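#!/usr/bin/env bash
#
# Modified from https://gist.github.com/mcornea/68fa6b75dfc6c7f870c8a2d936752f9a
#
# Description: create two domains with admin and non-admin users for keystone v3 OSP setup
#
# Requirements: deployed OSP with 1 controller, existing keystone v3 endpoint
# https://bugzilla.redhat.com/show_bug.cgi?id=1228542#c13
#
# Environment (all optional; the defaults reproduce the original behaviour):
#   UCRC           undercloud rc file            (default /home/stack/stackrc)
#   OCRC           overcloud rc file             (default /home/stack/overcloudrc)
#   USER_PASSWORD  password set on every user this script creates
#                  (default "password" — override for anything but a throwaway lab)
#
# Output: the role listings of every created user, then the ids and tokens as
# NAME=VALUE lines.  The two *_TOKEN lines are live bearer credentials, so treat
# stdout of this script accordingly.
#
# `set -x` is deliberately NOT enabled: the trace would write the overcloud
# admin password and every keystone token to stderr.
set -Eeuo pipefail
trap 'printf "error: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

UCRC="${UCRC:-/home/stack/stackrc}"
OCRC="${OCRC:-/home/stack/overcloudrc}"
USER_PASSWORD="${USER_PASSWORD:-password}"
readonly KEYSTONE_PORT=5000

# Print a message to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Read one variable out of an OpenStack rc file.
# The file is sourced in a subshell so quoted values, or values that
# themselves contain "=", are read the way the shell reads them.
# Arguments: $1 - rc file, $2 - variable name
# Outputs:   the value (possibly empty) on stdout
#######################################
rc_value() {
  local rc=$1 name=$2
  # shellcheck disable=SC1090 — path comes from the environment
  ( set +eu; source "$rc" >/dev/null 2>&1; printf '%s' "${!name}" )
}

# Abort unless $1 looks like an id keystone returned ($2 names the object).
# jq -r prints the literal "null" when the key is missing from an error body.
require_id() {
  [[ -n "$1" && "$1" != "null" ]] || die "keystone did not return an id for $2"
}

# Full URL of a keystone v3 API path (relative to /v3/).
ks_url() { printf 'http://%s:%s/v3/%s' "$HOSTAUTH" "$KEYSTONE_PORT" "$1"; }

#######################################
# Issue a JSON request against keystone v3 and print the response body.
# Arguments: $1 - HTTP method
#            $2 - API path relative to /v3/
#            $3 - X-Auth-Token ("" to send none)
#            $4 - JSON body (optional)
#######################################
ks_request() {
  local method=$1 path=$2 token=$3 body=${4-}
  local -a args=(-s -X "$method" -H "Content-Type: application/json")
  if [[ -n "$token" ]]; then
    args+=(-H "X-Auth-Token: $token")
  fi
  if [[ -n "$body" ]]; then
    args+=(-d "$body")
  fi
  curl "${args[@]}" "$(ks_url "$path")"
}

#######################################
# Authenticate with a password and print the issued token.
# Arguments: $1 - JSON auth body (see auth_body_* below)
# Outputs:   the X-Subject-Token value on stdout
# Returns:   1 when no token header came back
#######################################
ks_token() {
  local body=$1 token
  token=$(curl -s -D - -o /dev/null -H "Content-Type: application/json" \
            -d "$body" "$(ks_url auth/tokens)" \
          | awk 'tolower($1) == "x-subject-token:" { print $2 }' | tr -d '\r')
  [[ -n "$token" ]] || return 1
  printf '%s' "$token"
}

# Project-scoped password auth body.
# Arguments: $1 - user/project domain name, $2 - user, $3 - password, $4 - project
# Built with jq --arg so a password containing quotes cannot break the JSON.
auth_body_project() {
  jq -n --arg dom "$1" --arg user "$2" --arg pw "$3" --arg proj "$4" '{
    auth: {
      identity: {
        methods: ["password"],
        password: { user: { domain: { name: $dom }, name: $user, password: $pw } }
      },
      scope: { project: { domain: { name: $dom }, name: $proj } }
    }
  }'
}

# Domain-scoped password auth body.
# Arguments: $1 - domain name (user domain and scope), $2 - user, $3 - password
auth_body_domain() {
  jq -n --arg dom "$1" --arg user "$2" --arg pw "$3" '{
    auth: {
      identity: {
        methods: ["password"],
        password: { user: { domain: { name: $dom }, name: $user, password: $pw } }
      },
      scope: { domain: { name: $dom } }
    }
  }'
}

#######################################
# Create an enabled domain and print its id.
# Arguments: $1 - token, $2 - domain name
#######################################
ks_create_domain() {
  local token=$1 name=$2 id
  id=$(ks_request POST domains "$token" \
         "$(jq -n --arg n "$name" '{domain: {enabled: true, name: $n}}')" \
       | jq -r '.domain.id')
  require_id "$id" "domain $name"
  printf '%s' "$id"
}

#######################################
# Create an enabled user in a domain and print its id.
# Arguments: $1 - token, $2 - domain id, $3 - user name,
#            $4 - description, $5 - password
#######################################
ks_create_user() {
  local token=$1 domain_id=$2 name=$3 description=$4 password=$5 body id
  body=$(jq -n --arg d "$domain_id" --arg n "$name" --arg desc "$description" \
           --arg pw "$password" \
           '{user: {description: $desc, domain_id: $d, enabled: true, name: $n, password: $pw}}')
  id=$(ks_request POST users "$token" "$body" | jq -r '.user.id')
  require_id "$id" "user $name"
  printf '%s' "$id"
}

# Print the id of the first role whose name is $2 (using token $1).
ks_role_id() {
  local token=$1 name=$2 id
  id=$(ks_request GET "roles?name=$name" "$token" | jq -r '.roles[0].id')
  require_id "$id" "role $name"
  printf '%s' "$id"
}

#######################################
# Grant a role to a user on a domain; abort on a non-2xx reply.
# Arguments: $1 - token, $2 - domain id, $3 - user id, $4 - role id
#######################################
ks_grant_domain_role() {
  local token=$1 domain_id=$2 user_id=$3 role_id=$4 code
  code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT \
           -H "X-Auth-Token: $token" -H "Content-Type: application/json" \
           "$(ks_url "domains/$domain_id/users/$user_id/roles/$role_id")")
  [[ "$code" == 2* ]] \
    || die "role assignment for user $user_id on domain $domain_id failed (HTTP $code)"
}

# Print the roles user $3 holds on domain $2 (using token $1).
ks_show_domain_roles() {
  local token=$1 domain_id=$2 user_id=$3
  ks_request GET "domains/$domain_id/users/$user_id/roles" "$token" | jq .roles
}

# Run one shell command string on the controller as heat-admin.
# StrictHostKeyChecking=no accepts whatever host key the controller presents
# (the undercloud usually has no entry for a freshly deployed overcloud);
# pre-seeding known_hosts removes that exposure.
ssh_ctrl() {
  ssh -o StrictHostKeyChecking=no -l heat-admin "$CTRLIP" "$1"
}

main() {
  [[ -r "$OCRC" ]] || die "cannot read $OCRC"
  [[ -r "$UCRC" ]] || die "cannot read $UCRC"

  local auth_url
  OC_PASSWORD=$(rc_value "$OCRC" OS_PASSWORD)
  [[ -n "$OC_PASSWORD" ]] || die "OS_PASSWORD not found in $OCRC"
  auth_url=$(rc_value "$OCRC" OS_AUTH_URL)
  [[ -n "$auth_url" ]] || die "OS_AUTH_URL not found in $OCRC"
  # host part of the URL: strip scheme, then path, then port
  HOSTAUTH=${auth_url#*://}
  HOSTAUTH=${HOSTAUTH%%/*}
  HOSTAUTH=${HOSTAUTH%%:*}

  # undercloud credentials are needed for `nova list`; rc files may reference
  # unset variables, so -u is relaxed while sourcing
  set +u
  # shellcheck disable=SC1090
  source "$UCRC"
  set -u
  CTRLIP=$(nova list | awk '/controller-0/ {print $12}' | grep -oP '[0-9.]+') \
    || die "could not find controller-0 in nova list"
  [[ -n "$CTRLIP" ]] || die "controller-0 has no address in nova list"

  ADMIN_TOKEN=$(ks_token "$(auth_body_project Default admin "$OC_PASSWORD" admin)") \
    || die "could not obtain an admin token from $HOSTAUTH"
  ID_ADMIN_DOMAIN=$(ks_create_domain "$ADMIN_TOKEN" admin_domain)
  ID_CLOUD_ADMIN=$(ks_create_user "$ADMIN_TOKEN" "$ID_ADMIN_DOMAIN" cloud_admin \
                     "Cloud administrator" "$USER_PASSWORD")
  ADMIN_ROLE_ID=$(ks_role_id "$ADMIN_TOKEN" admin)
  ks_grant_domain_role "$ADMIN_TOKEN" "$ID_ADMIN_DOMAIN" "$ID_CLOUD_ADMIN" "$ADMIN_ROLE_ID"
  ks_show_domain_roles "$ADMIN_TOKEN" "$ID_ADMIN_DOMAIN" "$ID_CLOUD_ADMIN"

  # everything below is done as the new cloud admin, scoped to admin_domain
  CLOUD_ADMIN_TOKEN=$(ks_token "$(auth_body_domain admin_domain cloud_admin "$USER_PASSWORD")") \
    || die "could not obtain a cloud_admin token"
  ID_DOM1=$(ks_create_domain "$CLOUD_ADMIN_TOKEN" dom1)
  ID_DOM2=$(ks_create_domain "$CLOUD_ADMIN_TOKEN" dom2)
  ID_ADM1=$(ks_create_user "$CLOUD_ADMIN_TOKEN" "$ID_DOM1" adm1 \
              "Administrator of domain dom1" "$USER_PASSWORD")
  ID_USR1=$(ks_create_user "$CLOUD_ADMIN_TOKEN" "$ID_DOM1" usr1 \
              "User of domain dom1" "$USER_PASSWORD")
  ID_ADM2=$(ks_create_user "$CLOUD_ADMIN_TOKEN" "$ID_DOM2" adm2 \
              "Administrator of domain dom2" "$USER_PASSWORD")
  ID_USR2=$(ks_create_user "$CLOUD_ADMIN_TOKEN" "$ID_DOM2" usr2 \
              "User of domain dom2" "$USER_PASSWORD")
  ks_grant_domain_role "$CLOUD_ADMIN_TOKEN" "$ID_DOM1" "$ID_ADM1" "$ADMIN_ROLE_ID"
  ks_grant_domain_role "$CLOUD_ADMIN_TOKEN" "$ID_DOM2" "$ID_ADM2" "$ADMIN_ROLE_ID"
  ks_show_domain_roles "$CLOUD_ADMIN_TOKEN" "$ID_DOM1" "$ID_ADM1"
  ks_show_domain_roles "$CLOUD_ADMIN_TOKEN" "$ID_DOM1" "$ID_USR1"
  ks_show_domain_roles "$CLOUD_ADMIN_TOKEN" "$ID_DOM2" "$ID_ADM2"
  ks_show_domain_roles "$CLOUD_ADMIN_TOKEN" "$ID_DOM2" "$ID_USR2"

  local name
  for name in ADMIN_TOKEN ID_ADMIN_DOMAIN ID_CLOUD_ADMIN ADMIN_ROLE_ID \
              CLOUD_ADMIN_TOKEN ID_DOM1 ID_ADM1 ID_USR1 ID_ADM2 ID_USR2; do
    printf '%s=%s\n' "$name" "${!name}"
  done

  # Install the v3 cloud-sample policy on the controller.  The policy is
  # fetched unpinned from the keystone master branch; -f makes a 404 or other
  # error abort instead of installing an HTML error page as policy.json, and
  # && stops the chain at the first failure.  Review (or pin) the fetched file
  # before using this outside a lab.
  ssh_ctrl "curl -fsSLO https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json && sed s/admin_domain_id/${ID_ADMIN_DOMAIN}/ < policy.v3cloudsample.json > policy.json-v3"
  ssh_ctrl "sudo cp /etc/keystone/policy.json /etc/keystone/policy.json-v2 && sudo cp /home/heat-admin/policy.json-v3 /etc/keystone/policy.json && sudo chown keystone /etc/keystone/policy.json"
  ssh_ctrl "sudo systemctl restart httpd"
}

main "$@"
# TODO manually
# keystone service-create --name keystonev3 --type identityv3 --description "Keystone Identity Service v3"
# keystone endpoint-create --region regionOne --service keystonev3 --publicurl "http://10.0.0.4:5000/v3" --adminurl "http://192.0.2.6:35357/v3" --internalurl "http://172.16.2.4:5000/v3"
# see https://bugzilla.redhat.com/show_bug.cgi?id=1329635#c13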