. # service quantum admin # if enabled
  11. # service swift admin # if enabled
  12. # demo admin admin
  13. # demo demo Member, anotherrole
  14. # invisible_to_admin demo Member
  15. #
  16. # Variables set before calling this script:
  17. # SERVICE_TOKEN - aka admin_token in keystone.conf
  18. # SERVICE_ENDPOINT - local Keystone admin endpoint
  19. # SERVICE_TENANT_NAME - name of tenant containing service accounts
  20. # ENABLED_SERVICES - stack.sh's list of services to start
  21. # DEVSTACK_DIR - Top-level DevStack directory
  22.  
  23. ADMIN_PASSWORD="secretword"
  24. SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
  25. export SERVICE_TOKEN="11223344"
  26. export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
  27. SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
  28.  
  29. function get_id( ){
  30. echo `$@ | awk '/ id / { print $4 }'`
  31. }
  32.  
  33. # Tenants
  34. ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
  35. SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
  36. DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
  37. INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
  38.  
  39.  
  40. # Users
  41. ADMIN_USER=$(get_id keystone user-create --name=admin \
  42. --pass="$ADMIN_PASSWORD" \
  43. [email protected])
  44. DEMO_USER=$(get_id keystone user-create --name=demo \
  45. --pass="$ADMIN_PASSWORD" \
  46. [email protected])
  47.  
  48.  
  49. # Roles
  50. ADMIN_ROLE=$(get_id keystone role-create --name=admin)
  51. KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
  52. KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
  53. # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
  54. # TODO(sleepsonthefloor): show how this can be used for rbac in the future!
  55. ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
  56.  
  57.  
  58. # Add Roles to Users in Tenants
  59. keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
  60. keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
  61. keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT
  62.  
  63. # TODO(termie): these two might be dubious
  64. keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
  65. keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
  66.  
  67.  
  68. # The Member role is used by Horizon and Swift so we need to keep it:
  69. MEMBER_ROLE=$(get_id keystone role-create --name=Member)
  70. keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
  71. keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
  72.  
  73.  
  74. # Configure service users/roles
  75. NOVA_USER=$(get_id keystone user-create --name=nova \
  76. --pass="$SERVICE_PASSWORD" \
  77. --tenant_id $SERVICE_TENANT \
  78. [email protected])
  79. keystone user-role-add --tenant_id $SERVICE_TENANT \
  80. --user $NOVA_USER \
  81. --role $ADMIN_ROLE
  82.  
  83. GLANCE_USER=$(get_id keystone user-create --name=glance \
  84. --pass="$SERVICE_PASSWORD" \
  85. --tenant_id $SERVICE_TENANT \
  86. [email protected])
  87. keystone user-role-add --tenant_id $SERVICE_TENANT \
  88. --user $GLANCE_USER \
  89. --role $ADMIN_ROLE
  90.  
  91. if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
  92. SWIFT_USER=$(get_id keystone user-create --name=swift \
  93. --pass="$SERVICE_PASSWORD" \
  94. --tenant_id $SERVICE_TENANT \
  95. [email protected])
  96. keystone user-role-add --tenant_id $SERVICE_TENANT \
  97. --user $SWIFT_USER \
  98. --role $ADMIN_ROLE
  99. # Nova needs ResellerAdmin role to download images when accessing
  100. # swift through the s3 api. The admin role in swift allows a user
  101. # to act as an admin for their tenant, but ResellerAdmin is needed
  102. # for a user to act as any tenant. The name of this role is also
  103. # configurable in swift-proxy.conf
  104. RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
  105. keystone user-role-add --tenant_id $SERVICE_TENANT \
  106. --user $NOVA_USER \
  107. --role $RESELLER_ROLE
  108. fi
  109.  
  110. if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
  111. QUANTUM_USER=$(get_id keystone user-create --name=quantum \
  112. --pass="$SERVICE_PASSWORD" \
  113. --tenant_id $SERVICE_TENANT \
  114. [email protected])
  115. keystone user-role-add --tenant_id $SERVICE_TENANT \
  116. --user $QUANTUM_USER \
  117. --role $ADMIN_ROLE
  118. fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!