From ea58c9f8f5825cf9e699c6a00f5e528b58ff8e45 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Tue, 15 Aug 2023 13:18:45 +0200 Subject: [PATCH] Stop reffering _member_ role Keystone has stopped providing or reffering `_member_` role for a while, thus role should not be refferenced anymore. Moreover, with 2023.1 service policies have dropped `_member_` which resulted in the role to be insufficient for basic operations. Change-Id: I5732f9197902fccb96eb8537050849a1692d3725 Related-Bug: #2029486
---
 defaults/main.yml | 8 ++++---- doc/source/configure-federation-mapping.rst | 10 +++++----- doc/source/configure-federation-sp.rst | 6 +++--- tasks/keystone_federation_sp_idp_setup.yml | 4 ++-- 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 607c6356..198b009b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -434,7 +434,7 @@ keystone_sp: {}
 # - domain: default
 # project: fedproject
 # group: fedgroup
-# role: _member_
+# role: member
 # protocols:
 # - name: saml2
 # mapping:
@@ -471,7 +471,7 @@ keystone_sp: {}
 # - domain: default
 # project: fedproject
 # group: fedgroup
-# role: _member_
+# role: member
 # protocols:
 # - name: saml2
 # mapping:
@@ -497,7 +497,7 @@ keystone_sp: {}
 # - domain: default
 # project: fedproject
 # group: fedgroup
-# role: _member_
+# role: member
 # protocols:
 # - name: saml2
 # mapping:
@@ -536,7 +536,7 @@ keystone_sp: {}
 # - domain: default
 # project: fedproject
 # group: fedgroup
-# role: _member_
+# role: member
 # protocols:
 # - name: openid
 # mapping:
diff --git a/doc/source/configure-federation-mapping.rst b/doc/source/configure-federation-mapping.rst
index 6ee55553..7ea67848 100644
--- a/doc/source/configure-federation-mapping.rst
+++ b/doc/source/configure-federation-mapping.rst
@@ -14,7 +14,7 @@ of federated_identities is not required. - domain: default project: fedproject group: fedgroup - role: _member_ + role: member #. ``project``: The project that federation users have access to. If the project does not already exist, create it in the @@ -42,13 +42,13 @@ Ansible implements the equivalent of the following OpenStack CLI commands: openstack group create fedgroup --domain Default # if the role does not already exist - openstack role create _member_ + openstack role create member # if the project does not already exist openstack project create --domain default fedproject # map the role to the project and user group in the domain - openstack role add --project fedproject --group fedgroup _member_ + openstack role add --project fedproject --group fedgroup member To extend simply add more entries to the list. For example: @@ -59,11 +59,11 @@ For example: - domain: default project: fedproject group: fedgroup - role: _member_ + role: member - domain: default project: fedproject2 group: fedgroup2 - role: _member_ + role: member Keystone federation attribute mapping ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/source/configure-federation-sp.rst b/doc/source/configure-federation-sp.rst index 7aaebc20..fc92abdc 100644 --- a/doc/source/configure-federation-sp.rst +++ b/doc/source/configure-federation-sp.rst @@ -145,7 +145,7 @@ service provider to an IDP using Shibboleth with CADF notifications on. - domain: default project: fedproject group: fedgroup - role: _member_ + role: member protocols: - name: saml2 mapping: @@ -259,7 +259,7 @@ multiple clouds. - domain: default project: fedproject group: fedgroup - role: _member_ + role: member protocols: - name: saml2 mapping: @@ -380,7 +380,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on. - domain: default project: fedproject group: fedgroup - role: _member_ + role: member protocols: - name: openid mapping: 
diff --git a/tasks/keystone_federation_sp_idp_setup.yml b/tasks/keystone_federation_sp_idp_setup.yml
index ed655810..22c0d0c7 100644
--- a/tasks/keystone_federation_sp_idp_setup.yml
+++ b/tasks/keystone_federation_sp_idp_setup.yml
@@ -74,7 +74,7 @@
 openstack.cloud.identity_role:
 cloud: default
 state: present
- name: "{{ item.role | default('_member_') }}"
+ name: "{{ item.role | default('member') }}"
 interface: admin
 verify: "{{ keystone_service_adminuri_insecure }}"
 with_items: "{{ trusted_idp.federated_identities | default([]) }}"
@@ -89,7 +89,7 @@
 state: present
 group: "{{ item.group }}"
 project: "{{ item.project }}"
- role: "{{ item.role | default('_member_') }}"
+ role: "{{ item.role | default('member') }}"
 interface: admin
 verify: "{{ keystone_service_adminuri_insecure }}"
 with_items: "{{ trusted_idp.federated_identities | default([]) }}"
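Review bot: The role-creation task in the hunk at line 74 passes `verify: "{{ keystone_service_adminuri_insecure }}"`, and the role-assignment task in the hunk at line 89 does the same; the commit leaves both untouched. In the openstack.cloud modules `verify` is an alias of `validate_certs`, so handing it a variable named "insecure" without negation looks inverted: with the flag false, TLS certificate verification for these admin-endpoint calls would be turned off, and it would be turned on only when the operator asks for insecure mode. If that reading of the variable is correct, both lines should be `verify: "{{ not keystone_service_adminuri_insecure }}"`. The task bodies begin above the hunks, so the task names and any conditions on them are not visible here.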
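Review bot: The new fallback in `role: "{{ item.role | default('member') }}"` (hunk at line 89) changes what existing deployments get on their next run: any `federated_identities` entry that omits `role` will have its group granted `member` on the project, while the `_member_` assignment made by earlier runs stays in place because nothing here removes it. Per the commit message `_member_` no longer satisfies the 2023.1 policies, so this is an effective access change for federated users and not only a rename, and the diffstat lists no release note for it. I would add an upgrade release note stating that the default federated role is now `member` and that stale `_member_` assignments are not cleaned up automatically. The same fallback is changed in the role-creation task in the hunk at line 74.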