Provide admin user ID and project ID

For keystone v3 deployments, provide the admin user and project ID over identity-service relations. This may be used by consuming services to build trust between the service account and the cloud admin account. Change-Id: I6166793a497a283e743210d067eb44c14071e61e
2020-03-05 15:40:04 +00:00 · 2020-03-05 15:40:04 +00:00 · dc2f5e5259
commit dc2f5e5259
parent f984c4ec9b
2 changed files with 21 additions and 0 deletions
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
@ -1812,6 +1812,18 @@ def add_service_to_keystone(relation_id=None, remote_unit=None):
    service_tenant_id = manager.resolve_tenant_id(service_tenant,
                                                  domain=service_domain)

+    admin_project_id = None
+    admin_user_id = None
+    if get_api_version() > 2:
+        # NOTE(jamespage):
+        # Resolve cloud admin project and user ID's
+        # which may be used for trusts in consuming
+        # services - but don't pass the password
+        admin_project_id = manager.resolve_tenant_id(ADMIN_PROJECT,
+                                                     domain=ADMIN_DOMAIN)
+        admin_user_id = manager.resolve_user_id(config('admin-user'),
+                                                user_domain=ADMIN_DOMAIN)
+
    # NOTE(dosaboy): we use __null__ to represent settings that are to be
    # routed to relations via the cluster relation and set to None.
    relation_data = {
@ -1834,6 +1846,8 @@ def add_service_to_keystone(relation_id=None, remote_unit=None):
        "service_protocol": protocol,
        "api_version": get_api_version(),
        "admin_domain_id": leader_get(attribute='admin_domain_id'),
+        "admin_project_id": admin_project_id,
+        "admin_user_id": admin_user_id,
    }

    peer_store_and_set(relation_id=relation_id, **relation_data)
--- a/unit_tests/test_keystone_utils.py
+++ b/unit_tests/test_keystone_utils.py
@ -389,13 +389,18 @@ class TestKeystoneUtils(CharmTestCase):
        service_domain = None
        service_domain_id = None
        service_role = 'Admin'
+        admin_project_id = None
+        admin_user_id = None
        if test_api_version > 2:
            service_domain = 'service_domain'
            service_domain_id = '1234567890'
+            admin_user_id = 'foobar-user'
+            admin_project_id = 'tenant_id'

        mock_keystone = MagicMock()
        mock_keystone.resolve_tenant_id.return_value = 'tenant_id'
        mock_keystone.resolve_domain_id.return_value = service_domain_id
+        mock_keystone.resolve_user_id.return_value = admin_user_id
        KeystoneManager.return_value = mock_keystone

        self.relation_get.return_value = {'service': 'keystone',
@ -427,6 +432,8 @@ class TestKeystoneUtils(CharmTestCase):
                                            domain=service_domain)

        relation_data = {'admin_domain_id': None,
+                         'admin_user_id': admin_user_id,
+                         'admin_project_id': admin_project_id,
                         'auth_host': '10.0.0.3',
                         'service_host': '10.0.0.3', 'admin_token': 'token',
                         'service_port': 81, 'auth_port': 80,