diff --git a/manifests/roles/admin.pp b/manifests/roles/admin.pp
index 5f4dbbcfc..b78c7ccaa 100644
--- a/manifests/roles/admin.pp
+++ b/manifests/roles/admin.pp
@@ -53,6 +53,11 @@
 # Optional. Domain of the admin user
 # Defaults to undef (undef will resolve to class keystone $default_domain)
 #
+# [*target_admin_domain*]
+# Optional. Domain where the admin user will have the $admin_role
+# Defaults to undef (undef will not associate the $admin_role to any
+# domain, only project)
+#
 # [*admin_project_domain*]
 # Optional. Domain of the admin tenant
 # Defaults to undef (undef will resolve to class keystone $default_domain)
@@ -85,11 +90,12 @@ class keystone::roles::admin(
 $admin_user_domain = undef,
 $admin_project_domain = undef,
 $service_project_domain = undef,
+ $target_admin_domain = undef,
 ) {
 include ::keystone::deps
- $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain]))
+ $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain, $target_admin_domain]))
 keystone_domain { $domains:
 ensure => present,
 enabled => true,
@@ -133,6 +139,15 @@ class keystone::roles::admin(
 Keystone_tenant[$admin_tenant] -> Keystone_user_role["${admin}@${admin_tenant}"]
 Keystone_user<| title == $admin |> -> Keystone_user_role["${admin}@${admin_tenant}"]
 Keystone_user_role["${admin}@${admin_tenant}"] -> File<| tag == 'openrc' |>
+
+ if $target_admin_domain {
+ keystone_user_role { "${admin}@::${target_admin_domain}":
+ ensure => present,
+ user_domain => $admin_user_domain,
+ roles => $admin_roles,
+ }
+ Keystone_user_role["${admin}@::${target_admin_domain}"] -> File<| tag == 'openrc' |>
+ }
 }
 }
diff --git a/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml b/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml
new file mode 100644
index 000000000..385ac4c7e
--- /dev/null
+++ b/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml
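Review bot: Appending `$target_admin_domain` to `$domains` in the second hunk means the `keystone_domain { $domains: ensure => present, enabled => true,` declaration will also create the target domain, or re-enable it if an operator had disabled it. The parameter documentation added in the first hunk mentions neither effect, nor that the grant covers the whole domain rather than one project. I would extend the `[*target_admin_domain*]` comment with something like `#   The domain is created and enabled if needed, and $admin_roles is granted on the entire domain.` The `keystone_domain` resource body continues past the end of the hunk, so further attributes may apply to the target domain as well.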
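Review bot: The domain-scoped `keystone_user_role` added inside `if $target_admin_domain` in the third hunk is ordered only before the openrc `File`, whereas the project-scoped grant just above it is explicitly ordered after `Keystone_tenant[$admin_tenant]` and `Keystone_user<| title == $admin |>`. Unless the type autorequires its user and domain (not visible here), the new grant could be evaluated before either exists. For consistency I would add `Keystone_user<| title == $admin |> -> Keystone_user_role["${admin}@::${target_admin_domain}"]` and `Keystone_domain[$target_admin_domain] -> Keystone_user_role["${admin}@::${target_admin_domain}"]`. The enclosing conditional opens outside the hunk, so which settings gate this block cannot be confirmed from here.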
@@ -0,0 +1,6 @@
+---
+features:
+ - Implement `bug 1589933
+ `__ so now
+ one associate the admin to admin_role for an entire domain if it
+ uses the target_admin_domain parameter in the auth.pp class.
diff --git a/spec/classes/keystone_roles_admin_spec.rb b/spec/classes/keystone_roles_admin_spec.rb
index f55bd721a..4f294b540 100644
--- a/spec/classes/keystone_roles_admin_spec.rb
+++ b/spec/classes/keystone_roles_admin_spec.rb
@@ -192,5 +192,27 @@ describe 'keystone::roles::admin' do
 }
 end
 it { is_expected.to contain_keystone_domain('admin_domain') }
- end
+ end
+
+ describe 'when specifying a target admin domain' do
+ let :params do
+ {
+ :email => 'foo@bar',
+ :password => 'ChangeMe',
+ :admin_user_domain => 'admin_domain',
+ :admin_project_domain => 'admin_domain',
+ :target_admin_domain => 'admin_domain_target'
+ }
+ end
+ let(:pre_condition) { 'file { "/root/openrc": tag => ["openrc"]}' }
+ it { is_expected.to contain_keystone_domain('admin_domain_target') }
+ it { is_expected.to contain_keystone_user_role('admin@::admin_domain_target')
+ .with(
+ :roles => ['admin'],
+ :ensure => 'present',
+ :user_domain => 'admin_domain',
+ )
+ .that_comes_before('File[/root/openrc]')
+ }
+ end
 end
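Review bot: The new `describe 'when specifying a target admin domain'` block only covers the case where `:target_admin_domain` is set, so nothing in this hunk fails if a later change declares the domain-wide grant unconditionally. Because that grant is broader than the project-scoped one, a context that leaves the parameter unset should assert that it is absent, for example `it { is_expected.to have_keystone_user_role_resource_count(1) }`, assuming only the project-scoped grant is declared by default. The earlier contexts of this spec lie outside the hunk, so such a check may already exist there.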