Backport improvements to role_assignment

- Refactor module Change-Id: I09258e18d50acb57501ea1b47d9422dad857607e (cherry picked from commit 8d5195fdf2)
2022-05-30 11:46:14 +02:00 · 2022-05-30 11:46:14 +02:00 · b8c2310963
parent 915a78d7af
commit b8c2310963
3 changed files with 64 additions and 22 deletions
--- a/ci/roles/role_assignment/tasks/main.yml
+++ b/ci/roles/role_assignment/tasks/main.yml
@ -0,0 +1,47 @@
+---
+- name: Create project
+  openstack.cloud.project:
+     cloud: "{{ cloud }}"
+     state: present
+     name: ansible_project
+     description: dummy description
+     domain_id: default
+     enabled: True
+  register: project
+
+- name: Grant an admin role on the user admin in the project ansible_project
+  openstack.cloud.role_assignment:
+    cloud: "{{ cloud }}"
+    domain: default
+    project: ansible_project
+    role: admin
+    user: admin
+
+- name: Grant an admin role on the user admin in the project ansible_project again
+  openstack.cloud.role_assignment:
+    cloud: "{{ cloud }}"
+    domain: default
+    project: ansible_project
+    role: admin
+    user: admin
+  register: grant_again
+
+- name: Ensure grant again doesn't change anything
+  assert:
+    that:
+      - not grant_again.changed
+
+- name: Revoke the admin role on the user admin in the project ansible_project
+  openstack.cloud.role_assignment:
+    cloud: "{{ cloud }}"
+    domain: default
+    project: ansible_project
+    role: admin
+    state: absent
+    user: admin
+
+- name: Delete project
+  openstack.cloud.project:
+     cloud: "{{ cloud }}"
+     state: absent
+     name: ansible_project
--- a/ci/run-collection.yml
+++ b/ci/run-collection.yml
@ -51,6 +51,7 @@
    - { role: port, tags: port }
    - { role: project, tags: project }
    - { role: recordset, tags: recordset }
+    - { role: role_assignment, tags: role_assignment }
    - { role: router, tags: router }
    - { role: security_group, tags: security_group }
    - { role: server, tags: server }
--- a/plugins/modules/role_assignment.py
+++ b/plugins/modules/role_assignment.py
@ -120,51 +120,42 @@ class IdentityRoleAssignmentModule(OpenStackModule):
        state = self.params.get('state')

        filters = {}
+        find_filters = {}
        domain_id = None

-        r = self.conn.get_role(role)
+        r = self.conn.identity.find_role(role)
        if r is None:
            self.fail_json(msg="Role %s is not valid" % role)
        filters['role'] = r['id']

        if domain:
-            d = self.conn.get_domain(name_or_id=domain)
+            d = self.conn.identity.find_domain(domain)
            if d is None:
                self.fail_json(msg="Domain %s is not valid" % domain)
-            filters['domain'] = d['id']
            domain_id = d['id']
+            find_filters['domain_id'] = domain_id
        if user:
-            if domain:
-                u = self.conn.get_user(user, domain_id=filters['domain'])
-            else:
-                u = self.conn.get_user(user)
-
+            u = self.conn.identity.find_user(user, **find_filters)
            if u is None:
                self.fail_json(msg="User %s is not valid" % user)
            filters['user'] = u['id']
+
        if group:
-            if domain:
-                g = self.conn.get_group(group, domain_id=filters['domain'])
-            else:
-                g = self.conn.get_group(group)
+            # self.conn.identity.find_group() does not accept
+            # a domain_id argument in Train's openstacksdk
+            g = self.conn.get_group(group, **find_filters)
            if g is None:
                self.fail_json(msg="Group %s is not valid" % group)
            filters['group'] = g['id']
        if project:
-            if domain:
-                p = self.conn.get_project(project, domain_id=filters['domain'])
-                # OpenStack won't allow us to use both a domain and project as
-                # filter. Once we identified the project (using the domain as
-                # a filter criteria), we need to remove the domain itself from
-                # the filters list.
-                domain_id = filters.pop('domain')
-            else:
-                p = self.conn.get_project(project)
-
+            p = self.conn.identity.find_project(project, **find_filters)
            if p is None:
                self.fail_json(msg="Project %s is not valid" % project)
            filters['project'] = p['id']

+        # Keeping the self.conn.list_role_assignments because it calls directly
+        # the identity.role_assignments and there are some logics for the
+        # filters that won't worth rewrite here.
        assignment = self.conn.list_role_assignments(filters=filters)

        if self.ansible.check_mode:
@ -172,6 +163,9 @@ class IdentityRoleAssignmentModule(OpenStackModule):

        changed = False

+        # Both grant_role and revoke_role calls directly the proxy layer, and
+        # has some logic that won't worth to rewrite here so keeping it is a
+        # good idea
        if state == 'present':
            if not assignment:
                kwargs = self._build_kwargs(user, group, project, domain_id)