Script to set up swift test users in keystone
#!/bin/bash
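usage="<prog> <identity endpoint> [os-password] [--remove]"
#
# Sets up (or, with --remove, tears down) the swift test users in keystone.
#
# identity endpoint should include /v3 at end of url
# e.g. <prog> http://hostname:5000/v3 ADMIN
# (password auth over plain http sends the admin password in cleartext; use an
# https endpoint for anything other than a local, throwaway keystone)
#
# hostname could be standalone keystone service or devstack keystone service
# Note: we are using password auth for keystone admin here - previously token
# auth had been just fine but I couldn't get that to auth 'create' commands.
# Following pattern of stack.sh which flips to password auth once initial
# keystone bootstrap is done.
DEFAULT_DOMAIN_NAME=default
TEST_DOMAIN=test-domain
USER_PREFIX=tester
PROJECT_PREFIX=test

# The identity endpoint is mandatory; without it every openstack call below
# would run against an empty auth URL.
if [ -z "${1:-}" ]; then
  printf 'usage: %s\n' "$usage" >&2
  exit 2
fi
OS_URL=$1
shift

# Optional second argument is the admin password (default "admin"). A bare
# --remove in this position is the flag, not a password, so that
# "<prog> <endpoint> --remove" behaves as the usage line promises.
OS_PASSWORD="admin"
if [ "$#" -gt 0 ] && [ "$1" != "--remove" ]; then
  if [ -n "$1" ]; then
    OS_PASSWORD=$1
  fi
  shift
fi
REMOVE=${1:-}

ADMIN_USERNAME=admin
ADMIN_PROJECT_NAME=admin

# The admin password is handed to the openstack client through the OS_PASSWORD
# environment variable instead of --os-password, so it is not exposed in the
# process list on every invocation and survives word-splitting of OS_CMD.
export OS_PASSWORD

# Do not print the password: this output routinely ends up in CI and shell logs.
echo "Using keystone admin credentials: {user: $ADMIN_USERNAME, password: <hidden>, project: $ADMIN_PROJECT_NAME}"

# Note
# may need to use token flow auth
# http://docs.openstack.org/developer/python-openstackclient/authentication.html
# openstack --os-url http://localhost:5000/v3 --os-identity-api-version 3 --os-token ADMIN

# common base command (a flat string: callers expand it unquoted so it
# word-splits into the command and its options)
OS_CMD="openstack --os-auth-url $OS_URL --os-identity-api-version 3 --os-username $ADMIN_USERNAME --os-project-name $ADMIN_PROJECT_NAME --os-user-domain-name $DEFAULT_DOMAIN_NAME --os-project-domain-name $DEFAULT_DOMAIN_NAME"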
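# create_account <user_name> <password> <project_name> <role_name> <domain_name>
#
# Ensures the project and the user exist in <domain_name> (--or-show reuses an
# existing one) and then grants <role_name> to the user on the project.
# Globals:   OS_CMD (read) - base openstack command string, word-split on purpose
# Outputs:   progress messages on stdout, failure messages on stderr
# Exits the whole script with status 1 as soon as one step fails.
#
# Note: the user password is passed on the openstack command line, so it is
# visible in the process list; the callers in this script only pass fixed,
# well-known test passwords.
function create_account {
  local user_name=$1
  local password=$2
  local project_name=$3
  local role_name=$4
  local domain_name=$5
  # Declared separately so the command substitution's exit status is not masked
  # by 'local'.
  local project_id user_id

  # shellcheck disable=SC2086 # OS_CMD must word-split into command + options
  if ! project_id=$($OS_CMD project create "$project_name" --domain "$domain_name" --or-show -f value -c id) \
    || [ -z "$project_id" ]; then
    echo "Failed to create project $project_name in domain $domain_name" >&2
    exit 1
  fi
  echo "Created project $project_name with id $project_id"

  # shellcheck disable=SC2086
  if ! user_id=$($OS_CMD user create "$user_name" --password "$password" --domain "$domain_name" --or-show -f value -c id) \
    || [ -z "$user_id" ]; then
    echo "Failed to create user $user_name in domain $domain_name" >&2
    exit 1
  fi
  echo "Created user $user_name with id $user_id"

  # Run the client directly. Wrapping it in $( ... ) in command position would
  # execute whatever the client printed as a second shell command.
  # shellcheck disable=SC2086
  if ! $OS_CMD role add --user "$user_id" --project "$project_id" "$role_name"; then
    echo "Failed to assign role $role_name to user $user_name on project $project_name" >&2
    exit 1
  fi
  echo "Assigned role $role_name to user $user_name on project $project_name"
}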
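# remove_account <user_name> <project_name> <role_name> <domain_name>
#
# Best-effort teardown of one test account: removes <role_name> from the user
# on the project (skipped when <role_name> is NONE), then deletes the project
# and the user in <domain_name>.
# Globals:   OS_CMD (read) - base openstack command string, word-split on purpose
# Outputs:   one line per completed step on stdout, failures on stderr
# A failed step is reported and the remaining steps still run, so a partially
# removed account can be cleaned up by running the script again.
#
# NOTE(review): the role removal looks the user and project up by name without
# a domain qualifier - confirm that resolves correctly for accounts outside
# the default domain.
function remove_account {
  local user_name=$1
  local project_name=$2
  local role_name=$3
  local domain_name=$4

  # The client is run directly in every step below. Wrapping it in $( ... ) in
  # command position would execute whatever the client printed as a second
  # shell command, and success was reported even when the call failed.
  if [ "$role_name" != "NONE" ]; then
    # shellcheck disable=SC2086 # OS_CMD must word-split into command + options
    if $OS_CMD role remove --user "$user_name" --project "$project_name" "$role_name"; then
      echo "Removed role $role_name from user $user_name on project $project_name"
    else
      echo "Failed to remove role $role_name from user $user_name on project $project_name" >&2
    fi
  fi

  # shellcheck disable=SC2086
  if $OS_CMD project delete "$project_name" --domain "$domain_name"; then
    echo "Deleted project $project_name in domain $domain_name"
  else
    echo "Failed to delete project $project_name in domain $domain_name" >&2
  fi

  # shellcheck disable=SC2086
  if $OS_CMD user delete "$user_name" --domain "$domain_name"; then
    echo "Deleted user $user_name in domain $domain_name"
  else
    echo "Failed to delete user $user_name in domain $domain_name" >&2
  fi
}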
# not pretending this is elegant
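# Entry point: tear the test accounts down when --remove was given, otherwise
# create them. The accounts use fixed, well-known passwords (testing,
# testing2, ...) and most hold the admin role on their project, so they belong
# only on a keystone used for testing and should be removed afterwards.
if [ "$REMOVE" == "--remove" ]; then
  # The first and third accounts share project ${PROJECT_PREFIX}: once the
  # first call has deleted it, the role removal and project deletion for the
  # third account are expected to report a failure.
  remove_account "${USER_PREFIX}" "${PROJECT_PREFIX}" admin "$DEFAULT_DOMAIN_NAME"
  remove_account "${USER_PREFIX}2" "${PROJECT_PREFIX}2" admin "$DEFAULT_DOMAIN_NAME"
  remove_account "${USER_PREFIX}3" "${PROJECT_PREFIX}" not_admin_role "$DEFAULT_DOMAIN_NAME"
  remove_account "${USER_PREFIX}4" "${PROJECT_PREFIX}4" admin "$TEST_DOMAIN"
  remove_account "${USER_PREFIX}5" "${PROJECT_PREFIX}5" swiftservice "$DEFAULT_DOMAIN_NAME"
  # Run the client directly; $( ... ) in command position would execute its
  # output as a shell command.
  # shellcheck disable=SC2086 # OS_CMD must word-split into command + options
  if ! $OS_CMD role delete swiftservice; then
    echo "Failed to delete role swiftservice" >&2
  fi
  # NOTE(review): not_admin_role and the $TEST_DOMAIN domain created by the
  # setup path are not removed here and stay behind in keystone.
else
  # create a non-admin role for the third account to use
  # shellcheck disable=SC2086
  role_id=$($OS_CMD role create not_admin_role --or-show -f value -c id)
  if [ -z "$role_id" ]; then
    echo "Failed to create role not_admin_role" >&2
    exit 1
  fi
  echo "Created role not_admin_role with id $role_id"

  # create the 'standard' swift accounts
  create_account "${USER_PREFIX}" testing "${PROJECT_PREFIX}" admin "$DEFAULT_DOMAIN_NAME"
  create_account "${USER_PREFIX}2" testing2 "${PROJECT_PREFIX}2" admin "$DEFAULT_DOMAIN_NAME"
  # no mistake, third user is in first project, but not admin...
  create_account "${USER_PREFIX}3" testing3 "${PROJECT_PREFIX}" not_admin_role "$DEFAULT_DOMAIN_NAME"

  # fourth user is in a different domain
  # --or-show keeps a re-run from failing on the already existing domain, in
  # line with the project/user/role creation commands.
  # shellcheck disable=SC2086
  $OS_CMD domain create --enable --or-show "$TEST_DOMAIN"
  create_account "${USER_PREFIX}4" testing4 "${PROJECT_PREFIX}4" admin "$TEST_DOMAIN"

  # create the 'special service role' (avoiding 'service' which is already used in devstack)
  # shellcheck disable=SC2086
  role_id=$($OS_CMD role create swiftservice --or-show -f value -c id)
  if [ -z "$role_id" ]; then
    echo "Failed to create role swiftservice" >&2
    exit 1
  fi
  echo "Created role swiftservice with id $role_id"

  # create the 'service account' which only has role swiftservice
  create_account "${USER_PREFIX}5" testing5 "${PROJECT_PREFIX}5" swiftservice "$DEFAULT_DOMAIN_NAME"
fi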