--- # Copyright 2014, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # This is the role assigned to users created within Heat stacks themselves - name: Ensure heat_stack_user role keystone: command: ensure_role role_name: "heat_stack_user" token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" tags: - heat-domain - heat-domain-role - heat-domain-setup - heat-config - name: Ensure heat domain keystone: command: ensure_domain domain_name: "{{ heat_stack_user_domain_name }}" token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" tags: - heat-domain - heat-domain-setup - heat-config - name: Ensure heat project keystone: command: ensure_project project_name: "{{ heat_project_name }}" domain_name: "{{ heat_stack_user_domain_name }}" token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" insecure: "{{ keystone_service_adminuri_insecure }}" tags: - heat-domain - heat-domain-setup - heat-config # TODO Change the keystone library to support adding # a user to a domain without specifying a project - name: Ensure heat user shell: | . {{ ansible_env.HOME }}/openrc openstack --os-identity-api-version=3 \ --os-auth-url={{ keystone_service_adminurl_v3 }} \ --os-project-name={{ heat_project_name }} \ --os-project-domain-name={{ heat_project_domain_name }} \ --os-user-domain-name={{ heat_user_domain_name }} \ user \ create \ --or-show \ --domain {{ heat_stack_user_domain_name }} \ --password {{ heat_stack_domain_admin_password }} \ "{{ heat_stack_domain_admin }}" tags: - heat-domain - heat-domain-setup - heat-config # TODO Change the keystone library to support adding # a role to a user without specifying a project - name: Assign admin role to heat domain admin user shell: | . {{ ansible_env.HOME }}/openrc openstack --os-identity-api-version=3 \ --os-auth-url={{ keystone_service_adminurl_v3 }} \ --os-project-name={{ heat_project_name }} \ --os-project-domain-name={{ heat_project_domain_name }} \ --os-user-domain-name={{ heat_user_domain_name }} \ role \ add \ --user {{ heat_stack_domain_admin }} \ --domain {{ heat_stack_user_domain_name }} \ admin tags: - heat-domain - heat-domain-setup - heat-config