Merge "Create and grant all keystone roles in service-ks-register"

Zuul 2019-09-24 13:09:19 +00:00 committed by Gerrit Code Review
commit a89380375c
10 changed files with 72 additions and 92 deletions


@ -133,3 +133,9 @@ barbican_ks_users:
user: "{{ barbican_keystone_user }}"
password: "{{ barbican_keystone_password }}"
role: "admin"
barbican_ks_roles:
- "{{ barbican_keymanager_role }}"
- "{{ barbican_creator_role }}"
- "{{ barbican_observer_role }}"
- "{{ barbican_audit_role }}"


@ -5,20 +5,5 @@
service_ks_register_auth: "{{ openstack_barbican_auth }}"
service_ks_register_services: "{{ barbican_ks_services }}"
service_ks_register_users: "{{ barbican_ks_users }}"
service_ks_register_roles: "{{ barbican_ks_roles }}"
tags: always
- name: Creating default barbican roles
become: true
kolla_toolbox:
module_name: os_keystone_role
module_args:
name: "{{ item }}"
auth: "{{ openstack_barbican_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True
with_items:
- "{{ barbican_keymanager_role }}"
- "{{ barbican_creator_role }}"
- "{{ barbican_observer_role }}"
- "{{ barbican_audit_role }}"


@ -140,3 +140,6 @@ cloudkitty_ks_users:
user: "{{ cloudkitty_keystone_user }}"
password: "{{ cloudkitty_keystone_password }}"
role: "admin"
cloudkitty_ks_roles:
- "{{ cloudkitty_openstack_keystone_default_role }}"


@ -5,15 +5,5 @@
service_ks_register_auth: "{{ openstack_cloudkitty_auth }}"
service_ks_register_services: "{{ cloudkitty_ks_services }}"
service_ks_register_users: "{{ cloudkitty_ks_users }}"
service_ks_register_roles: "{{ cloudkitty_ks_roles }}"
tags: always
- name: Creating the rating role
become: true
kolla_toolbox:
module_name: os_keystone_role
module_args:
name: "{{ cloudkitty_openstack_keystone_default_role }}"
auth: "{{ openstack_cloudkitty_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True


@ -161,3 +161,12 @@ heat_ks_users:
user: "{{ heat_keystone_user }}"
password: "{{ heat_keystone_password }}"
role: "admin"
heat_ks_roles:
- "{{ heat_stack_owner_role }}"
- "{{ heat_stack_user_role }}"
heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"
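Review bot: `heat_ks_user_roles` grants a role to the deployment's admin identity (`openstack_auth.username` in `openstack_auth.project_name`), but nothing here says why. The name of the removed task that explained it no longer appears anywhere. A privilege grant expressed as data is easy to overlook in review, so it deserves a comment above the variable, for example `# Grant heat_stack_owner to the admin user in the admin project so that user can manage stacks.` The stated purpose is inferred from the role name and should be confirmed by the author.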


@ -5,40 +5,6 @@
service_ks_register_auth: "{{ openstack_heat_auth }}"
service_ks_register_services: "{{ heat_ks_services }}"
service_ks_register_users: "{{ heat_ks_users }}"
service_ks_register_roles: "{{ heat_ks_roles }}"
service_ks_register_user_roles: "{{ heat_ks_user_roles }}"
tags: always
- name: Creating the heat_stack_user role
become: true
kolla_toolbox:
module_name: os_keystone_role
module_args:
name: "{{ heat_stack_user_role }}"
auth: "{{ openstack_heat_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True
- name: Creating the heat_stack_owner role
become: true
kolla_toolbox:
module_name: os_keystone_role
module_args:
name: "{{ heat_stack_owner_role }}"
auth: "{{ openstack_heat_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True
- name: Add the heat_stack_owner role to the admin project
become: true
kolla_toolbox:
module_name: "os_user_role"
module_args:
project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"
region_name: "{{ openstack_region_name }}"
auth: "{{ openstack_heat_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True


@ -367,3 +367,9 @@ monasca_ks_users:
user: "{{ monasca_agent_user }}"
password: "{{ monasca_agent_password }}"
role: "{{ monasca_agent_authorized_roles | first }}"
monasca_ks_roles:
- "{{ monasca_default_authorized_roles }}"
- "{{ monasca_agent_authorized_roles }}"
- "{{ monasca_read_only_authorized_roles }}"
- "{{ monasca_delegate_authorized_roles }}"
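Review bot: Each entry of `monasca_ks_roles` looks like a list rather than a single role name, so this variable is a list of lists. That is inferred from `monasca_agent_authorized_roles | first` a few lines above, which implies the `*_authorized_roles` variables are lists. It works only while the consuming task iterates with `with_items`, which flattens one level; a later move to `loop` would pass a whole list as one role name. A flat definition avoids that dependency: `monasca_ks_roles: "{{ monasca_default_authorized_roles + monasca_agent_authorized_roles + monasca_read_only_authorized_roles + monasca_delegate_authorized_roles }}"`.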


@ -5,22 +5,5 @@
service_ks_register_auth: "{{ monasca_openstack_auth }}"
service_ks_register_services: "{{ monasca_ks_services }}"
service_ks_register_users: "{{ monasca_ks_users }}"
service_ks_register_roles: "{{ monasca_ks_roles }}"
tags: always
- name: Creating monasca roles
become: true
kolla_toolbox:
module_name: os_keystone_role
module_args:
name: "{{ item }}"
region_name: "{{ openstack_region_name }}"
auth: "{{ monasca_openstack_auth }}"
endpoint_type: "{{ openstack_interface }}"
cacert: "{{ openstack_cacert }}"
run_once: True
with_items:
- "{{ monasca_default_authorized_roles }}"
- "{{ monasca_agent_authorized_roles }}"
- "{{ monasca_read_only_authorized_roles }}"
- "{{ monasca_delegate_authorized_roles }}"


@ -7,11 +7,34 @@ service_ks_register_endpoint_region: "{{ openstack_region_name }}"
service_ks_register_domain: "default"
service_ks_register_delegate_host: "{{ groups['control'][0] }}"
# A list of services to register with Keystone. Each service definition should
# provide a description, service type, and a list of associated endpoints to be
# registered.
# provide the following fields:
# 'name'
# 'description'
# 'type'
# 'endpoints'
# The 'endpoints' field should be a list, with each item having the following
# fields:
# 'url'
# 'interface'
service_ks_register_services: []
# A list of users and associated roles for this service to register with Keystone
# A list of users and associated roles for this service to register with
# Keystone. Each item should provide the following fields:
# 'project'
# 'user'
# 'password'
# 'role'
# The project, user and role will be created if they do not exist, and the user
# will be granted the role in the project.
service_ks_register_users: []
# A list of roles to register with Keystone.
service_ks_register_roles: []
# A list of existing users and associated roles for this service to register
# with Keystone. Each item should provide the following fields:
# 'project'
# 'user'
# 'role'
# The user will be granted the role in the project.
service_ks_register_user_roles: []
# Number of retries for each task.
service_ks_register_retries: 5
# Delay between task retries.
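Review bot: The comment on `service_ks_register_user_roles` says the user will be granted the role, but not that the role has to exist first. Unlike `service_ks_register_users`, the role-creation loop in the tasks file does not draw on this list: it takes only the roles of `service_ks_register_users` plus `service_ks_register_roles`. A role named only here would not be created, and the grant would presumably fail after the retries. Suggest adding `# The role must already exist or be listed in service_ks_register_roles.` to that comment. The `service_ks_register_roles` comment could also state that each item is a role name.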


@ -1,5 +1,5 @@
---
- name: Creating the {{ project_name }} service
- name: "{{ project_name }} | Creating services"
become: true
kolla_toolbox:
module_name: "os_keystone_service"
@ -14,12 +14,16 @@
run_once: True
loop: "{{ service_ks_register_services }}"
delegate_to: "{{ service_ks_register_delegate_host }}"
loop_control:
label:
name: "{{ item.name }}"
service_type: "{{ item.type }}"
register: service_ks_register_result
until: service_ks_register_result is success
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: Creating the {{ project_name }} endpoints
- name: "{{ project_name }} | Creating endpoints"
become: true
kolla_toolbox:
module_name: "os_keystone_endpoint"
@ -37,12 +41,17 @@
- "{{ service_ks_register_services }}"
- endpoints
delegate_to: "{{ service_ks_register_delegate_host }}"
loop_control:
label:
service: "{{ item.0.name }}"
url: "{{ item.1.url }}"
interface: "{{ item.1.interface }}"
register: service_ks_register_result
until: service_ks_register_result is success
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: Creating the {{ project_name }} service project
- name: "{{ project_name }} | Creating projects"
become: true
kolla_toolbox:
module_name: "os_project"
@ -61,7 +70,7 @@
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: Creating the {{ project_name }} service users
- name: "{{ project_name }} | Creating users"
become: true
kolla_toolbox:
module_name: "os_user"
@ -86,7 +95,7 @@
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: Creating the {{ project_name }} service roles
- name: "{{ project_name }} | Creating roles"
become: true
kolla_toolbox:
module_name: "os_keystone_role"
@ -97,14 +106,14 @@
interface: "{{ service_ks_register_interface }}"
cacert: "{{ service_ks_cacert }}"
run_once: True
with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list }}"
with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list + service_ks_register_roles }}"
delegate_to: "{{ service_ks_register_delegate_host }}"
register: service_ks_register_result
until: service_ks_register_result is success
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: Granting the {{ project_name }} service user roles
- name: "{{ project_name }} | Granting user roles"
become: true
kolla_toolbox:
module_name: "os_user_role"
@ -118,7 +127,7 @@
interface: "{{ service_ks_register_interface }}"
cacert: "{{ service_ks_cacert }}"
run_once: True
with_items: "{{ service_ks_register_users }}"
with_items: "{{ service_ks_register_users + service_ks_register_user_roles }}"
delegate_to: "{{ service_ks_register_delegate_host }}"
loop_control:
label:
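Review bot: In the `Creating roles` loop, `unique` covers only the roles taken from `service_ks_register_users`, because Jinja2 filters bind tighter than `+`. Names in `service_ks_register_roles` that repeat one of those, or each other, are sent to Keystone again with the full retry budget. The expression also relies on `with_items` flattening any nested lists a caller passes in. Consider `with_items: "{{ (service_ks_register_users | map(attribute='role') | list + service_ks_register_roles) | flatten | unique }}"`. The task bodies start and end outside these hunks, so this rests on the visible lines only.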