Merge "Add association of the admin user to a domain."

manifests/roles/admin.pp

@@ -53,6 +53,11 @@
 #   Optional.  Domain of the admin user
 #   Defaults to undef (undef will resolve to class keystone $default_domain)
 #
+# [*target_admin_domain*]
+#   Optional.  Domain where the admin user will have the $admin_role
+#   Defaults to undef (undef will not associate the $admin_role to any
+#   domain, only project)
+#
 # [*admin_project_domain*]
 #   Optional.  Domain of the admin tenant
 #   Defaults to undef (undef will resolve to class keystone $default_domain)
@@ -85,11 +90,12 @@ class keystone::roles::admin(
   $admin_user_domain      = undef,
   $admin_project_domain   = undef,
   $service_project_domain = undef,
+  $target_admin_domain    = undef,
 ) {
 
   include ::keystone::deps
 
-  $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain]))
+  $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain, $target_admin_domain]))
   keystone_domain { $domains:
     ensure  => present,
     enabled => true,
@@ -133,6 +139,15 @@ class keystone::roles::admin(
     Keystone_tenant[$admin_tenant] -> Keystone_user_role["${admin}@${admin_tenant}"]
     Keystone_user<| title == $admin |> -> Keystone_user_role["${admin}@${admin_tenant}"]
     Keystone_user_role["${admin}@${admin_tenant}"] -> File<| tag == 'openrc' |>
+
+    if $target_admin_domain {
+      keystone_user_role { "${admin}@::${target_admin_domain}":
+        ensure      => present,
+        user_domain => $admin_user_domain,
+        roles       => $admin_roles,
+      }
+      Keystone_user_role["${admin}@::${target_admin_domain}"] -> File<| tag == 'openrc' |>
+    }
   }
 
 }

releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - Implement `bug 1589933
+    <https://bugs.launchpad.net/puppet-keystone/+bug/1589933>`__ so now
+    one associate the admin to admin_role for an entire domain if it
+    uses the target_admin_domain parameter in the auth.pp class.

spec/classes/keystone_roles_admin_spec.rb

@@ -192,5 +192,27 @@ describe 'keystone::roles::admin' do
       }
     end
    it { is_expected.to contain_keystone_domain('admin_domain') }
-   end
+  end
+
+  describe 'when specifying a target admin domain' do
+    let :params do
+      {
+        :email                  => 'foo@bar',
+        :password               => 'ChangeMe',
+        :admin_user_domain      => 'admin_domain',
+        :admin_project_domain   => 'admin_domain',
+        :target_admin_domain    => 'admin_domain_target'
+      }
+    end
+    let(:pre_condition) { 'file { "/root/openrc": tag => ["openrc"]}' }
+    it { is_expected.to contain_keystone_domain('admin_domain_target') }
+    it { is_expected.to contain_keystone_user_role('admin@::admin_domain_target')
+             .with(
+               :roles          => ['admin'],
+               :ensure         => 'present',
+               :user_domain    => 'admin_domain',
+             )
+             .that_comes_before('File[/root/openrc]')
+    }
+  end
 end