Use default user group consistently

Default user group should be set much earlier in deployment
and should be used consistently across all projects.

Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
Closes-Bug: #1650501
Vladislav Belogrudov 2016-12-16 13:20:47 +03:00
parent 627719e66c
commit 25fcdfb986
8 changed files with 17 additions and 24 deletions


@ -359,6 +359,7 @@ keystone_public_url: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ keyst
keystone_token_provider: "uuid"
fernet_token_expiry: 86400
keystone_default_user_role: "_member_"
#######################
# Glance options
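Review bot: The new `keystone_default_user_role` global has no comment, although elsewhere in this commit it decides which role the keystone bootstrap creates, which role Horizon assigns by default, and which role Ceph RGW and Swift accept for object-storage access. An operator who changes the value here gets no hint of that reach. A short comment above the line would help, for example `# Role created at keystone bootstrap; also Horizon's default role and an accepted role for RGW and Swift`.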


@ -40,7 +40,7 @@ rgw_keystone_admin_password = {{ openstack_auth.password }}
rgw_keystone_admin_project = {{ openstack_auth.project_name }}
rgw_keystone_admin_domain = default
rgw_keystone_api_version = 3
rgw_keystone_accepted_roles = admin, _member_
rgw_keystone_accepted_roles = admin, {{ keystone_default_user_role }}
{% endif %}
keyring = /etc/ceph/ceph.client.radosgw.keyring
log file = /var/log/kolla/ceph/client.radosgw.gateway.log


@ -22,9 +22,3 @@ horizon_image_full: "{{ horizon_image }}:{{ horizon_tag }}"
openstack_horizon_auth: "{'auth_url':'{{ openstack_auth.auth_url }}','username':'{{ openstack_auth.username }}','password':'{{ openstack_auth.password }}','project_name':'{{ openstack_auth.project_name }}'}"
horizon_logging_debug: "{{ openstack_logging_debug }}"
####################
# Horizon
####################
horizon_openstack_keystone_default_role: "_member_"


@ -1,8 +1,6 @@
---
- include: config.yml
- include: register.yml
- include: bootstrap.yml
when: horizon_backend_database | bool


@ -1,13 +0,0 @@
---
- name: Creating the _member_ role
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m os_keystone_role
-a "name={{ horizon_openstack_keystone_default_role }}
auth={{ '{{ openstack_horizon_auth }}' }}"
-e "{'openstack_horizon_auth':{{ openstack_horizon_auth }}}"
register: horizon_role
changed_when: "{{ horizon_role.stdout.find('localhost | SUCCESS => ') != -1 and (horizon_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: horizon_role.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True


@ -193,7 +193,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ keystone_default_user_role }}"
# Enables keystone web single-sign-on if set to True.
#WEBSSO_ENABLED = False
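Review bot: Deployments that already override `horizon_openstack_keystone_default_role` are not handled. `OPENSTACK_KEYSTONE_DEFAULT_ROLE` now reads only `keystone_default_user_role`, and the old variable is dropped from the horizon defaults in the same commit. An existing override is therefore ignored without any warning, and Horizon would start assigning `_member_` instead of the role the operator chose. A release note naming the rename would cover it, or a transitional default in the globals file such as `keystone_default_user_role: "{{ horizon_openstack_keystone_default_role | default('_member_') }}"`.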


@ -5,3 +5,16 @@
changed_when: "{{ (keystone_bootstrap.stdout | from_json).changed }}"
failed_when: "{{ (keystone_bootstrap.stdout | from_json).failed }}"
run_once: True
- name: Creating default user role
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m os_keystone_role
-a "name={{ keystone_default_user_role }}
auth={{ '{{ openstack_keystone_auth }}' }}"
-e "{'openstack_keystone_auth':{{ openstack_keystone_auth }}}"
register: default_role
changed_when: "{{ default_role.stdout.find('localhost | SUCCESS => ') != -1 and (default_role.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: default_role.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True
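Review bot: The added task puts the whole `openstack_keystone_auth` dict on the `docker exec` command line through `-e` and sets no `no_log`. If that dict carries the admin password, as `openstack_horizon_auth` in the horizon defaults does, the password is readable in the host's process list while the task runs, and in Ansible output on failure or at higher verbosity. This mirrors the horizon task being removed, but the move is a good moment to add `no_log: True`, at the cost of terser failure output. Separately, `until: default_role.stdout.split()[2] == 'SUCCESS'` assumes at least three tokens of stdout, so an empty result from a failed `docker exec` would probably end in a template error rather than a retry. `until: "'localhost | SUCCESS => ' in default_role.stdout"` would match the test already used in `changed_when`.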


@ -46,7 +46,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin,user
operator_roles = admin,{{ keystone_default_user_role }}
[filter:container_sync]
use = egg:swift#container_sync
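Review bot: The replaced `operator_roles` line changes who Swift treats as an account operator, not only where the role name comes from. It was `admin,user`, and with the default `keystone_default_user_role: "_member_"` it renders as `admin,_member_`. On upgrade, users holding only `user` would lose container and ACL management, while every project member holding `_member_` would gain it. If that is intended, it deserves a release note and a comment above the line, for example `# Roles with operator access to the project's Swift account; follows keystone_default_user_role`.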