Create swift operator keystone roles

Defining operator_roles in swift-proxy.conf requires
that these roles exist in keystone.

Because Keystone API access is not available on Swift
proxy hosts in most cases, operator_roles keystone
roles have been added to swift::keystone::auth class.

Added basic docs for swift::keystone::auth
Updated ensure_resource from latest PuppetLabs stdlib

Change-Id: I941c75e51898847ad346cdefbaa6ed7737dffc69
Related-Bug: #1251251

deployment/puppet/stdlib/lib/puppet/parser/functions/ensure_resource.rb

@@ -13,23 +13,33 @@ resource.
 
 This example only creates the resource if it does not already exist:
 
-    ensure_resource('user, 'dan', {'ensure' => 'present' })
+    ensure_resource('user', 'dan', {'ensure' => 'present' })
 
 If the resource already exists but does not match the specified parameters,
 this function will attempt to recreate the resource leading to a duplicate
 resource definition error.
 
+An array of resources can also be passed in and each will be created with
+the type and parameters specified if it doesn't already exist.
+
+    ensure_resource('user', ['dan','alex'], {'ensure' => 'present'})
+
 ENDOFDOC
 ) do |vals|
   type, title, params = vals
   raise(ArgumentError, 'Must specify a type') unless type
   raise(ArgumentError, 'Must specify a title') unless title
   params ||= {}
-  Puppet::Parser::Functions.function(:defined_with_params)
-  if function_defined_with_params(["#{type}[#{title}]", params])
-    Puppet.debug("Resource #{type}[#{title}] not created b/c it already exists")
-  else
-    Puppet::Parser::Functions.function(:create_resources)
-    function_create_resources([type.capitalize, { title => params }])
+
+  items = [title].flatten
+
+  items.each do |item|
+    Puppet::Parser::Functions.function(:defined_with_params)
+    if function_defined_with_params(["#{type}[#{item}]", params])
+      Puppet.debug("Resource #{type}[#{item}] not created because it already exists")
+    else
+      Puppet::Parser::Functions.function(:create_resources)
+      function_create_resources([type.capitalize, { item => params }])
+    end
   end
 end

deployment/puppet/swift/manifests/keystone/auth.pp

@@ -1,11 +1,31 @@
+# == Class: swift::keystone::auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for Swift services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'swift'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'swift_password'.
+#
+# [*operator_roles*]
+#  Array of strings. List of roles Swift considers as admin.
+#
 class swift::keystone::auth(
-  $auth_name = 'swift',
-  $password  = 'swift_password',
-  $address = '127.0.0.1',
-  $internal_address   = undef,
-  $admin_address = undef,
-  $public_address = undef,
-  $port      = '8080'
+  $auth_name        = 'swift',
+  $password         = 'swift_password',
+  $address          = '127.0.0.1',
+  $operator_roles   = ['admin', 'SwiftOperator'],
+  $internal_address = undef,
+  $admin_address    = undef,
+  $public_address   = undef,
+  $port             = '8080'
 ) {
   if ($internal_address == undef) {
     $internal_address_real = $address
@@ -62,4 +82,9 @@ class swift::keystone::auth(
     internal_url => "http://${internal_address_real}:${port}",
   }
 
+  if $operator_roles {
+    #Roles like "admin" may be defined elsewhere, so use ensure_resource
+    ensure_resource('keystone_role', $operator_roles, { 'ensure' => 'present'})
+  }
+
 }

deployment/puppet/swift/manifests/proxy/keystone.pp

@@ -6,6 +6,8 @@
 #    access to Swift.
 #    Optional. Dfeaults to ['admin', 'SwiftOperator']
 #    Must be an array of strings
+#    Swift operator roles must be defined in swift::keystone::auth because
+#    keystone API access is usually not available on Swift proxy nodes.
 #  [is_admin] Set to true to allow users to set ACLs on their account.
 #    Optional. Defaults to true.
 #  [cache] the cache backend to use