From 246842f13cd06aeb0ce07959ff892f21749a340f Mon Sep 17 00:00:00 2001 From: Risto Laurikainen Date: Fri, 22 Aug 2014 15:38:36 +0300 Subject: [PATCH] Make user creation optional when creating service. In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added parameters configure_user and configure_user_role (default to true). Change-Id: If9bb802ff2bb0b3ece55f36df773059ba9c7e9de Closes-Bug: 1360232 --- manifests/keystone/auth.pp | 58 +++++++++++++---------- spec/classes/glance_keystone_auth_spec.rb | 39 +++++++++++++++ 2 files changed, 73 insertions(+), 24 deletions(-) diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index c98860b6..d325acef 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -6,6 +6,9 @@ # $auth_name :: identifier used for all keystone objects related to glance. # Optional. Defaults to glance. # $password :: password for glance user. Optional. Defaults to glance_password. +# $configure_user :: Whether to configure a service user. Optional. Defaults to true. +# $configure_user_role :: Whether to configure the admin role for the service user. +# Optional. Defaults to true. # $service_name :: name of the service. Optional. Defaults to value of auth_name. # $service_type :: type of service to create. Optional. Defaults to image. # $public_address :: Public address for endpoint. Optional. Defaults to 127.0.0.1. 
@@ -20,20 +23,22 @@
 #
 class glance::keystone::auth(
 $password,
- $email = 'glance@localhost',
- $auth_name = 'glance',
- $configure_endpoint = true,
- $service_name = undef,
- $service_type = 'image',
- $public_address = '127.0.0.1',
- $admin_address = '127.0.0.1',
- $internal_address = '127.0.0.1',
- $port = '9292',
- $region = 'RegionOne',
- $tenant = 'services',
- $public_protocol = 'http',
- $admin_protocol = 'http',
- $internal_protocol = 'http'
+ $email = 'glance@localhost',
+ $auth_name = 'glance',
+ $configure_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
+ $service_name = undef,
+ $service_type = 'image',
+ $public_address = '127.0.0.1',
+ $admin_address = '127.0.0.1',
+ $internal_address = '127.0.0.1',
+ $port = '9292',
+ $region = 'RegionOne',
+ $tenant = 'services',
+ $public_protocol = 'http',
+ $admin_protocol = 'http',
+ $internal_protocol = 'http'
 ) {
 if $service_name == undef {
@@ -42,20 +47,25 @@ class glance::keystone::auth(
 $real_service_name = $service_name
 }
- Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-registry' |>
- Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-api' |>
 Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'glance-api' |>
- keystone_user { $auth_name:
- ensure => present,
- password => $password,
- email => $email,
- tenant => $tenant,
+ if $configure_user {
+ keystone_user { $auth_name:
+ ensure => present,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ }
 }
- keystone_user_role { "${auth_name}@${tenant}":
- ensure => present,
- roles => 'admin',
+ if $configure_user_role {
+ Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-registry' |>
+ Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'glance-api' |>
+
+ keystone_user_role { "${auth_name}@${tenant}":
+ ensure => present,
+ roles => 'admin',
+ }
 }
 keystone_service { $real_service_name:
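Review bot: `$password` is still a mandatory parameter in the class header, although with the new `$configure_user = false` the only visible use of it (`password => $password` inside `keystone_user`) is skipped. A deployment that keeps the service account in a read-only LDAP backend therefore has to put a placeholder secret in its manifest, as the spec added by this commit does with `:password => 'pass'`. Consider `$password = undef,` in the header together with `if $configure_user and !$password { fail('password is required when configure_user is true') }` at the top of the body. The class body continues outside this hunk, so confirm nothing else reads `$password` before relaxing it.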
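Review bot: In the second hunk, `configure_user => false` combined with the default `configure_user_role => true` still declares `keystone_user_role { "${auth_name}@${tenant}": roles => 'admin' }`, so `admin` on `$tenant` is granted to an account whose existence and credentials this class no longer manages. With an external directory as the identity backend that is whichever entry is named `$auth_name`, and the header comment should say so, for example `# $configure_user_role :: ... When configure_user is false the role is assigned to an externally managed account named $auth_name, which must already exist.` Whether the keystone provider fails or silently skips when that user is absent is not visible here and is worth confirming. The class body continues past the end of the hunk.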
diff --git a/spec/classes/glance_keystone_auth_spec.rb b/spec/classes/glance_keystone_auth_spec.rb
index 9109973e..79de6b68 100644
--- a/spec/classes/glance_keystone_auth_spec.rb
+++ b/spec/classes/glance_keystone_auth_spec.rb
@@ -98,6 +98,45 @@ describe 'glance::keystone::auth' do
 it { should_not contain_keystone_endpoint('glance') }
 end
+ describe 'when disabling user configuration' do
+ let :params do
+ {
+ :configure_user => false,
+ :password => 'pass',
+ }
+ end
+
+ it { should_not contain_keystone_user('glance') }
+
+ it { should contain_keystone_user_role('glance@services') }
+
+ it { should contain_keystone_service('glance').with(
+ :ensure => 'present',
+ :type => 'image',
+ :description => 'Openstack Image Service'
+ ) }
+ end
+
+ describe 'when disabling user and user role configuration' do
+ let :params do
+ {
+ :configure_user => false,
+ :configure_user_role => false,
+ :password => 'pass',
+ }
+ end
+
+ it { should_not contain_keystone_user('glance') }
+
+ it { should_not contain_keystone_user_role('glance@services') }
+
+ it { should contain_keystone_service('glance').with(
+ :ensure => 'present',
+ :type => 'image',
+ :description => 'Openstack Image Service'
+ ) }
+ end
+
 describe 'when configuring glance-api and the keystone endpoint' do
 let :pre_condition do
 "class { 'glance::api': keystone_password => 'test' }"
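Review bot: Neither new context sets `:configure_user_role => false` on its own, so the case where the service user is still created but receives no `admin` role is untested. Add a third `describe` that passes only `:configure_user_role => false` (plus the password) and asserts `it { should contain_keystone_user('glance') }` and `it { should_not contain_keystone_user_role('glance@services') }`. The first new context pins the opposite combination, where the role is granted to a user the class does not manage, so a short comment there stating that this is intended for externally managed accounts would keep a later reader from treating it as an oversight.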