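#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant               User      Roles
# ------------------------------------------------------------------
# admin                admin     admin
# service              glance    admin
# service              nova      admin, [ResellerAdmin (swift only)]
# service              quantum   admin        # if enabled
# service              swift     admin        # if enabled
# demo                 admin     admin
# demo                 demo      Member, anotherrole
# invisible_to_admin   demo      Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory

# Password for the admin and demo users.  The built-in default is a
# well-known placeholder; supply ADMIN_PASSWORD in the environment for
# anything other than a throwaway local stack.
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secretword}
# Service accounts (nova, glance, ...) share one password unless a
# separate SERVICE_PASSWORD is supplied.
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
# Honour the values the header documents as "set before calling this
# script": the caller's SERVICE_TOKEN/SERVICE_ENDPOINT win, and the fixed
# values below are only defaults.  The token is the keystone.conf
# admin_token and grants full rights on the admin API, so the default
# must not survive into a shared deployment.
export SERVICE_TOKEN=${SERVICE_TOKEN:-11223344}
export SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://localhost:35357/v2.0}
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}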
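#######################################
# Run a keystone client command and print the value of its "id" row.
# The client prints a two-column table; the id row looks like
# "| id | <uuid> |", so the uuid is the fourth whitespace-separated field.
# Arguments: the command and its arguments, passed through unchanged
#            (quoted, so values containing spaces such as a password
#            are not split into separate words)
# Outputs:   the id on stdout
# Returns:   1, with a message on stderr, when no id row was found, so
#            an empty id does not silently flow into later calls
#######################################
get_id() {
  local id
  id=$("$@" | awk '$2 == "id" { print $4 }')
  if [[ -z "$id" ]]; then
    printf 'get_id: no id in output of: %s\n' "$*" >&2
    return 1
  fi
  printf '%s\n' "$id"
}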
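# Tenants.  Each call yields the new tenant's id for the role grants below.
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
# The tenant name comes from the environment, so quote it.
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
# The admin user is given no role in this tenant (see the table above).
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)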
# Users.  Both share ADMIN_PASSWORD.  The password travels on the
# command line, so it is visible in the process list while the keystone
# client runs.
ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD" --email=admin@hastexo.com)
DEMO_USER=$(get_id keystone user-create --name=demo --pass="$ADMIN_PASSWORD" --email=demo@hastexo.com)
# Roles.  Ids are captured for the grants that follow.
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
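# Add Roles to Users in Tenants.  Ids are quoted so that an empty value
# (a failed create above) is still passed as an argument instead of the
# option being silently dropped from the command line.
keystone user-role-add --user "$ADMIN_USER" --role "$ADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user "$ADMIN_USER" --role "$ADMIN_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user "$DEMO_USER" --role "$ANOTHER_ROLE" --tenant_id "$DEMO_TENANT"
# TODO(termie): these two might be dubious
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONEADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONESERVICE_ROLE" --tenant_id "$ADMIN_TENANT"
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user "$DEMO_USER" --role "$MEMBER_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user "$DEMO_USER" --role "$MEMBER_ROLE" --tenant_id "$INVIS_TENANT"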
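# Configure service users/roles.  Service accounts live in the service
# tenant and get the admin role there.  Ids are quoted so an empty value
# is passed through rather than dropped from the command line.
NOVA_USER=$(get_id keystone user-create --name=nova \
  --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" \
  --email=nova@hastexo.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
  --user "$NOVA_USER" \
  --role "$ADMIN_ROLE"
GLANCE_USER=$(get_id keystone user-create --name=glance \
  --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" \
  --email=glance@hastexo.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
  --user "$GLANCE_USER" \
  --role "$ADMIN_ROLE"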
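# Swift service account, only when stack.sh enables swift (substring
# match on ENABLED_SERVICES).  Ids are quoted so an empty value is passed
# through rather than dropped from the command line.
if [[ "$ENABLED_SERVICES" == *swift* ]]; then
  SWIFT_USER=$(get_id keystone user-create --name=swift \
    --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" \
    --email=swift@hastexo.com)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$SWIFT_USER" \
    --role "$ADMIN_ROLE"
  # Nova needs ResellerAdmin role to download images when accessing
  # swift through the s3 api. The admin role in swift allows a user
  # to act as an admin for their tenant, but ResellerAdmin is needed
  # for a user to act as any tenant. The name of this role is also
  # configurable in swift-proxy.conf
  RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$NOVA_USER" \
    --role "$RESELLER_ROLE"
fi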
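# Quantum service account, only when stack.sh enables quantum (substring
# match on ENABLED_SERVICES).  Ids are quoted so an empty value is passed
# through rather than dropped from the command line.
if [[ "$ENABLED_SERVICES" == *quantum* ]]; then
  QUANTUM_USER=$(get_id keystone user-create --name=quantum \
    --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" \
    --email=quantum@hastexo.com)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$QUANTUM_USER" \
    --role "$ADMIN_ROLE"
fi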