From 741f6d9be950d1107814426e3625c106ede61b86 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 20 Sep 2019 15:20:19 +0100
Subject: [PATCH] Create and grant all keystone roles in service-ks-register

This ensures we execute the keystone os_* modules in one place. Also rework some of the task names and loop item display.

Change-Id: I6764a71e8147410e7b24b0b73d0f92264f45240c
---
 ansible/roles/barbican/defaults/main.yml | 6 +++
 ansible/roles/barbican/tasks/register.yml | 17 +-------
 ansible/roles/cloudkitty/defaults/main.yml | 3 ++
 ansible/roles/cloudkitty/tasks/register.yml | 12 +----
 ansible/roles/heat/defaults/main.yml | 9 +++++
 ansible/roles/heat/tasks/register.yml | 38 +------------------
 ansible/roles/monasca/defaults/main.yml | 6 +++
 ansible/roles/monasca/tasks/register.yml | 19 +--------
 .../service-ks-register/defaults/main.yml | 29 ++++++++++++--
 .../roles/service-ks-register/tasks/main.yml | 25 ++++++++----
 10 files changed, 72 insertions(+), 92 deletions(-)

diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index c7349fb95c..37686cbc37 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -133,3 +133,9 @@ barbican_ks_users:
     user: "{{ barbican_keystone_user }}"
     password: "{{ barbican_keystone_password }}"
     role: "admin"
+
+barbican_ks_roles:
+  - "{{ barbican_keymanager_role }}"
+  - "{{ barbican_creator_role }}"
+  - "{{ barbican_observer_role }}"
+  - "{{ barbican_audit_role }}"
diff --git a/ansible/roles/barbican/tasks/register.yml b/ansible/roles/barbican/tasks/register.yml
index 84cc5d7911..0ceb37f914 100644
--- a/ansible/roles/barbican/tasks/register.yml
+++ b/ansible/roles/barbican/tasks/register.yml
@@ -5,20 +5,5 @@
     service_ks_register_auth: "{{ openstack_barbican_auth }}"
     service_ks_register_services: "{{ barbican_ks_services }}"
     service_ks_register_users: "{{ barbican_ks_users }}"
+    service_ks_register_roles: "{{ barbican_ks_roles }}"
   tags: always
-
-- name: Creating default barbican roles
-  become: true
-  kolla_toolbox:
-    module_name: os_keystone_role
-    module_args:
-      name: "{{ item }}"
-      auth: "{{ openstack_barbican_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
-  with_items:
-    - "{{ barbican_keymanager_role }}"
-    - "{{ barbican_creator_role }}"
-    - "{{ barbican_observer_role }}"
-    - "{{ barbican_audit_role }}"
diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
index 440a40a48c..0f6ccce09d 100644
--- a/ansible/roles/cloudkitty/defaults/main.yml
+++ b/ansible/roles/cloudkitty/defaults/main.yml
@@ -140,3 +140,6 @@ cloudkitty_ks_users:
     user: "{{ cloudkitty_keystone_user }}"
     password: "{{ cloudkitty_keystone_password }}"
     role: "admin"
+
+cloudkitty_ks_roles:
+  - "{{ cloudkitty_openstack_keystone_default_role }}"
diff --git a/ansible/roles/cloudkitty/tasks/register.yml b/ansible/roles/cloudkitty/tasks/register.yml
index 639c48cfea..fa45947e2f 100644
--- a/ansible/roles/cloudkitty/tasks/register.yml
+++ b/ansible/roles/cloudkitty/tasks/register.yml
@@ -5,15 +5,5 @@
     service_ks_register_auth: "{{ openstack_cloudkitty_auth }}"
     service_ks_register_services: "{{ cloudkitty_ks_services }}"
     service_ks_register_users: "{{ cloudkitty_ks_users }}"
+    service_ks_register_roles: "{{ cloudkitty_ks_roles }}"
   tags: always
-
-- name: Creating the rating role
-  become: true
-  kolla_toolbox:
-    module_name: os_keystone_role
-    module_args:
-      name: "{{ cloudkitty_openstack_keystone_default_role }}"
-      auth: "{{ openstack_cloudkitty_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index 93d4884921..aaee97bce6 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -161,3 +161,12 @@ heat_ks_users:
     user: "{{ heat_keystone_user }}"
     password: "{{ heat_keystone_password }}"
     role: "admin"
+
+heat_ks_roles:
+  - "{{ heat_stack_owner_role }}"
+  - "{{ heat_stack_user_role }}"
+
+heat_ks_user_roles:
+  - project: "{{ openstack_auth.project_name }}"
+    user: "{{ openstack_auth.username }}"
+    role: "{{ heat_stack_owner_role }}"
diff --git a/ansible/roles/heat/tasks/register.yml b/ansible/roles/heat/tasks/register.yml
index abb38cc6b2..aea43c7add 100644
--- a/ansible/roles/heat/tasks/register.yml
+++ b/ansible/roles/heat/tasks/register.yml
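Review bot: The new `heat_ks_user_roles` entry at the end of the hunk carries no comment, so the intent that the replaced task stated in its name ("Add the heat_stack_owner role to the admin project", removed from heat/tasks/register.yml in this commit) now survives only in the variable names. A one-line comment above it keeps that visible to anyone editing the defaults, e.g. `# Grant heat_stack_owner to the admin user and project taken from openstack_auth.`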
@@ -5,40 +5,6 @@
     service_ks_register_auth: "{{ openstack_heat_auth }}"
     service_ks_register_services: "{{ heat_ks_services }}"
     service_ks_register_users: "{{ heat_ks_users }}"
+    service_ks_register_roles: "{{ heat_ks_roles }}"
+    service_ks_register_user_roles: "{{ heat_ks_user_roles }}"
   tags: always
-
-- name: Creating the heat_stack_user role
-  become: true
-  kolla_toolbox:
-    module_name: os_keystone_role
-    module_args:
-      name: "{{ heat_stack_user_role }}"
-      auth: "{{ openstack_heat_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
-
-- name: Creating the heat_stack_owner role
-  become: true
-  kolla_toolbox:
-    module_name: os_keystone_role
-    module_args:
-      name: "{{ heat_stack_owner_role }}"
-      auth: "{{ openstack_heat_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
-
-- name: Add the heat_stack_owner role to the admin project
-  become: true
-  kolla_toolbox:
-    module_name: "os_user_role"
-    module_args:
-      project: "{{ openstack_auth.project_name }}"
-      user: "{{ openstack_auth.username }}"
-      role: "{{ heat_stack_owner_role }}"
-      region_name: "{{ openstack_region_name }}"
-      auth: "{{ openstack_heat_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
diff --git a/ansible/roles/monasca/defaults/main.yml b/ansible/roles/monasca/defaults/main.yml
index 2fafe8dbed..ccd2294018 100644
--- a/ansible/roles/monasca/defaults/main.yml
+++ b/ansible/roles/monasca/defaults/main.yml
@@ -367,3 +367,9 @@ monasca_ks_users:
     user: "{{ monasca_agent_user }}"
     password: "{{ monasca_agent_password }}"
     role: "{{ monasca_agent_authorized_roles | first }}"
+
+monasca_ks_roles:
+  - "{{ monasca_default_authorized_roles }}"
+  - "{{ monasca_agent_authorized_roles }}"
+  - "{{ monasca_read_only_authorized_roles }}"
+  - "{{ monasca_delegate_authorized_roles }}"
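Review bot: `monasca_ks_roles`, added at the end of the second hunk, is a list of lists rather than a list of role names: the context line `role: "{{ monasca_agent_authorized_roles | first }}"` shows these variables are sequences, while barbican, cloudkitty and heat put plain names in their `*_ks_roles`. It only works because the `with_items` that consumes `service_ks_register_roles` flattens one level, an implicit contract that nobody reading the defaults can see. Building a flat list here makes it explicit, assuming the other three variables are lists as their names suggest: `monasca_ks_roles: "{{ monasca_default_authorized_roles + monasca_agent_authorized_roles + monasca_read_only_authorized_roles + monasca_delegate_authorized_roles }}"`.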
diff --git a/ansible/roles/monasca/tasks/register.yml b/ansible/roles/monasca/tasks/register.yml
index 538f5ca26e..afab0c7699 100644
--- a/ansible/roles/monasca/tasks/register.yml
+++ b/ansible/roles/monasca/tasks/register.yml
@@ -5,22 +5,5 @@
     service_ks_register_auth: "{{ monasca_openstack_auth }}"
     service_ks_register_services: "{{ monasca_ks_services }}"
     service_ks_register_users: "{{ monasca_ks_users }}"
+    service_ks_register_roles: "{{ monasca_ks_roles }}"
   tags: always
-
-
-- name: Creating monasca roles
-  become: true
-  kolla_toolbox:
-    module_name: os_keystone_role
-    module_args:
-      name: "{{ item }}"
-      region_name: "{{ openstack_region_name }}"
-      auth: "{{ monasca_openstack_auth }}"
-      endpoint_type: "{{ openstack_interface }}"
-      cacert: "{{ openstack_cacert }}"
-  run_once: True
-  with_items:
-    - "{{ monasca_default_authorized_roles }}"
-    - "{{ monasca_agent_authorized_roles }}"
-    - "{{ monasca_read_only_authorized_roles }}"
-    - "{{ monasca_delegate_authorized_roles }}"
diff --git a/ansible/roles/service-ks-register/defaults/main.yml b/ansible/roles/service-ks-register/defaults/main.yml
index 8c27c12cd9..583774811d 100644
--- a/ansible/roles/service-ks-register/defaults/main.yml
+++ b/ansible/roles/service-ks-register/defaults/main.yml
@@ -7,11 +7,34 @@ service_ks_register_endpoint_region: "{{ openstack_region_name }}"
 service_ks_register_domain: "default"
 service_ks_register_delegate_host: "{{ groups['control'][0] }}"
 # A list of services to register with Keystone. Each service definition should
-# provide a description, service type, and a list of associated endpoints to be
-# registered.
+# provide the following fields:
+# 'name'
+# 'description'
+# 'type'
+# 'endpoints'
+# The 'endpoints' field should be a list, with each item having the following
+# fields:
+# 'url'
+# 'interface'
 service_ks_register_services: []
-# A list of users and associated roles for this service to register with Keystone
+# A list of users and associated roles for this service to register with
+# Keystone. Each item should provide the following fields:
+# 'project'
+# 'user'
+# 'password'
+# 'role'
+# The project, user and role will be created if they do not exist, and the user
+# will be granted the role in the project.
 service_ks_register_users: []
+# A list of roles to register with Keystone.
+service_ks_register_roles: []
+# A list of existing users and associated roles for this service to register
+# with Keystone. Each item should provide the following fields:
+# 'project'
+# 'user'
+# 'role'
+# The user will be granted the role in the project.
+service_ks_register_user_roles: []
 # Number of retries for each task.
 service_ks_register_retries: 5
 # Delay between task retries.
diff --git a/ansible/roles/service-ks-register/tasks/main.yml b/ansible/roles/service-ks-register/tasks/main.yml
index edba77d0ca..de5b9ea533 100644
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: Creating the {{ project_name }} service
+- name: "{{ project_name }} | Creating services"
   become: true
   kolla_toolbox:
     module_name: "os_keystone_service"
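Review bot: The comment above `service_ks_register_roles` in the first hunk is thinner than the ones beside it: it does not say the roles are created when absent, nor that a name already given as a user's `role` in `service_ks_register_users` is created by the same task in tasks/main.yml and need not be repeated here. Suggest replacing the single line with `# A list of role names to create in Keystone if they do not exist. Roles already` / `# named under service_ks_register_users are created regardless and need not be listed.`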
@@ -14,12 +14,16 @@
   run_once: True
   loop: "{{ service_ks_register_services }}"
   delegate_to: "{{ service_ks_register_delegate_host }}"
+  loop_control:
+    label:
+      name: "{{ item.name }}"
+      service_type: "{{ item.type }}"
   register: service_ks_register_result
   until: service_ks_register_result is success
   retries: "{{ service_ks_register_retries }}"
   delay: "{{ service_ks_register_delay }}"
 
-- name: Creating the {{ project_name }} endpoints
+- name: "{{ project_name }} | Creating endpoints"
   become: true
   kolla_toolbox:
     module_name: "os_keystone_endpoint"
@@ -37,12 +41,17 @@
     - "{{ service_ks_register_services }}"
     - endpoints
   delegate_to: "{{ service_ks_register_delegate_host }}"
+  loop_control:
+    label:
+      service: "{{ item.0.name }}"
+      url: "{{ item.1.url }}"
+      interface: "{{ item.1.interface }}"
   register: service_ks_register_result
   until: service_ks_register_result is success
   retries: "{{ service_ks_register_retries }}"
   delay: "{{ service_ks_register_delay }}"
 
-- name: Creating the {{ project_name }} service project
+- name: "{{ project_name }} | Creating projects"
   become: true
   kolla_toolbox:
     module_name: "os_project"
@@ -61,7 +70,7 @@
   retries: "{{ service_ks_register_retries }}"
   delay: "{{ service_ks_register_delay }}"
 
-- name: Creating the {{ project_name }} service users
+- name: "{{ project_name }} | Creating users"
   become: true
   kolla_toolbox:
     module_name: "os_user"
@@ -86,7 +95,7 @@
   retries: "{{ service_ks_register_retries }}"
   delay: "{{ service_ks_register_delay }}"
 
-- name: Creating the {{ project_name }} service roles
+- name: "{{ project_name }} | Creating roles"
   become: true
   kolla_toolbox:
     module_name: "os_keystone_role"
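Review bot: The `Creating users` task in the fourth hunk is renamed but, unlike the services and endpoints tasks in the first two hunks, gets no `loop_control` label; its loop body lies outside the hunk, and if it still iterates `service_ks_register_users` — whose items carry a `password` field per the role's defaults — without a `label` or `no_log: true`, the default per-item display prints every password into the play output and any log that captures it. Adding `loop_control:` / `  label: "{{ item.user }}"` to that task (or `no_log: true` if the module output itself may echo the password) closes that; the projects task in the second hunk would take a `label: "{{ item.project }}"` for consistency.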
@@ -97,14 +106,14 @@
       interface: "{{ service_ks_register_interface }}"
       cacert: "{{ service_ks_cacert }}"
   run_once: True
-  with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list }}"
+  with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list + service_ks_register_roles }}"
   delegate_to: "{{ service_ks_register_delegate_host }}"
   register: service_ks_register_result
   until: service_ks_register_result is success
   retries: "{{ service_ks_register_retries }}"
   delay: "{{ service_ks_register_delay }}"
 
-- name: Granting the {{ project_name }} service user roles
+- name: "{{ project_name }} | Granting user roles"
   become: true
   kolla_toolbox:
     module_name: "os_user_role"
@@ -118,7 +127,7 @@
       interface: "{{ service_ks_register_interface }}"
       cacert: "{{ service_ks_cacert }}"
   run_once: True
-  with_items: "{{ service_ks_register_users }}"
+  with_items: "{{ service_ks_register_users + service_ks_register_user_roles }}"
   delegate_to: "{{ service_ks_register_delegate_host }}"
   loop_control:
     label:
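Review bot: In the first hunk `unique` runs before `service_ks_register_roles` is appended (Jinja filters bind tighter than `+`, so this is `(... | list) + service_ks_register_roles`), so a role that appears both as a user's `role` and in the roles list — for monasca, the first element of `monasca_agent_authorized_roles` is in both — is created twice per run. Harmless because the role creation is idempotent, but it is an extra iteration and output line each deploy; dedupe after the concatenation instead: `with_items: "{{ (service_ks_register_users | map(attribute='role') | list + service_ks_register_roles) | flatten | unique | list }}"`. The `flatten` also makes the nested lists monasca passes explicit rather than relying on `with_items` flattening.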