ESSEX keystone_data.sh


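#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Accounts created by the active (uncommented) code below:
#
# Tenant               User      Roles
# ------------------------------------------------------------------
# admin                admin     admin, KeystoneAdmin, KeystoneServiceAdmin
# service              glance    admin
# service              nova      admin, [ResellerAdmin (swift only)]
# service              quantum   admin        # if enabled
# service              swift     admin        # if enabled
#
# The demo / invisible_to_admin tenants and the demo user are left
# commented out in this copy, so they are NOT created.
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# ENABLED_SERVICES - stack.sh's list of services to start
#                    (overridden below: this copy hard-codes "swift")
# DEVSTACK_DIR - Top-level DevStack directory (not referenced in this copy)
# ADMIN_PASSWORD or OS_PASSWORD - password for the admin user (required)
# SERVICE_PASSWORD - password for the service users
#                    (defaults to ADMIN_PASSWORD)

# Stop on the first failed command or unset variable: continuing after a
# failed create would run the role assignments with empty IDs.
set -eu

#ADMIN_PASSWORD=${ADMIN_PASSWORD:-chenshake}
ADMIN_PASSWORD=${ADMIN_PASSWORD:-${OS_PASSWORD:-}}
# Refuse to create the admin account with an empty password.
: "${ADMIN_PASSWORD:?set ADMIN_PASSWORD or OS_PASSWORD before running}"
# Without this default the service users below were created with an empty
# password whenever SERVICE_PASSWORD was not exported by the caller.
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
# Supply the admin token and endpoint through the environment rather than
# hard-coding them in this file:
#export SERVICE_TOKEN="chenshake"
#export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Hard-coded: replaces any value passed in by the caller, so the quantum
# branch at the end of this script is never taken as written.
ENABLED_SERVICES="swift"

# NOTE: passwords are handed to the keystone client as --pass arguments,
# which makes them visible in the local process list and in `set -x`
# traces. Run this on a trusted host and do not enable tracing.

#######################################
# Run a keystone create command and print the id of the created object.
# Arguments: the full command line to run (e.g. keystone tenant-create ...)
# Outputs:   the value of the "id" row of the command's table on stdout
# Returns:   0 when an id was found, 1 otherwise
#######################################
function get_id () {
    local id
    id=$("$@" | awk '/ id / { print $4 }')
    if [[ -z "$id" ]]; then
        # Name only the subcommand: the full argument list may hold --pass.
        printf 'get_id: no id returned by: %s %s\n' "${1:-}" "${2:-}" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")
#DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
#INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)


# Users
ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass="$ADMIN_PASSWORD" \
                                         --email=admin@chenshake.com)
#DEMO_USER=$(get_id keystone user-create --name=demo \
#                                        --pass="$ADMIN_PASSWORD" \
#                                        --email=demo@chenshake.com)


# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)


# Add Roles to Users in Tenants
keystone user-role-add --user "$ADMIN_USER" --role "$ADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
#keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
#keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT

# TODO(termie): these two might be dubious
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONEADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONESERVICE_ROLE" --tenant_id "$ADMIN_TENANT"


# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
#keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
#keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT


# Configure service users/roles
# Every service user receives the admin role in the service tenant.
NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass="$SERVICE_PASSWORD" \
                                        --tenant_id "$SERVICE_TENANT" \
                                        --email=nova@chenshake.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
                       --user "$NOVA_USER" \
                       --role "$ADMIN_ROLE"

GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass="$SERVICE_PASSWORD" \
                                          --tenant_id "$SERVICE_TENANT" \
                                          --email=glance@chenshake.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
                       --user "$GLANCE_USER" \
                       --role "$ADMIN_ROLE"

if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
    SWIFT_USER=$(get_id keystone user-create --name=swift \
                                             --pass="$SERVICE_PASSWORD" \
                                             --tenant_id "$SERVICE_TENANT" \
                                             --email=swift@chenshake.com)
    keystone user-role-add --tenant_id "$SERVICE_TENANT" \
                           --user "$SWIFT_USER" \
                           --role "$ADMIN_ROLE"
    # Nova needs ResellerAdmin role to download images when accessing
    # swift through the s3 api. The admin role in swift allows a user
    # to act as an admin for their tenant, but ResellerAdmin is needed
    # for a user to act as any tenant. The name of this role is also
    # configurable in swift-proxy.conf
    RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
    keystone user-role-add --tenant_id "$SERVICE_TENANT" \
                           --user "$NOVA_USER" \
                           --role "$RESELLER_ROLE"
fi

if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
    QUANTUM_USER=$(get_id keystone user-create --name=quantum \
                                               --pass="$SERVICE_PASSWORD" \
                                               --tenant_id "$SERVICE_TENANT" \
                                               --email=quantum@chenshake.com)
    keystone user-role-add --tenant_id "$SERVICE_TENANT" \
                           --user "$QUANTUM_USER" \
                           --role "$ADMIN_ROLE"
fi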