Make user creation optional when creating service.

In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added a parameter configure_user (defaults to true). Closes-Bug: 1360232 Change-Id: I541224b9bf431da957b9de31909e0aad5c9be187
2014-09-10 11:39:04 -05:00 · 2014-09-10 11:39:04 -05:00 · 7719ceaff0
commit 7719ceaff0
parent 957c2120d0
2 changed files with 81 additions and 34 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -16,6 +16,12 @@
 # [*configure_endpoint*]
 #   Should Ceilometer endpoint be configured? Optional. Defaults to 'true'.
 #
+# [*configure_user*]
+#   Should Ceilometer service user be configured? Optional. Defaults to 'true'.
+#
+# [*configure_user_role*]
+#   Should roles be configured on Ceilometer service user? Optional. Defaults to 'true'.
+#
 # [*service_name*]
 #   Name of the service. Optional. Defaults to value of auth_name.
 #
@ -71,24 +77,26 @@
 #    Setting this variable overrides other $internal_* parameters.
 #
 class ceilometer::keystone::auth (
-  $password           = false,
-  $email              = 'ceilometer@localhost',
-  $auth_name          = 'ceilometer',
-  $service_name       = undef,
-  $service_type       = 'metering',
-  $public_address     = '127.0.0.1',
-  $admin_address      = '127.0.0.1',
-  $internal_address   = '127.0.0.1',
-  $port               = '8777',
-  $region             = 'RegionOne',
-  $tenant             = 'services',
-  $public_protocol    = 'http',
-  $admin_protocol     = 'http',
-  $internal_protocol  = 'http',
-  $configure_endpoint = true,
-  $public_url         = undef,
-  $admin_url          = undef,
-  $internal_url       = undef,
+  $password             = false,
+  $email                = 'ceilometer@localhost',
+  $auth_name            = 'ceilometer',
+  $configure_user       = true,
+  $configure_user_role  = true,
+  $service_name         = undef,
+  $service_type         = 'metering',
+  $public_address       = '127.0.0.1',
+  $admin_address        = '127.0.0.1',
+  $internal_address     = '127.0.0.1',
+  $port                 = '8777',
+  $region               = 'RegionOne',
+  $tenant               = 'services',
+  $public_protocol      = 'http',
+  $admin_protocol       = 'http',
+  $internal_protocol    = 'http',
+  $configure_endpoint   = true,
+  $public_url           = undef,
+  $admin_url            = undef,
+  $internal_url         = undef,
 ) {

  validate_string($password)
@ -117,25 +125,31 @@ class ceilometer::keystone::auth (
    $real_service_name = $auth_name
  }

-  Keystone_user_role["${auth_name}@${tenant}"] ~>
-    Service <| name == 'ceilometer-api' |>
-
-  keystone_user { $auth_name:
-    ensure   => present,
-    password => $password,
-    email    => $email,
-    tenant   => $tenant,
-  }
-  if !defined(Keystone_role['ResellerAdmin']) {
-    keystone_role { 'ResellerAdmin':
-      ensure => present,
+  if $configure_user {
+    keystone_user { $auth_name:
+      ensure   => present,
+      password => $password,
+      email    => $email,
+      tenant   => $tenant,
    }
  }
-  keystone_user_role { "${auth_name}@${tenant}":
-    ensure  => present,
-    roles   => ['admin', 'ResellerAdmin'],
-    require => Keystone_role['ResellerAdmin'],
+
+  if $configure_user_role {
+    Keystone_user_role["${auth_name}@${tenant}"] ~>
+      Service <| name == 'ceilometer-api' |>
+
+    if !defined(Keystone_role['ResellerAdmin']) {
+      keystone_role { 'ResellerAdmin':
+        ensure => present,
+      }
+    }
+    keystone_user_role { "${auth_name}@${tenant}":
+      ensure  => present,
+      roles   => ['admin', 'ResellerAdmin'],
+      require => Keystone_role['ResellerAdmin'],
+    }
  }
+
  keystone_service { $real_service_name:
    ensure      => present,
    type        => $service_type,
--- a/spec/classes/ceilometer_keystone_auth_spec.rb
+++ b/spec/classes/ceilometer_keystone_auth_spec.rb
@ -164,6 +164,39 @@ describe 'ceilometer::keystone::auth' do
      end
    end

+    context 'when disabling user configuration' do
+      before do
+        params.merge!( :configure_user => false )
+      end
+
+      it { should_not contain_keystone_user('ceilometer') }
+      it { should contain_keystone_user_role('ceilometer@services') }
+
+      it { should contain_keystone_service('ceilometer').with(
+        :ensure => 'present',
+        :type        => 'metering',
+        :description => 'Openstack Metering Service'
+      )}
+    end
+
+    context 'when disabling user and role configuration' do
+      before do
+        params.merge!(
+          :configure_user       => false,
+          :configure_user_role  => false
+        )
+      end
+
+      it { should_not contain_keystone_user('ceilometer') }
+      it { should_not contain_keystone_user_role('ceilometer@services') }
+
+      it { should contain_keystone_service('ceilometer').with(
+        :ensure => 'present',
+        :type        => 'metering',
+        :description => 'Openstack Metering Service'
+      )}
+    end
+
  end

  context 'on Debian platforms' do