a12dcaff62
The heat stack user was using the openstack CLI tools. This has changed such that it's now using our library. This will ensure that the roles, users, groups, projects and domains are created properly, without the variability of the CLI interface and its returned data. Closes-Bug: #1489947 Change-Id: I3f0af0589825fa506e3618f6f39a54bf89c87d14
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This is the role assigned to users created within Heat stacks themselves.
# The task calls the keystone module with the Keystone admin token against
# the admin endpoint.
# NOTE(review): `insecure` presumably turns off TLS certificate verification
# for that endpoint when keystone_service_adminuri_insecure is true - confirm
# it is only enabled where the endpoint certificate cannot be validated.
# NOTE(review): confirm the keystone module marks `token` as no_log so the
# admin token does not show up in verbose or failure output.
- name: Ensure heat_stack_user role
  keystone:
    command: ensure_role
    role_name: 'heat_stack_user'
    endpoint: "{{ keystone_service_adminurl }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
    token: "{{ keystone_auth_admin_token }}"
  tags:
    - heat-domain
    - heat-domain-role
    - heat-domain-setup
    - heat-config
# Creates (or confirms) the Keystone domain named by
# heat_stack_user_domain_name, authenticating with the Keystone admin token.
# NOTE(review): `insecure` presumably turns off TLS certificate verification
# for the admin endpoint when keystone_service_adminuri_insecure is true -
# confirm before enabling it.
- name: Ensure heat domain
  keystone:
    command: ensure_domain
    domain_name: "{{ heat_stack_user_domain_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
    token: "{{ keystone_auth_admin_token }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config
# Creates (or confirms) the project heat_project_name inside the domain
# heat_stack_user_domain_name, authenticating with the Keystone admin token.
# NOTE(review): `insecure` presumably turns off TLS certificate verification
# for the admin endpoint when keystone_service_adminuri_insecure is true -
# confirm before enabling it.
- name: Ensure heat project
  keystone:
    command: ensure_project
    project_name: "{{ heat_project_name }}"
    domain_name: "{{ heat_stack_user_domain_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
    token: "{{ keystone_auth_admin_token }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config
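# TODO Change the keystone library to support adding
# a user to a domain without specifying a project
#
# Until then the user is created with the openstack CLI, using the
# credentials sourced from ~/openrc.
# Every templated value goes through the `quote` filter so that whitespace
# or shell metacharacters in a variable (the password in particular) cannot
# split or alter the command line.
# no_log keeps the rendered command, which contains the domain admin
# password, out of Ansible's output and logs. The password is still passed
# as a command-line argument, so it stays visible in the host's process
# list while the command runs.
- name: Ensure heat user
  shell: |
    . {{ ansible_env.HOME | quote }}/openrc
    openstack --os-identity-api-version=3 \
              --os-auth-url={{ keystone_service_adminurl_v3 | quote }} \
              --os-project-name={{ heat_project_name | quote }} \
              --os-project-domain-name={{ heat_project_domain_name | quote }} \
              --os-user-domain-name={{ heat_user_domain_name | quote }} \
              user \
              create \
              --or-show \
              --domain {{ heat_stack_user_domain_name | quote }} \
              --password {{ heat_stack_domain_admin_password | quote }} \
              {{ heat_stack_domain_admin | quote }}
  no_log: true
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config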
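# TODO Change the keystone library to support adding
# a role to a user without specifying a project
#
# Until then the role is granted with the openstack CLI, using the
# credentials sourced from ~/openrc. This gives the heat domain admin user
# the `admin` role on the heat stack user domain.
# Every templated value goes through the `quote` filter so that whitespace
# or shell metacharacters in a variable cannot split or alter the command
# line.
- name: Assign admin role to heat domain admin user
  shell: |
    . {{ ansible_env.HOME | quote }}/openrc
    openstack --os-identity-api-version=3 \
              --os-auth-url={{ keystone_service_adminurl_v3 | quote }} \
              --os-project-name={{ heat_project_name | quote }} \
              --os-project-domain-name={{ heat_project_domain_name | quote }} \
              --os-user-domain-name={{ heat_user_domain_name | quote }} \
              role \
              add \
              --user {{ heat_stack_domain_admin | quote }} \
              --domain {{ heat_stack_user_domain_name | quote }} \
              admin
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config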