service_identity: Fix incomplete usage of domain parameters

This fixes the ignored project_domain parameter, and also ensures the user_domain parameter is used when creating a role assignment. Closes-Bug: #2029035 Change-Id: I2a2d9c648fff1b940952700b492af6a09974ee5c
2023-07-30 20:18:56 +09:00 · 2023-07-30 20:18:56 +09:00 · 7e8c3de8ed
parent 9331acb930
commit 7e8c3de8ed
4 changed files with 106 additions and 23 deletions
--- a/manifests/resource/service_identity.pp
+++ b/manifests/resource/service_identity.pp
@ -138,16 +138,15 @@ define keystone::resource::service_identity(

  include keystone::deps

-  if $service_name == undef {
-    $service_name_real = $auth_name
-  } else {
-    $service_name_real = $service_name
-  }
+  $service_name_real = pick($service_name, $auth_name)

-  if $user_domain == undef {
-    $user_domain_real = $default_domain
-  } else {
-    $user_domain_real = $user_domain
+  $user_domain_real = $user_domain ? {
+    undef   => $default_domain,
+    default => $user_domain,
+  }
+  $project_domain_real = $project_domain ? {
+    undef   => $default_domain,
+    default => $project_domain,
  }

  if $configure_user {
@ -190,14 +189,17 @@ define keystone::resource::service_identity(

    unless empty($roles) {
      ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
-        'ensure' => $ensure,
-        'roles'  => $roles,
+        'ensure'         => $ensure,
+        'roles'          => $roles,
+        'user_domain'    => $user_domain_real,
+        'project_domain' => $project_domain_real,
      })
    }
    unless empty($system_roles) {
      ensure_resource('keystone_user_role', "${auth_name}@::::${system_scope}", {
-        'ensure' => $ensure,
-        'roles'  => $system_roles,
+        'ensure'      => $ensure,
+        'roles'       => $system_roles,
+        'user_domain' => $user_domain_real,
      })
    }
  }
--- a/releasenotes/notes/bug-2029035-943e3c24116b4149.yaml
+++ b/releasenotes/notes/bug-2029035-943e3c24116b4149.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed the ignored ``keystone::resource::service_identiry::project_domain``
+    parameter.
--- a/spec/acceptance/10_basic_keystone_spec.rb
+++ b/spec/acceptance/10_basic_keystone_spec.rb
@ -61,18 +61,28 @@ describe 'keystone server running with Apache/WSGI with resources' do
      }
      # service user exists only in the service_domain - must
      # use v3 api
-      keystone::resource::service_identity { 'civ3::service_domain':
+      keystone::resource::service_identity { 'civ3':
        service_type        => 'civ3',
        service_description => 'civ3 service',
        service_name        => 'civ3',
        password            => 'secret',
-        tenant              => 'servicesv3::service_domain',
+        tenant              => 'servicesv3',
        public_url          => 'http://127.0.0.1:1234/v3',
        admin_url           => 'http://127.0.0.1:1234/v3',
        internal_url        => 'http://127.0.0.1:1234/v3',
        user_domain         => 'service_domain',
        project_domain      => 'service_domain',
      }
+      keystone::resource::service_identity { 'civ3alt::service_domain':
+        service_type        => 'civ3alt',
+        service_description => 'civ3alt service',
+        service_name        => 'civ3alt',
+        password            => 'secret',
+        tenant              => 'servicesv3::service_domain',
+        public_url          => 'http://127.0.0.1:1234/v3',
+        admin_url           => 'http://127.0.0.1:1234/v3',
+        internal_url        => 'http://127.0.0.1:1234/v3',
+      }
      EOS

      # Run it twice and test for idempotency
@ -135,7 +145,10 @@ describe 'keystone server running with Apache/WSGI with resources' do
    describe "with v3 service with v3 credentials" do
      include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
        '--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
-
+    end
+    describe "with v3 service with v3 credentials" do
+      include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
+        '--os-username civ3alt --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
    end
  end
  describe 'composite namevar quick test' do
--- a/spec/defines/keystone_resource_service_identity_spec.rb
+++ b/spec/defines/keystone_resource_service_identity_spec.rb
@ -165,8 +165,9 @@ describe 'keystone::resource::service_identity' do
      )}

      it { is_expected.to contain_keystone_user_role("#{title}@services").with(
-        :ensure => 'present',
-        :roles  => ['admin'],
+        :ensure      => 'present',
+        :roles       => ['admin'],
+        :user_domain => 'userdomain',
      )}

      it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
@ -175,7 +176,7 @@ describe 'keystone::resource::service_identity' do
    context 'with user and project domain' do
      let :params do
        required_params.merge({
-          :user_domain => 'userdomain',
+          :user_domain    => 'userdomain',
          :project_domain => 'projdomain',
        })
      end
@ -192,8 +193,10 @@ describe 'keystone::resource::service_identity' do
      )}

      it { is_expected.to contain_keystone_user_role("#{title}@services").with(
-        :ensure => 'present',
-        :roles  => ['admin'],
+        :ensure         => 'present',
+        :roles          => ['admin'],
+        :user_domain    => 'userdomain',
+        :project_domain => 'projdomain',
      )}

      it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
@ -218,8 +221,68 @@ describe 'keystone::resource::service_identity' do
      )}

      it { is_expected.to contain_keystone_user_role("#{title}@services").with(
-        :ensure => 'present',
-        :roles  => ['admin'],
+        :ensure         => 'present',
+        :roles          => ['admin'],
+        :user_domain    => 'defaultdomain',
+        :project_domain => 'defaultdomain',
+      )}
+
+      it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
+    end
+
+    context 'with user and default domain' do
+      let :params do
+        required_params.merge({
+          :user_domain    => 'userdomain',
+          :default_domain => 'defaultdomain',
+        })
+      end
+
+      it { is_expected.to contain_keystone_user(title).with(
+        :ensure   => 'present',
+        :password => 'secrete',
+        :email    => 'neutron@localhost',
+        :domain   => 'userdomain',
+      )}
+
+      it { is_expected.to contain_keystone_domain('userdomain').with(
+        :ensure   => 'present',
+      )}
+
+      it { is_expected.to contain_keystone_user_role("#{title}@services").with(
+        :ensure         => 'present',
+        :roles          => ['admin'],
+        :user_domain    => 'userdomain',
+        :project_domain => 'defaultdomain',
+      )}
+
+      it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
+    end
+
+    context 'with project and default domain' do
+      let :params do
+        required_params.merge({
+          :project_domain => 'projdomain',
+          :default_domain => 'defaultdomain',
+        })
+      end
+
+      it { is_expected.to contain_keystone_user(title).with(
+        :ensure   => 'present',
+        :password => 'secrete',
+        :email    => 'neutron@localhost',
+        :domain   => 'defaultdomain',
+      )}
+
+      it { is_expected.to contain_keystone_domain('defaultdomain').with(
+        :ensure   => 'present',
+      )}
+
+      it { is_expected.to contain_keystone_user_role("#{title}@services").with(
+        :ensure         => 'present',
+        :roles          => ['admin'],
+        :user_domain    => 'defaultdomain',
+        :project_domain => 'projdomain',
      )}

      it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }