Remove dedicated heat-cfn user

This keystone user is not actually used. Both heat-api and heat-cfn-api
uses the common heat user.

Change-Id: Id59ae644b9880358ae94696b49d4ba9ae58adfef
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>

manifests/keystone/auth_cfn.pp

@@ -3,17 +3,10 @@
 # Configures heat-api-cfn user, service and endpoint in Keystone.
 #
 # === Parameters
-# [*password*]
-#   (Mandatory) Password for heat-cfn user.
-#
 # [*email*]
 #   (Optional) Email for heat-cfn user.
 #   Defaults to 'heat-cfn@localhost'.
 #
-# [*auth_name*]
-#   (Optional) Username for heat-cfn service.
-#   Defaults to 'heat-cfn'.
-#
 # [*configure_endpoint*]
 #   (Optional) Should heat-cfn endpoint be configured?
 #   Defaults to 'true'.
@@ -22,14 +15,6 @@
 #   (Optional) Should heat-cfn service be configured?
 #   Defaults to 'true'.
 #
-# [*configure_user*]
-#   (Optional) Whether to create the service user.
-#   Defaults to 'true'.
-#
-# [*configure_user_role*]
-#   (Optional) Whether to configure the admin role for the service user.
-#   Defaults to 'true'.
-#
 # [*service_description*]
 #   (Optional) Description of the service.
 #   Default to 'OpenStack Cloudformation Service'
@@ -46,22 +31,6 @@
 #   (Optional) Region for endpoint.
 #   Defaults to 'RegionOne'.
 #
-# [*tenant*]
-#   (Optional) Tenant for heat-cfn user.
-#   Defaults to 'services'.
-#
-# [*roles*]
-#   (Optional) List of roles assigned to heat user.
-#   Defaults to ['admin']
-#
-# [*system_scope*]
-#   (Optional) Scope for system operations.
-#   Defaults to 'all'
-#
-# [*system_roles*]
-#   (Optional) List of system roles assigned to heat user.
-#   Defaults to []
-#
 # [*public_url*]
 #   (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8000/v1')
 #   This url should *not* contain any trailing '/'.
@@ -74,6 +43,40 @@
 #   (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:8000/v1')
 #   This url should *not* contain any trailing '/'.
 #
+# DEPRECATED PARAMETERS
+#
+# [*password*]
+#   (Optioal) Password for heat-cfn user.
+#   Defaults to undef
+#
+# [*auth_name*]
+#   (Optional) Username for heat-cfn service.
+#   Defaults to undef
+#
+# [*configure_user*]
+#   (Optional) Whether to create the service user.
+#   Defaults to undef
+#
+# [*configure_user_role*]
+#   (Optional) Whether to configure the admin role for the service user.
+#   Defaults to undef
+#
+# [*tenant*]
+#   (Optional) Tenant for heat-cfn user.
+#   Defaults to undef
+#
+# [*roles*]
+#   (Optional) List of roles assigned to heat user.
+#   Defaults to undef
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to undef
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to heat user.
+#   Defaults to undef
+#
 # === Examples
 #
 #  class { 'heat::keystone::auth_cfn':
@@ -83,46 +86,54 @@
 #  }
 #
 class heat::keystone::auth_cfn (
-  String[1] $password,
-  String[1] $email                        = 'heat-cfn@localhost',
-  String[1] $auth_name                    = 'heat-cfn',
   String[1] $service_name                 = 'heat-cfn',
   String[1] $service_description          = 'OpenStack Cloudformation Service',
   String[1] $service_type                 = 'cloudformation',
   String[1] $region                       = 'RegionOne',
-  String[1] $tenant                       = 'services',
-  Array[String[1]] $roles                 = ['admin'],
-  String[1] $system_scope                 = 'all',
-  Array[String[1]] $system_roles          = [],
   Boolean $configure_endpoint             = true,
   Boolean $configure_service              = true,
-  Boolean $configure_user                 = true,
-  Boolean $configure_user_role            = true,
   Keystone::PublicEndpointUrl $public_url = 'http://127.0.0.1:8000/v1',
   Keystone::EndpointUrl $admin_url        = 'http://127.0.0.1:8000/v1',
   Keystone::EndpointUrl $internal_url     = 'http://127.0.0.1:8000/v1',
+  # DEPRECATED PARAMETERS
+  Optional[Boolean] $configure_user       = undef,
+  Optional[Boolean] $configure_user_role  = undef,
+  $password                               = undef,
+  $email                                  = undef,
+  $auth_name                              = undef,
+  $tenant                                 = undef,
+  $roles                                  = undef,
+  $system_scope                           = undef,
+  $system_roles                           = undef,
 ) {
 
   include heat::deps
 
+  if $configure_user != undef {
+    warning('The configure_user parameter is deprecated')
+    if $configure_user {
+      fail('Management of heat-cfn user is no longer supported.')
+    }
+  }
+
+  if $configure_user_role != undef {
+    warning('The configure_user_role parameter is deprecated')
+    if $configure_user_role {
+      fail('Management of heat-cfn user is no longer supported.')
+    }
+  }
+
   Keystone::Resource::Service_identity['heat-cfn'] -> Anchor['heat::service::end']
 
   keystone::resource::service_identity { 'heat-cfn':
-    configure_user      => $configure_user,
+    configure_user      => false,
-    configure_user_role => $configure_user_role,
+    configure_user_role => false,
     configure_endpoint  => $configure_endpoint,
     configure_service   => $configure_service,
     service_type        => $service_type,
     service_description => $service_description,
     service_name        => $service_name,
     region              => $region,
-    auth_name           => $auth_name,
-    password            => $password,
-    email               => $email,
-    tenant              => $tenant,
-    roles               => $roles,
-    system_scope        => $system_scope,
-    system_roles        => $system_roles,
     public_url          => $public_url,
     admin_url           => $admin_url,
     internal_url        => $internal_url,

releasenotes/notes/remove-heat-cfn-user-6025c60ac3eb6b84.yaml

@@ -0,0 +1,19 @@
+---
+upgrade:
+  - |
+    The ``heat::keystone::auth_cfn`` class no longer supports management of
+    the dedicated keystone user for CFN API. Use the common heat user instead.
+
+deprecations:
+  - |
+    The following parameters of the ``heat::keystone::auth_cfn`` class have
+    been deprecated.
+
+    - ``configure_user``
+    - ``configure_user_role``
+    - ``auth_name``
+    - ``password``
+    - ``tenant``
+    - ``roles``
+    - ``system_scope``
+    - ``system_roles``

spec/classes/heat_keystone_auth_cfn_spec.rb

@@ -7,25 +7,14 @@ require 'spec_helper'
 describe 'heat::keystone::auth_cfn' do
   shared_examples_for 'heat::keystone::auth_cfn' do
     context 'with default class parameters' do
-      let :params do
-        { :password => 'heat_password' }
-      end
-
       it { is_expected.to contain_keystone__resource__service_identity('heat-cfn').with(
-        :configure_user      => true,
+        :configure_user      => false,
-        :configure_user_role => true,
+        :configure_user_role => false,
         :configure_endpoint  => true,
         :service_name        => 'heat-cfn',
         :service_type        => 'cloudformation',
         :service_description => 'OpenStack Cloudformation Service',
         :region              => 'RegionOne',
-        :auth_name           => 'heat-cfn',
-        :password            => 'heat_password',
-        :email               => 'heat-cfn@localhost',
-        :tenant              => 'services',
-        :roles               => ['admin'],
-        :system_scope        => 'all',
-        :system_roles        => [],
         :public_url          => 'http://127.0.0.1:8000/v1',
         :internal_url        => 'http://127.0.0.1:8000/v1',
         :admin_url           => 'http://127.0.0.1:8000/v1',
@@ -34,16 +23,9 @@ describe 'heat::keystone::auth_cfn' do
 
     context 'when overriding parameters' do
       let :params do
-        { :password            => 'heat_password',
+        {
-          :auth_name           => 'alt_heat-cfn',
-          :email               => 'alt_heat-cfn@alt_localhost',
-          :tenant              => 'alt_service',
-          :roles               => ['admin', 'service'],
-          :system_scope        => 'alt_all',
-          :system_roles        => ['admin', 'member', 'reader'],
           :configure_endpoint  => false,
-          :configure_user      => false,
+          :configure_service   => false,
-          :configure_user_role => false,
           :service_description => 'Alternative OpenStack Cloudformation Service',
           :service_name        => 'alt_service',
           :service_type        => 'alt_cloudformation',
@@ -58,17 +40,11 @@ describe 'heat::keystone::auth_cfn' do
         :configure_user      => false,
         :configure_user_role => false,
         :configure_endpoint  => false,
+        :configure_service   => false,
         :service_name        => 'alt_service',
         :service_type        => 'alt_cloudformation',
         :service_description => 'Alternative OpenStack Cloudformation Service',
         :region              => 'RegionTwo',
-        :auth_name           => 'alt_heat-cfn',
-        :password            => 'heat_password',
-        :email               => 'alt_heat-cfn@alt_localhost',
-        :tenant              => 'alt_service',
-        :roles               => ['admin', 'service'],
-        :system_scope        => 'alt_all',
-        :system_roles        => ['admin', 'member', 'reader'],
         :public_url          => 'https://10.10.10.10:80',
         :internal_url        => 'http://10.10.10.11:81',
         :admin_url           => 'http://10.10.10.12:81',