From 2f91ad1584f2f1e0bfcf271d97dfc3ebaa85b6c0 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 18 Jan 2020 21:07:42 +0900 Subject: [PATCH] Customize roles assigned to ironic user This patch introduces a new hieradata ironic::keystone::auth::roles, to configure customized role assigned to ironic user. This is required to configure service token feature, as it requires special role is assigned to the user who uses the feature. Change-Id: If7e71bb3acaaa6f74279031730b18a7f129edb51 (cherry picked from commit a9da71c39df8fdd3ce88c677291fea04a20c4f90) --- manifests/keystone/auth.pp | 6 ++++++ .../notes/keystone-user-roles-9a21ef5f9a74777e.yaml | 5 +++++ spec/classes/ironic_keystone_auth_spec.rb | 12 ++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 7201aaca..346820ba 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -36,6 +36,10 @@
 # (Optional) Tenant for Ironic user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to the ironic service user
+# Defaults to ['admin']
+#
 # [*configure_endpoint*]
 # (Optional) Should Ironic endpoint be configured?
 # Defaults to true.
@@ -92,6 +96,7 @@ class ironic::keystone::auth (
 $auth_name = 'ironic',
 $email = 'ironic@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
@@ -124,6 +129,7 @@ class ironic::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml b/releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml
new file mode 100644
index 00000000..48006497
--- /dev/null
+++ b/releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml
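Review bot: The `[*roles*]` comment added in the first hunk gives the default but does not say what an override does to it. The value is handed on unchanged in the third hunk (`roles => $roles`), so the list presumably replaces `['admin']` rather than extending it, and an operator who sets only the role needed for service tokens would stop listing `admin`. I would state that in the doc block, e.g. `#   The list replaces the default, so include every role the user must keep.` The parameter documentation header starts outside the hunk.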
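Review bot: `$roles` in the second hunk is declared without a data type, so a hiera value written as a plain string instead of a list reaches `roles => $roles` in the third hunk unchecked. Because this value decides which keystone roles the service account holds, I would constrain it where the module's supported Puppet versions allow, e.g. `Array[String[1]] $roles = ['admin'],`. The neighbouring parameters visible here are untyped, so this may have to follow the module convention instead; the class parameter list and body continue outside both hunks.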
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ New parameter, ironic::keystone::auth::roles is introduced to configure
+ customized role for ironic user in keystone identity.
diff --git a/spec/classes/ironic_keystone_auth_spec.rb b/spec/classes/ironic_keystone_auth_spec.rb
index e8902d87..0ac30734 100644
--- a/spec/classes/ironic_keystone_auth_spec.rb
+++ b/spec/classes/ironic_keystone_auth_spec.rb
@@ -66,6 +66,18 @@ describe 'ironic::keystone::auth' do
 #FIXME it { should contain_keystone_endpoint('RegionOne/ironic').with_notify('Service[ironic-server]') }
 end
 
+ describe 'with overrided roles' do
+ let :params do
+ { :password => 'ironic_password',
+ :roles => ['admin', 'service']}
+ end
+
+ it { is_expected.to contain_keystone_user_role('ironic@services').with(
+ :ensure => 'present',
+ :roles => ['admin', 'service']
+ )}
+ end
+
 describe 'with endpoint parameters' do
 let :params do
 { :password => 'ironic_password',
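Review bot: The override example keeps `admin` in the list, so it cannot tell a role list that replaces the default from one that is merged with it. An extra example with `:roles => ['service']` alone, expecting exactly `:roles => ['service']` on `keystone_user_role('ironic@services')`, would pin that behaviour for deployments that want the service user to hold less than `admin`. The label would also read better as `describe 'with overridden roles' do`. The enclosing describe block starts and ends outside the hunk.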