From d6381109703939235ce7763677f7b043b298e453 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory <jimmy.mccrory@gmail.com>
Date: Wed, 3 Oct 2018 21:59:14 -0700
Subject: [PATCH] Remove keystone service user

The keystone service user is never used by the keystone service. Remove
the tasks creating it and related variables.

Change-Id: Iede26cba97ab43cdd0abc3887883e61d40007b34
---
 defaults/main.yml                             |  2 --
 doc/source/index.rst                          |  1 -
 examples/playbook.yml                         |  1 -
 ...-remove-service-user-f2100fa3127c7c2e.yaml |  7 ++++
 tasks/keystone_service_update.yml             | 32 -------------------
 5 files changed, 7 insertions(+), 36 deletions(-)
 create mode 100644 releasenotes/notes/os-keystone-remove-service-user-f2100fa3127c7c2e.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 5c13df77..82d241d5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -168,7 +168,6 @@ keystone_service_name: keystone
 keystone_service_port: 5000
 keystone_service_type: identity
 keystone_service_description: "Keystone Identity Service"
-keystone_service_user_name: keystone
 keystone_service_tenant_name: service
 
 keystone_service_proto: http
@@ -488,7 +487,6 @@ keystone_required_secrets:
   - keystone_oslomsg_rpc_password
   - keystone_oslomsg_notify_password
   - keystone_rabbitmq_password
-  - keystone_service_password
 
 keystone_uwsgi_init_overrides: {}
 
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 83db9522..f5426060 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -44,7 +44,6 @@ To use this role, define the following variables:
     keystone_container_mysql_password: "YourPassword"
 
     keystone_auth_admin_password: "SuperSecretePassword"
-    keystone_service_password: "secrete"
     keystone_rabbitmq_password: "secrete"
     keystone_container_mysql_password: "SuperSecrete"
 
diff --git a/examples/playbook.yml b/examples/playbook.yml
index 203595d1..e5b4a949 100644
--- a/examples/playbook.yml
+++ b/examples/playbook.yml
@@ -13,7 +13,6 @@
     keystone_developer_mode: true
     keystone_git_install_branch: master
     keystone_auth_admin_password: "SuperSecretePassword"
-    keystone_service_password: "secrete"
     keystone_oslomsg_rpc_password: "secrete"
     keystone_oslomsg_notify_password: "secrete"
     keystone_container_mysql_password: "SuperSecrete"
diff --git a/releasenotes/notes/os-keystone-remove-service-user-f2100fa3127c7c2e.yaml b/releasenotes/notes/os-keystone-remove-service-user-f2100fa3127c7c2e.yaml
new file mode 100644
index 00000000..9aa82ac5
--- /dev/null
+++ b/releasenotes/notes/os-keystone-remove-service-user-f2100fa3127c7c2e.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    The tasks creating a keystone service user have been removed, along with
+    related variables ``keystone_service_user_name`` and
+    ``keystone_service_password``. This user can be deleted in existing
+    deployments.
diff --git a/tasks/keystone_service_update.yml b/tasks/keystone_service_update.yml
index 0aca7c33..92cd1804 100644
--- a/tasks/keystone_service_update.yml
+++ b/tasks/keystone_service_update.yml
@@ -87,38 +87,6 @@
       retries: 5
       delay: 10
 
-    - name: Add service user
-      os_user:
-        cloud: default
-        state: present
-        name: "{{ keystone_service_user_name }}"
-        password: "{{ keystone_service_password }}"
-        domain: default
-        default_project: "{{ keystone_service_tenant_name }}"
-        endpoint_type: admin
-        verify: "{{ not keystone_service_adminuri_insecure }}"
-      register: add_service
-      when: not keystone_service_in_ldap | bool
-      until: add_service is success
-      retries: 5
-      delay: 10
-      no_log: True
-
-    - name: Add service user to admin role
-      os_user_role:
-        cloud: default
-        state: present
-        user: "{{ keystone_service_user_name }}"
-        role: "{{ keystone_role_name }}"
-        project: "{{ keystone_service_tenant_name }}"
-        endpoint_type: admin
-        verify: "{{ not keystone_service_adminuri_insecure }}"
-      register: add_service
-      when: not keystone_service_in_ldap | bool
-      until: add_service is success
-      retries: 5
-      delay: 10
-
     - name: Add endpoints to keystone endpoint catalog
       os_keystone_endpoint:
         cloud: default