Customize roles assigned to ironic user

This patch introduces a new hieradata ironic::keystone::auth::roles, to configure customized role assigned to ironic user. This is required to configure service token feature, as it requires special role is assigned to the user who uses the feature. Change-Id: If7e71bb3acaaa6f74279031730b18a7f129edb51
2020-01-18 21:07:42 +09:00 · 2020-01-18 21:07:42 +09:00 · a9da71c39d
parent 2ff5722e19
commit a9da71c39d
3 changed files with 23 additions and 0 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -36,6 +36,10 @@
 #   (Optional) Tenant for Ironic user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to the ironic service user
+#   Defaults to ['admin']
+#
 # [*configure_endpoint*]
 #   (Optional) Should Ironic endpoint be configured?
 #   Defaults to true.
@ -92,6 +96,7 @@ class ironic::keystone::auth (
  $auth_name           = 'ironic',
  $email               = 'ironic@localhost',
  $tenant              = 'services',
+  $roles               = ['admin'],
  $configure_endpoint  = true,
  $configure_user      = true,
  $configure_user_role = true,
@ -124,6 +129,7 @@ class ironic::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
    public_url          => $public_url,
    internal_url        => $internal_url,
    admin_url           => $admin_url,
--- a/releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml
+++ b/releasenotes/notes/keystone-user-roles-9a21ef5f9a74777e.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    New parameter, ironic::keystone::auth::roles is introduced to configure
+    customized role for ironic user in keystone identity.
--- a/spec/classes/ironic_keystone_auth_spec.rb
+++ b/spec/classes/ironic_keystone_auth_spec.rb
@ -66,6 +66,18 @@ describe 'ironic::keystone::auth' do
      #FIXME it { should contain_keystone_endpoint('RegionOne/ironic').with_notify('Service[ironic-server]') }
    end

+    describe 'with overrided roles' do
+      let :params do
+        { :password => 'ironic_password',
+          :roles    => ['admin', 'service']}
+      end
+
+      it { is_expected.to contain_keystone_user_role('ironic@services').with(
+        :ensure  => 'present',
+        :roles   => ['admin', 'service']
+      )}
+    end
+
    describe 'with endpoint parameters' do
      let :params do
        { :password     => 'ironic_password',