Update role_assignment to use proxy

Updating role_assignment module to use the new openstacksdk

Change-Id: I09258e18d50acb57501ea1b47d9422dad857607e
Arx Cruz 2022-05-30 11:46:14 +02:00
parent 9272146cf7
commit 8d5195fdf2
4 changed files with 63 additions and 22 deletions


@ -94,6 +94,7 @@
port port
project project
recordset recordset
role_assignment
security_group security_group
subnet_pool subnet_pool
user user


@ -0,0 +1,47 @@
---
- name: Create project
openstack.cloud.project:
cloud: "{{ cloud }}"
state: present
name: ansible_project
description: dummy description
domain_id: default
enabled: True
register: project
- name: Grant an admin role on the user admin in the project ansible_project
openstack.cloud.role_assignment:
cloud: "{{ cloud }}"
domain: default
project: ansible_project
role: admin
user: admin
- name: Grant an admin role on the user admin in the project ansible_project again
openstack.cloud.role_assignment:
cloud: "{{ cloud }}"
domain: default
project: ansible_project
role: admin
user: admin
register: grant_again
- name: Ensure grant again doesn't change anything
assert:
that:
- not grant_again.changed
- name: Revoke the admin role on the user admin in the project ansible_project
openstack.cloud.role_assignment:
cloud: "{{ cloud }}"
domain: default
project: ansible_project
role: admin
state: absent
user: admin
- name: Delete project
openstack.cloud.project:
cloud: "{{ cloud }}"
state: absent
name: ansible_project
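Review bot: The revoke task (`state: absent`) is never verified: its result is not registered and nothing asserts that the admin role is gone before the project is deleted, so a regression in which revocation silently does nothing would still pass. Add `register: revoke` to that task and an assert on `revoke is changed`, then repeat the revoke and assert it reports no change, mirroring the existing `grant_again` check. The first grant has the same gap; registering it and asserting `is changed` would show the role was actually assigned by the module. Every task here uses a project scope, so the domain-only and group paths of the module are not exercised.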


@ -51,6 +51,7 @@
- { role: port, tags: port } - { role: port, tags: port }
- { role: project, tags: project } - { role: project, tags: project }
- { role: recordset, tags: recordset } - { role: recordset, tags: recordset }
- { role: role_assignment, tags: role_assignment }
- { role: router, tags: router } - { role: router, tags: router }
- { role: security_group, tags: security_group } - { role: security_group, tags: security_group }
- { role: server, tags: server } - { role: server, tags: server }


@ -130,47 +130,33 @@ class IdentityRoleAssignmentModule(OpenStackModule):
state = self.params.get('state') state = self.params.get('state')
filters = {} filters = {}
find_filters = {}
domain_id = None domain_id = None
r = self.conn.get_role(role) r = self.conn.identity.find_role(role)
if r is None: if r is None:
self.fail_json(msg="Role %s is not valid" % role) self.fail_json(msg="Role %s is not valid" % role)
filters['role'] = r['id'] filters['role'] = r['id']
if domain: if domain:
d = self.conn.get_domain(name_or_id=domain) d = self.conn.identity.find_domain(domain)
if d is None: if d is None:
self.fail_json(msg="Domain %s is not valid" % domain) self.fail_json(msg="Domain %s is not valid" % domain)
filters['domain'] = d['id']
domain_id = d['id'] domain_id = d['id']
find_filters['domain_id'] = domain_id
if user: if user:
if domain: u = self.conn.identity.find_user(user, **find_filters)
u = self.conn.get_user(user, domain_id=filters['domain'])
else:
u = self.conn.get_user(user)
if u is None: if u is None:
self.fail_json(msg="User %s is not valid" % user) self.fail_json(msg="User %s is not valid" % user)
filters['user'] = u['id'] filters['user'] = u['id']
if group: if group:
if domain: g = self.conn.identity.find_group(group, **find_filters)
g = self.conn.get_group(group, domain_id=filters['domain'])
else:
g = self.conn.get_group(group)
if g is None: if g is None:
self.fail_json(msg="Group %s is not valid" % group) self.fail_json(msg="Group %s is not valid" % group)
filters['group'] = g['id'] filters['group'] = g['id']
if project: if project:
if domain: p = self.conn.identity.find_project(project, **find_filters)
p = self.conn.get_project(project, domain_id=filters['domain'])
# OpenStack won't allow us to use both a domain and project as
# filter. Once we identified the project (using the domain as
# a filter criteria), we need to remove the domain itself from
# the filters list.
domain_id = filters.pop('domain')
else:
p = self.conn.get_project(project)
if p is None: if p is None:
self.fail_json(msg="Project %s is not valid" % project) self.fail_json(msg="Project %s is not valid" % project)
filters['project'] = p['id'] filters['project'] = p['id']
@ -179,6 +165,9 @@ class IdentityRoleAssignmentModule(OpenStackModule):
# fail if the system role name is not valid # fail if the system role name is not valid
filters['system'] = system filters['system'] = system
# Keeping the self.conn.list_role_assignments because it calls directly
# the identity.role_assignments and there are some logics for the
# filters that won't worth rewrite here.
assignment = self.conn.list_role_assignments(filters=filters) assignment = self.conn.list_role_assignments(filters=filters)
if self.ansible.check_mode: if self.ansible.check_mode:
@ -186,6 +175,9 @@ class IdentityRoleAssignmentModule(OpenStackModule):
changed = False changed = False
# Both grant_role and revoke_role calls directly the proxy layer, and
# has some logic that won't worth to rewrite here so keeping it is a
# good idea
if state == 'present': if state == 'present':
if not assignment: if not assignment:
kwargs = self._build_kwargs(user, group, project, domain_id, system) kwargs = self._build_kwargs(user, group, project, domain_id, system)
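Review bot: With `filters['domain'] = d['id']` apparently dropped from the `if domain:` branch and the domain id now kept only in `find_filters`, the lookup `self.conn.list_role_assignments(filters=filters)` seems to run with no domain scope when a domain is given and no project is. An assignment of the same role to the same user or group on some other scope would then make `assignment` non-empty, so `state == 'present'` would report no change and skip the domain grant. If that reading of the rendered old/new sides is right, restore the previous scoping after the project block, e.g. `if domain_id is not None and not project: filters['domain'] = domain_id`. The enclosing method starts and ends outside these hunks, so the `absent` branch and `_build_kwargs` were not checked, but the revoke path presumably relies on the same lookup.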