Make user creation optional when creating service.

In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added parameters configure_user and configure_user_role (default to true). Change-Id: If9bb802ff2bb0b3ece55f36df773059ba9c7e9de Closes-Bug: 1360232
2014-08-22 15:38:36 +03:00 · 2014-08-22 15:38:36 +03:00 · 246842f13c
parent 78042d76c0
commit 246842f13c
2 changed files with 73 additions and 24 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -6,6 +6,9 @@
 #  $auth_name :: identifier used for all keystone objects related to glance.
 #    Optional. Defaults to glance.
 #  $password :: password for glance user. Optional. Defaults to glance_password.
+#  $configure_user :: Whether to configure a service user. Optional. Defaults to true.
+#  $configure_user_role :: Whether to configure the admin role for the service user.
+#    Optional. Defaults to true.
 #  $service_name :: name of the service. Optional. Defaults to value of auth_name.
 #  $service_type :: type of service to create. Optional. Defaults to image.
 #  $public_address :: Public address for endpoint. Optional. Defaults to 127.0.0.1.
@ -20,20 +23,22 @@
 #
 class glance::keystone::auth(
  $password,
-  $email              = 'glance@localhost',
-  $auth_name          = 'glance',
-  $configure_endpoint = true,
-  $service_name       = undef,
-  $service_type       = 'image',
-  $public_address     = '127.0.0.1',
-  $admin_address      = '127.0.0.1',
-  $internal_address   = '127.0.0.1',
-  $port               = '9292',
-  $region             = 'RegionOne',
-  $tenant             = 'services',
-  $public_protocol    = 'http',
-  $admin_protocol     = 'http',
-  $internal_protocol  = 'http'
+  $email               = 'glance@localhost',
+  $auth_name           = 'glance',
+  $configure_endpoint  = true,
+  $configure_user      = true,
+  $configure_user_role = true,
+  $service_name        = undef,
+  $service_type        = 'image',
+  $public_address      = '127.0.0.1',
+  $admin_address       = '127.0.0.1',
+  $internal_address    = '127.0.0.1',
+  $port                = '9292',
+  $region              = 'RegionOne',
+  $tenant              = 'services',
+  $public_protocol     = 'http',
+  $admin_protocol      = 'http',
+  $internal_protocol   = 'http'
 ) {

  if $service_name == undef {
@ -42,20 +47,25 @@ class glance::keystone::auth(
    $real_service_name = $service_name
  }

-  Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-registry' |>
-  Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-api' |>
  Keystone_endpoint["${region}/${real_service_name}"]  ~> Service <| name == 'glance-api' |>

-  keystone_user { $auth_name:
-    ensure   => present,
-    password => $password,
-    email    => $email,
-    tenant   => $tenant,
+  if $configure_user {
+    keystone_user { $auth_name:
+      ensure   => present,
+      password => $password,
+      email    => $email,
+      tenant   => $tenant,
+    }
  }

-  keystone_user_role { "${auth_name}@${tenant}":
-    ensure  => present,
-    roles   => 'admin',
+  if $configure_user_role {
+    Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-registry' |>
+    Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-api' |>
+
+    keystone_user_role { "${auth_name}@${tenant}":
+      ensure => present,
+      roles  => 'admin',
+    }
  }

  keystone_service { $real_service_name:
--- a/spec/classes/glance_keystone_auth_spec.rb
+++ b/spec/classes/glance_keystone_auth_spec.rb
@ -98,6 +98,45 @@ describe 'glance::keystone::auth' do
    it { should_not contain_keystone_endpoint('glance') }
  end

+  describe 'when disabling user configuration' do
+    let :params do
+      {
+        :configure_user => false,
+        :password       => 'pass',
+      }
+    end
+
+    it { should_not contain_keystone_user('glance') }
+
+    it { should contain_keystone_user_role('glance@services') }
+
+    it { should contain_keystone_service('glance').with(
+      :ensure      => 'present',
+      :type        => 'image',
+      :description => 'Openstack Image Service'
+    ) }
+  end
+
+  describe 'when disabling user and user role configuration' do
+    let :params do
+      {
+        :configure_user      => false,
+        :configure_user_role => false,
+        :password            => 'pass',
+      }
+    end
+
+    it { should_not contain_keystone_user('glance') }
+
+    it { should_not contain_keystone_user_role('glance@services') }
+
+    it { should contain_keystone_service('glance').with(
+      :ensure      => 'present',
+      :type        => 'image',
+      :description => 'Openstack Image Service'
+    ) }
+  end
+
  describe 'when configuring glance-api and the keystone endpoint' do
    let :pre_condition do
      "class { 'glance::api': keystone_password => 'test' }"