From d61b4adadf19a1d28db831727c597031fd22bad6 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Thu, 3 Mar 2016 14:10:31 -0800
Subject: [PATCH] Add roles for CI users Without this patch, puppet does not idempotently create the openstackci and openstackjenkins users. Puppet will create the openstackci and openstackjenkins users, but won't assign them any kind of membership in the openstackci and openstackjenkins projects. Then on the second puppet run, puppet tries to check the users' passwords by issuing an 'openstack token issue' command. Without a role, the users can't authenticate and receive a 401. Puppet then reports that it 'changed password' because the password check failed. The name of the role, 'user', is not significant. The strange syntax of the keystone_user_role resource is explained in the keystone module[1]. [1] http://git.openstack.org/cgit/openstack/puppet-keystone/tree/examples/user_project_user_role_composite_namevar.pp Change-Id: I4fb94722ccafb80cdbefa9500b2124a82ddd57cf
---
 .../manifests/infracloud/controller.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/modules/openstack_project/manifests/infracloud/controller.pp b/modules/openstack_project/manifests/infracloud/controller.pp
index ed7552b964..d95ed3e243 100644
--- a/modules/openstack_project/manifests/infracloud/controller.pp
+++ b/modules/openstack_project/manifests/infracloud/controller.pp
@@ -85,6 +85,17 @@ class openstack_project::infracloud::controller (
 password => $openstackjenkins_password,
 require => Keystone_tenant['openstackjenkins'],
 }
+
+ keystone_role { 'user': ensure => present }
+
+ keystone_user_role { 'openstackci::infra@openstackci::infra':
+ roles => 'user',
+ }
+
+ keystone_user_role { 'openstackjenkins::infra@openstackjenkins::infra':
+ roles => 'user',
+ }
+
 realize (
 User::Virtual::Localuser['colleen'],
 User::Virtual::Localuser['rcarrillocruz'],
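Review bot: The two `keystone_user_role` titles are written in the composite `user::user_domain@project::project_domain` form with no comment in the manifest, so a later reader has only the commit message to learn why `openstackci::infra@openstackci::infra` looks that way and why a role named `user` exists at all. I would add above `keystone_role { 'user': ensure => present }` a comment such as `# CI users need a role on their own project to authenticate; title is user::user_domain@project::project_domain.` Because the role exists only to give these accounts project membership, the comment should also say that it is meant to stay a non-admin role; what `user` actually permits is decided by each service's policy files, which are not visible in this hunk. The enclosing class body starts before the hunk and continues after it.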