Merge "Purge old openstack admin access user if changed" into stable/mitaka
This commit is contained in:
commit
2bf98ebfcd
|
@ -0,0 +1 @@
|
||||||
|
class { '::openstack_tasks::keystone::purge_old_admin' :}
|
|
@ -104,3 +104,49 @@
|
||||||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/workloads_collector_add.pp
|
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/workloads_collector_add.pp
|
||||||
puppet_modules: /etc/puppet/modules
|
puppet_modules: /etc/puppet/modules
|
||||||
timeout: 1800
|
timeout: 1800
|
||||||
|
|
||||||
|
- id: generate_changed_admin_user
|
||||||
|
version: 2.1.0
|
||||||
|
type: upload_file
|
||||||
|
role: master
|
||||||
|
condition:
|
||||||
|
yaql_exp: &changed_username >
|
||||||
|
changed($.access.user)
|
||||||
|
requires: [upload_configuration]
|
||||||
|
required_for: [pre_deployment_end]
|
||||||
|
parameters:
|
||||||
|
path: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
|
||||||
|
data:
|
||||||
|
yaql_exp: '{"old_access" => old($).get("access", {})}.toYaml()'
|
||||||
|
|
||||||
|
- id: copy_changed_admin_user
|
||||||
|
type: copy_files
|
||||||
|
version: 2.1.0
|
||||||
|
role: ['/.*/']
|
||||||
|
condition:
|
||||||
|
yaql_exp: *changed_username
|
||||||
|
required_for: [pre_deployment_end]
|
||||||
|
requires: [generate_changed_admin_user]
|
||||||
|
cross-depends:
|
||||||
|
- name: generate_changed_admin_user
|
||||||
|
role: master
|
||||||
|
parameters:
|
||||||
|
files:
|
||||||
|
- src: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
|
||||||
|
dst: /etc/hiera/old_admin_user.yaml
|
||||||
|
permissions: '0600'
|
||||||
|
dir_permissions: '0700'
|
||||||
|
|
||||||
|
- id: delete_old_admin_user
|
||||||
|
version: 2.1.0
|
||||||
|
type: puppet
|
||||||
|
role: [primary-controller]
|
||||||
|
condition:
|
||||||
|
yaql_exp: *changed_username
|
||||||
|
requires: [post_deployment_start, primary-keystone]
|
||||||
|
required_for: [post_deployment_end]
|
||||||
|
parameters:
|
||||||
|
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/purge_old_admin.pp
|
||||||
|
puppet_modules: /etc/puppet/modules
|
||||||
|
timeout: 180
|
||||||
|
cwd: /
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
class openstack_tasks::keystone::purge_old_admin {
|
||||||
|
|
||||||
|
notice('MODULAR: keystone/purge_old_admin.pp')
|
||||||
|
|
||||||
|
$old_access_hash = hiera_hash('old_access', {})
|
||||||
|
$access_hash = hiera_hash('access', {})
|
||||||
|
|
||||||
|
if !empty($old_access_hash) {
|
||||||
|
$old_admin_user = $old_access_hash['user']
|
||||||
|
|
||||||
|
if $old_admin_user != $access_hash['user'] {
|
||||||
|
keystone_user { $old_admin_user:
|
||||||
|
ensure => absent,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -21,6 +21,7 @@ class osnailyfacter::hiera::hiera {
|
||||||
'module/%{calling_module}%{disable_globals_yaml}',
|
'module/%{calling_module}%{disable_globals_yaml}',
|
||||||
'deleted_nodes%{disable_globals_yaml}',
|
'deleted_nodes%{disable_globals_yaml}',
|
||||||
'nodes%{disable_globals_yaml}',
|
'nodes%{disable_globals_yaml}',
|
||||||
|
'old_admin_user%{disable_globals_yaml}',
|
||||||
'globals%{disable_globals_yaml}',
|
'globals%{disable_globals_yaml}',
|
||||||
'astute',
|
'astute',
|
||||||
]
|
]
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
class { '::openstack_tasks::keystone::purge_old_admin' :}
|
|
@ -0,0 +1,19 @@
|
||||||
|
# ROLE: primary-controller
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
require 'shared-examples'
|
||||||
|
manifest = 'keystone/purge_old_admin.pp'
|
||||||
|
|
||||||
|
describe manifest do
|
||||||
|
shared_examples 'catalog' do
|
||||||
|
|
||||||
|
access_hash = Noop.hiera('old_access', {})
|
||||||
|
|
||||||
|
if !access_hash.empty?
|
||||||
|
it 'should purge old admin user' do
|
||||||
|
is_expected.to contain_keystone_user(access_hash['user']).with_ensure('absent')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
test_ubuntu_and_centos manifest
|
||||||
|
end
|
Loading…
Reference in New Issue