Update role_assignment to use proxy
Updating role_assignment module to use the new openstacksdk Change-Id: I09258e18d50acb57501ea1b47d9422dad857607e
This commit is contained in:
parent
9272146cf7
commit
8d5195fdf2
@ -94,6 +94,7 @@
|
||||
port
|
||||
project
|
||||
recordset
|
||||
role_assignment
|
||||
security_group
|
||||
subnet_pool
|
||||
user
|
||||
|
47
ci/roles/role_assignment/tasks/main.yml
Normal file
47
ci/roles/role_assignment/tasks/main.yml
Normal file
@ -0,0 +1,47 @@
|
||||
---
|
||||
- name: Create project
|
||||
openstack.cloud.project:
|
||||
cloud: "{{ cloud }}"
|
||||
state: present
|
||||
name: ansible_project
|
||||
description: dummy description
|
||||
domain_id: default
|
||||
enabled: True
|
||||
register: project
|
||||
|
||||
- name: Grant an admin role on the user admin in the project ansible_project
|
||||
openstack.cloud.role_assignment:
|
||||
cloud: "{{ cloud }}"
|
||||
domain: default
|
||||
project: ansible_project
|
||||
role: admin
|
||||
user: admin
|
||||
|
||||
- name: Grant an admin role on the user admin in the project ansible_project again
|
||||
openstack.cloud.role_assignment:
|
||||
cloud: "{{ cloud }}"
|
||||
domain: default
|
||||
project: ansible_project
|
||||
role: admin
|
||||
user: admin
|
||||
register: grant_again
|
||||
|
||||
- name: Ensure grant again doesn't change anything
|
||||
assert:
|
||||
that:
|
||||
- not grant_again.changed
|
||||
|
||||
- name: Revoke the admin role on the user admin in the project ansible_project
|
||||
openstack.cloud.role_assignment:
|
||||
cloud: "{{ cloud }}"
|
||||
domain: default
|
||||
project: ansible_project
|
||||
role: admin
|
||||
state: absent
|
||||
user: admin
|
||||
|
||||
- name: Delete project
|
||||
openstack.cloud.project:
|
||||
cloud: "{{ cloud }}"
|
||||
state: absent
|
||||
name: ansible_project
|
@ -51,6 +51,7 @@
|
||||
- { role: port, tags: port }
|
||||
- { role: project, tags: project }
|
||||
- { role: recordset, tags: recordset }
|
||||
- { role: role_assignment, tags: role_assignment }
|
||||
- { role: router, tags: router }
|
||||
- { role: security_group, tags: security_group }
|
||||
- { role: server, tags: server }
|
||||
|
@ -130,47 +130,33 @@ class IdentityRoleAssignmentModule(OpenStackModule):
|
||||
state = self.params.get('state')
|
||||
|
||||
filters = {}
|
||||
find_filters = {}
|
||||
domain_id = None
|
||||
|
||||
r = self.conn.get_role(role)
|
||||
r = self.conn.identity.find_role(role)
|
||||
if r is None:
|
||||
self.fail_json(msg="Role %s is not valid" % role)
|
||||
filters['role'] = r['id']
|
||||
|
||||
if domain:
|
||||
d = self.conn.get_domain(name_or_id=domain)
|
||||
d = self.conn.identity.find_domain(domain)
|
||||
if d is None:
|
||||
self.fail_json(msg="Domain %s is not valid" % domain)
|
||||
filters['domain'] = d['id']
|
||||
domain_id = d['id']
|
||||
find_filters['domain_id'] = domain_id
|
||||
if user:
|
||||
if domain:
|
||||
u = self.conn.get_user(user, domain_id=filters['domain'])
|
||||
else:
|
||||
u = self.conn.get_user(user)
|
||||
|
||||
u = self.conn.identity.find_user(user, **find_filters)
|
||||
if u is None:
|
||||
self.fail_json(msg="User %s is not valid" % user)
|
||||
filters['user'] = u['id']
|
||||
|
||||
if group:
|
||||
if domain:
|
||||
g = self.conn.get_group(group, domain_id=filters['domain'])
|
||||
else:
|
||||
g = self.conn.get_group(group)
|
||||
g = self.conn.identity.find_group(group, **find_filters)
|
||||
if g is None:
|
||||
self.fail_json(msg="Group %s is not valid" % group)
|
||||
filters['group'] = g['id']
|
||||
if project:
|
||||
if domain:
|
||||
p = self.conn.get_project(project, domain_id=filters['domain'])
|
||||
# OpenStack won't allow us to use both a domain and project as
|
||||
# filter. Once we identified the project (using the domain as
|
||||
# a filter criteria), we need to remove the domain itself from
|
||||
# the filters list.
|
||||
domain_id = filters.pop('domain')
|
||||
else:
|
||||
p = self.conn.get_project(project)
|
||||
|
||||
p = self.conn.identity.find_project(project, **find_filters)
|
||||
if p is None:
|
||||
self.fail_json(msg="Project %s is not valid" % project)
|
||||
filters['project'] = p['id']
|
||||
@ -179,6 +165,9 @@ class IdentityRoleAssignmentModule(OpenStackModule):
|
||||
# fail if the system role name is not valid
|
||||
filters['system'] = system
|
||||
|
||||
# Keeping the self.conn.list_role_assignments because it calls directly
|
||||
# the identity.role_assignments and there are some logics for the
|
||||
# filters that won't worth rewrite here.
|
||||
assignment = self.conn.list_role_assignments(filters=filters)
|
||||
|
||||
if self.ansible.check_mode:
|
||||
@ -186,6 +175,9 @@ class IdentityRoleAssignmentModule(OpenStackModule):
|
||||
|
||||
changed = False
|
||||
|
||||
# Both grant_role and revoke_role calls directly the proxy layer, and
|
||||
# has some logic that won't worth to rewrite here so keeping it is a
|
||||
# good idea
|
||||
if state == 'present':
|
||||
if not assignment:
|
||||
kwargs = self._build_kwargs(user, group, project, domain_id, system)
|
||||
|
Loading…
Reference in New Issue
Block a user