Merge "Add support for system role in role assignment"

Zuul 2022-03-08 19:35:48 +00:00 committed by Gerrit Code Review
commit 08bbadedb0
1 changed files with 17 additions and 3 deletions


@ -37,6 +37,12 @@ options:
- Name or ID of the domain to scope the role association to. Valid only
with keystone version 3, and required if I(project) is not specified.
type: str
system:
description:
- Name of system to scope the role association to. Valid only with
keystone version 3, and required if I(project) and I(domain)
are not specified.
type: str
state:
description:
- Should the roles be present or absent on the user.
@ -82,6 +88,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
group=dict(required=False),
project=dict(required=False),
domain=dict(required=False),
system=dict(required=False),
state=dict(default='present', choices=['absent', 'present']),
)
@ -99,7 +106,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
return True
return False
def _build_kwargs(self, user, group, project, domain):
def _build_kwargs(self, user, group, project, domain, system):
kwargs = {}
if user:
kwargs['user'] = user
@ -109,6 +116,8 @@ class IdentityRoleAssignmentModule(OpenStackModule):
kwargs['project'] = project
if domain:
kwargs['domain'] = domain
if system:
kwargs['system'] = system
return kwargs
def run(self):
@ -117,6 +126,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
group = self.params.get('group')
project = self.params.get('project')
domain = self.params.get('domain')
system = self.params.get('system')
state = self.params.get('state')
filters = {}
@ -164,6 +174,10 @@ class IdentityRoleAssignmentModule(OpenStackModule):
if p is None:
self.fail_json(msg="Project %s is not valid" % project)
filters['project'] = p['id']
if system:
# the system role name is the argument. list_role_assignments will
# fail if the system role name is not valid
filters['system'] = system
assignment = self.conn.list_role_assignments(filters=filters)
@ -174,13 +188,13 @@ class IdentityRoleAssignmentModule(OpenStackModule):
if state == 'present':
if not assignment:
kwargs = self._build_kwargs(user, group, project, domain_id)
kwargs = self._build_kwargs(user, group, project, domain_id, system)
self.conn.grant_role(role, **kwargs)
changed = True
elif state == 'absent':
if assignment:
kwargs = self._build_kwargs(user, group, project, domain_id)
kwargs = self._build_kwargs(user, group, project, domain_id, system)
self.conn.revoke_role(role, **kwargs)
changed = True
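Review bot: Nothing in these hunks stops `system` from being combined with `project` or `domain`: in `run()` the new `filters['system'] = system` is set alongside any project or domain filter, and `_build_kwargs` forwards all of them to `grant_role`/`revoke_role`, so which scope the role ends up on is left to the SDK. A system-scoped assignment is the broadest grant Keystone offers, so the module should reject an ambiguous target itself, for example `if system and (project or domain): self.fail_json(msg="system cannot be combined with project or domain")` before the filters are built (drop `domain` from the check if it is also needed to locate the user). The option text also says `system` is required when neither `project` nor `domain` is given, but no such check is visible here. The module kwargs of the argument spec and most of `run()` lie outside the hunks, so confirm they do not already enforce either rule.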