Merge "Purge old openstack admin access user if changed"

2016-06-16 17:32:03 +00:00 · 2016-06-16 17:32:03 +00:00 · 91a3612147
commit 91a3612147
parent dd4d8fd7fb 0a36a3bb8c
6 changed files with 85 additions and 0 deletions
--- a/deployment/puppet/openstack_tasks/examples/keystone/purge_old_admin.pp
+++ b/deployment/puppet/openstack_tasks/examples/keystone/purge_old_admin.pp
@ -0,0 +1 @@
+class { '::openstack_tasks::keystone::purge_old_admin' :}
--- a/deployment/puppet/openstack_tasks/examples/keystone/tasks.yaml
+++ b/deployment/puppet/openstack_tasks/examples/keystone/tasks.yaml
@ -104,3 +104,49 @@
    puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/workloads_collector_add.pp
    puppet_modules: /etc/puppet/modules
    timeout: 1800
+
+- id: generate_changed_admin_user
+  version: 2.1.0
+  type: upload_file
+  role: master
+  condition:
+    yaql_exp: &changed_username >
+      changed($.access.user)
+  requires: [upload_configuration]
+  required_for: [pre_deployment_end]
+  parameters:
+    path: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
+    data:
+      yaql_exp: '{"old_access" => old($).get("access", {})}.toYaml()'
+
+- id: copy_changed_admin_user
+  type: copy_files
+  version: 2.1.0
+  role: ['/.*/']
+  condition:
+    yaql_exp: *changed_username
+  required_for: [pre_deployment_end]
+  requires: [generate_changed_admin_user]
+  cross-depends:
+      - name: generate_changed_admin_user
+        role: master
+  parameters:
+    files:
+      - src: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
+        dst: /etc/hiera/old_admin_user.yaml
+    permissions: '0600'
+    dir_permissions: '0700'
+
+- id: delete_old_admin_user
+  version: 2.1.0
+  type: puppet
+  role: [primary-controller]
+  condition:
+    yaql_exp: *changed_username
+  requires: [post_deployment_start, primary-keystone]
+  required_for: [post_deployment_end]
+  parameters:
+    puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/purge_old_admin.pp
+    puppet_modules: /etc/puppet/modules
+    timeout: 180
+    cwd: /
--- a/deployment/puppet/openstack_tasks/manifests/keystone/purge_old_admin.pp
+++ b/deployment/puppet/openstack_tasks/manifests/keystone/purge_old_admin.pp
@ -0,0 +1,17 @@
+class openstack_tasks::keystone::purge_old_admin {
+
+  notice('MODULAR: keystone/purge_old_admin.pp')
+
+  $old_access_hash = hiera_hash('old_access', {})
+  $access_hash     = hiera_hash('access', {})
+
+  if !empty($old_access_hash) {
+    $old_admin_user = $old_access_hash['user']
+
+    if $old_admin_user != $access_hash['user'] {
+      keystone_user { $old_admin_user:
+        ensure   => absent,
+      }
+    }
+  }
+}
--- a/deployment/puppet/osnailyfacter/manifests/hiera/hiera.pp
+++ b/deployment/puppet/osnailyfacter/manifests/hiera/hiera.pp
@ -21,6 +21,7 @@ class osnailyfacter::hiera::hiera {
    'module/%{calling_module}%{disable_globals_yaml}',
    'deleted_nodes%{disable_globals_yaml}',
    'nodes%{disable_globals_yaml}',
+    'old_admin_user%{disable_globals_yaml}',
    'globals%{disable_globals_yaml}',
    'astute',
  ]
--- a/deployment/puppet/osnailyfacter/modular/keystone/purge_old_admin.pp
+++ b/deployment/puppet/osnailyfacter/modular/keystone/purge_old_admin.pp
@ -0,0 +1 @@
+class { '::openstack_tasks::keystone::purge_old_admin' :}
--- a/tests/noop/spec/hosts/keystone/purge_old_admin_spec.rb
+++ b/tests/noop/spec/hosts/keystone/purge_old_admin_spec.rb
@ -0,0 +1,19 @@
+# ROLE: primary-controller
+
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'keystone/purge_old_admin.pp'
+
+describe manifest do
+  shared_examples 'catalog' do
+
+    access_hash = Noop.hiera('old_access', {})
+
+    if !access_hash.empty?
+      it 'should purge old admin user' do
+        is_expected.to contain_keystone_user(access_hash['user']).with_ensure('absent')
+      end
+    end
+  end
+  test_ubuntu_and_centos manifest
+end
				`@ -0,0 +1 @@`
				`class { '::openstack_tasks::keystone::purge_old_admin' :}`