From 68d6a5193136746690f7e7e59733942945249e40 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sat, 22 Jan 2022 21:23:53 +0900
Subject: [PATCH] Allow customizing roles of the ceilometer service user
This change introduces the capability to customize project-scoped and system-scoped roles assigned to the ceilometer service user.
Change-Id: I6221fa85ad1fd0388c49f2ed49db1b6645dec3f5
---
 manifests/keystone/auth.pp | 18 ++++++++++++++++++
 .../system_scope-role-d29cc9a3c6da4fef.yaml | 9 +++++++++
 spec/classes/ceilometer_keystone_auth_spec.rb | 9 +++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-role-d29cc9a3c6da4fef.yaml
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index c8cb0c8f..1cf24b2f 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -31,6 +31,18 @@
 # (Optional) Tenant for Ceilometer user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to aodh user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to aodh user.
+# Defaults to []
+#
 # === Examples:
 #
 # class { 'ceilometer::keystone::auth':
@@ -45,6 +57,9 @@ class ceilometer::keystone::auth (
 $configure_user_role = true,
 $region = 'RegionOne',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 ) {
 include ceilometer::deps
@@ -63,5 +78,8 @@ class ceilometer::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 }
 }
diff --git a/releasenotes/notes/system_scope-role-d29cc9a3c6da4fef.yaml b/releasenotes/notes/system_scope-role-d29cc9a3c6da4fef.yaml
new file mode 100644
index 00000000..b1f2e1e8
--- /dev/null
+++ b/releasenotes/notes/system_scope-role-d29cc9a3c6da4fef.yaml
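Review bot: The parameter docs added in the first hunk of manifests/keystone/auth.pp (-31,6) name the wrong service: both `[*roles*]` and `[*system_roles*]` say "assigned to aodh user", which looks like a copy from another module. They should read `# (Optional) List of roles assigned to ceilometer user.` and `# (Optional) List of system roles assigned to ceilometer user.`. Since these parameters decide what the service account is allowed to do, the `[*system_scope*]` entry would also benefit from one sentence saying that system-scoped assignments apply to the deployment rather than to the `tenant` project, so operators understand what a non-empty `system_roles` grants.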
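Review bot: The three parameters added to the class signature in the hunk at -45,6 of manifests/keystone/auth.pp (`$roles`, `$system_scope`, `$system_roles`) carry no data type, and the hunk at -63,5 forwards them unchanged, so a scalar such as `roles => 'admin'` or a mistyped scope reaches the identity resource unchecked. Because these values determine the privileges of the service account, I would declare them as `Array[String[1]] $roles = ['admin'],` and `Array[String[1]] $system_roles = [],`, with `String[1]` for `$system_scope`. The neighbouring parameters visible in the hunk are untyped as well, so this may be a module-wide convention that is better changed in a separate commit. The class body starts and ends outside this hunk.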
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The ``ceilometer::keystone::auth`` class now supports customizing roles
+ assigned to the ceilometer service user.
+
+ - |
+ The ``ceilometer::keystone::auth`` class now supports defining assignment
+ of system-scoped roles to the ceilometer user.
diff --git a/spec/classes/ceilometer_keystone_auth_spec.rb b/spec/classes/ceilometer_keystone_auth_spec.rb
index 326ddec8..c9d49cfa 100644
--- a/spec/classes/ceilometer_keystone_auth_spec.rb
+++ b/spec/classes/ceilometer_keystone_auth_spec.rb
@@ -21,6 +21,9 @@ describe 'ceilometer::keystone::auth' do
 :password => 'ceilometer_password',
 :email => 'ceilometer@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 ) }
 end
@@ -30,6 +33,9 @@ describe 'ceilometer::keystone::auth' do
 :auth_name => 'alt_ceilometer',
 :email => 'alt_ceilometer@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_user => false,
 :configure_user_role => false,
 :region => 'RegionTwo' }
@@ -45,6 +51,9 @@ describe 'ceilometer::keystone::auth' do
 :password => 'ceilometer_password',
 :email => 'alt_ceilometer@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 ) }
 end
 end
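Review bot: The override fixture in spec/classes/ceilometer_keystone_auth_spec.rb (hunk at -30,6) pairs the new role lists with `:configure_user_role => false`, and the expectation at -45,6 checks only that the values are forwarded, so in the visible hunks no case covers a deployment that narrows the account below `admin`. I would add a context that leaves role configuration enabled with `:roles => ['service']` and `:system_roles => ['reader']` and asserts that the resource receives exactly those lists. That `'alt_all'` is accepted for `:system_scope` also shows the class takes any scope string; if validation is later added to the manifest, this fixture will need a valid value. Both the fixture and the expectation blocks start outside their hunks.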