#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant              User     Roles
# ------------------------------------------------------------------
# admin               admin    admin, KeystoneAdmin, KeystoneServiceAdmin
# service             glance   admin
# service             nova     admin, [ResellerAdmin (swift only)]
# service             quantum  admin      # if enabled
# service             swift    admin      # if enabled
# demo                admin    admin
# demo                demo     Member, anotherrole
# invisible_to_admin  demo     Member
#
# Variables this script relies on (see the assignments below for which
# of them are taken from the environment and which are fixed here):
# SERVICE_TOKEN       - aka admin_token in keystone.conf.  This is the
#                       bootstrap credential the keystone client presents
#                       instead of a normal login; treat it as a secret.
# SERVICE_ENDPOINT    - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# ENABLED_SERVICES    - stack.sh's list of services to start
# DEVSTACK_DIR        - Top-level DevStack directory (listed for parity
#                       with stack.sh; not referenced in this script)
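# --- Configuration ---------------------------------------------------------
# Every setting can be overridden from the environment; the defaults only
# exist so a throwaway local stack can be bootstrapped with no setup.
#
# SECURITY: the default password and token are weak and published with this
# script.  SERVICE_TOKEN is keystone's admin_token, a bootstrap credential
# that is accepted in place of a normal login, so for anything that is not
# disposable set ADMIN_PASSWORD, SERVICE_PASSWORD and SERVICE_TOKEN
# explicitly and disable admin_token in keystone.conf once bootstrapping is
# done.
ADMIN_PASSWORD=${ADMIN_PASSWORD:-geniux}
# Service accounts share the admin password unless given their own.
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
# Exported because the keystone CLI reads its bootstrap credentials from the
# environment.  Both default to the values this script has always used.
export SERVICE_TOKEN="${SERVICE_TOKEN:-geniux}"
export SERVICE_ENDPOINT="${SERVICE_ENDPOINT:-http://localhost:35357/v2.0}"
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
# Services to create accounts for; only "swift" and "quantum" are checked
# for further down.
ENABLED_SERVICES=${ENABLED_SERVICES:-swift}
# Warn on stderr when a default credential is in use so it does not get
# carried silently into a real deployment.  The secret itself is never
# printed.
if [[ "$ADMIN_PASSWORD" == "geniux" || "$SERVICE_TOKEN" == "geniux" ]]; then
  printf 'WARNING: default ADMIN_PASSWORD/SERVICE_TOKEN in use; set them explicitly for anything non-throwaway\n' >&2
fi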
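#######################################
# Run a keystone CLI command and print the value of its "id" row.
# Arguments: the command and its arguments, passed through unchanged
# Outputs:   the id on stdout (an empty line if none was printed)
# Returns:   0 if an id was found, 1 otherwise (with a warning on stderr)
#######################################
function get_id () {
  local id
  # The CLI prints a table whose id row looks like "| id | <uuid> |", so the
  # value is the 4th whitespace-separated field.  "$@" keeps each argument
  # intact even when it contains spaces.
  id=$("$@" | awk '/ id / { print $4 }')
  if [[ -z "$id" ]]; then
    # Only name the command and subcommand: the remaining arguments can
    # carry --pass=... and must never be echoed to a terminal or log.
    printf 'get_id: no id found in output of: %s %s\n' "${1-}" "${2-}" >&2
  fi
  printf '%s\n' "$id"
  [[ -n "$id" ]]
}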
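# Tenants -------------------------------------------------------------------
# Each call yields the new tenant's id.  An empty value means the keystone
# call failed (presumably the usual cause is the tenant already existing on
# a re-run); every role assignment below that uses it will then fail too.
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
# Quoted so a tenant name containing spaces is passed as one argument.
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
# The admin user is never given a role here; it exists to exercise a tenant
# the admin user cannot see.
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)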
# Users ---------------------------------------------------------------------
# The two human accounts.  NOTE(review): demo is created with
# ADMIN_PASSWORD, not a separate secret, so whoever holds the demo login
# also holds the admin one; acceptable for a throwaway stack only.  The
# password is passed on the command line (--pass=), so it is visible in the
# process list while the CLI runs.
ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD" --email=admin@hastexo.com)
DEMO_USER=$(get_id keystone user-create --name=demo --pass="$ADMIN_PASSWORD" --email=demo@hastexo.com)
# Roles ---------------------------------------------------------------------
# Role ids are captured here and bound to users further down.
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
# Keystone-specific admin roles; only the admin user receives them.
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
# "anotherrole" demonstrates that an arbitrary role may be created and used.
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
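# Add Roles to Users in Tenants ---------------------------------------------
# Every id is quoted: if a create above failed and left an id empty, an
# unquoted expansion would disappear and the next flag would be consumed as
# the value, giving a misleading error instead of a clear "missing id".
keystone user-role-add --user "$ADMIN_USER" --role "$ADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user "$ADMIN_USER" --role "$ADMIN_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user "$DEMO_USER" --role "$ANOTHER_ROLE" --tenant_id "$DEMO_TENANT"
# TODO(termie): these two might be dubious
# NOTE(review): they grant the admin user two extra keystone-specific admin
# roles in the admin tenant; nothing else in this script depends on them.
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONEADMIN_ROLE" --tenant_id "$ADMIN_TENANT"
keystone user-role-add --user "$ADMIN_USER" --role "$KEYSTONESERVICE_ROLE" --tenant_id "$ADMIN_TENANT"
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user "$DEMO_USER" --role "$MEMBER_ROLE" --tenant_id "$DEMO_TENANT"
keystone user-role-add --user "$DEMO_USER" --role "$MEMBER_ROLE" --tenant_id "$INVIS_TENANT"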
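# Configure service users/roles ---------------------------------------------
# Each service gets its own account in the service tenant with the admin
# role there.  Ids are quoted so an empty one (failed create) cannot swallow
# the following flag.  SERVICE_PASSWORD is passed via --pass=, i.e. on the
# command line, so it is visible in the process list while the CLI runs.
NOVA_USER=$(get_id keystone user-create --name=nova \
  --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" \
  --email=nova@hastexo.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
  --user "$NOVA_USER" \
  --role "$ADMIN_ROLE"
GLANCE_USER=$(get_id keystone user-create --name=glance \
  --pass="$SERVICE_PASSWORD" \
  --tenant_id "$SERVICE_TENANT" \
  --email=glance@hastexo.com)
keystone user-role-add --tenant_id "$SERVICE_TENANT" \
  --user "$GLANCE_USER" \
  --role "$ADMIN_ROLE"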
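# Swift is optional: this is a substring match on ENABLED_SERVICES.
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
  SWIFT_USER=$(get_id keystone user-create --name=swift \
    --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" \
    --email=swift@hastexo.com)
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$SWIFT_USER" \
    --role "$ADMIN_ROLE"
  # Nova needs ResellerAdmin role to download images when accessing
  # swift through the s3 api. The admin role in swift allows a user
  # to act as an admin for their tenant, but ResellerAdmin is needed
  # for a user to act as any tenant. The name of this role is also
  # configurable in swift-proxy.conf
  # NOTE(review): this is a cross-tenant privilege, so the nova service
  # credential is effectively a swift-wide admin; keep SERVICE_PASSWORD
  # as tightly held as ADMIN_PASSWORD.
  RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
  # NOVA_USER comes from the service-user section above; quoting keeps an
  # empty id from consuming the --role flag.
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$NOVA_USER" \
    --role "$RESELLER_ROLE"
fi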
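# Quantum (networking) is optional: substring match on ENABLED_SERVICES.
if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
  QUANTUM_USER=$(get_id keystone user-create --name=quantum \
    --pass="$SERVICE_PASSWORD" \
    --tenant_id "$SERVICE_TENANT" \
    --email=quantum@hastexo.com)
  # Quoted ids: an empty SERVICE_TENANT or QUANTUM_USER must fail loudly
  # rather than shift the remaining flags into the wrong positions.
  keystone user-role-add --tenant_id "$SERVICE_TENANT" \
    --user "$QUANTUM_USER" \
    --role "$ADMIN_ROLE"
fi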