openstack/puppet-keystone
Code Issues Proposed changes

service_identity: Fix incomplete usage of domain parameters

Browse Source 
This fixes the ignored project_domain parameter, and also ensures
the user_domain parameter is used when creating a role assignment.

Closes-Bug: #2029035
Change-Id: I2a2d9c648fff1b940952700b492af6a09974ee5c
This commit is contained in:
Takashi Kajinami
2023-07-30 20:18:56 +09:00
parent 9331acb930
commit 7e8c3de8ed
4 changed files with 106 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
manifests/resource/service_identity.pp
View File

@@ -138,16 +138,15 @@ define keystone::resource::service_identity(
include keystone::deps include keystone::deps
if $service_name == undef { $service_name_real = pick($service_name, $auth_name)
$service_name_real = $auth_name
} else {
$service_name_real = $service_name
}
if $user_domain == undef { $user_domain_real = $user_domain ? {
$user_domain_real = $default_domain undef => $default_domain,
} else { default => $user_domain,
$user_domain_real = $user_domain }
$project_domain_real = $project_domain ? {
undef => $default_domain,
default => $project_domain,
} }
if $configure_user { if $configure_user {
@@ -190,14 +189,17 @@ define keystone::resource::service_identity(
unless empty($roles) { unless empty($roles) {
ensure_resource('keystone_user_role', "${auth_name}@${tenant}", { ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
'ensure' => $ensure, 'ensure' => $ensure,
'roles' => $roles, 'roles' => $roles,
'user_domain' => $user_domain_real,
'project_domain' => $project_domain_real,
}) })
} }
unless empty($system_roles) { unless empty($system_roles) {
ensure_resource('keystone_user_role', "${auth_name}@::::${system_scope}", { ensure_resource('keystone_user_role', "${auth_name}@::::${system_scope}", {
'ensure' => $ensure, 'ensure' => $ensure,
'roles' => $system_roles, 'roles' => $system_roles,
'user_domain' => $user_domain_real,
}) })
} }
} }

5
releasenotes/notes/bug-2029035-943e3c24116b4149.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
fixes:
- |
Fixed the ignored ``keystone::resource::service_identiry::project_domain``
parameter.

19
spec/acceptance/10_basic_keystone_spec.rb
View File

@@ -61,18 +61,28 @@ describe 'keystone server running with Apache/WSGI with resources' do
} }
# service user exists only in the service_domain - must # service user exists only in the service_domain - must
# use v3 api # use v3 api
keystone::resource::service_identity { 'civ3::service_domain': keystone::resource::service_identity { 'civ3':
service_type => 'civ3', service_type => 'civ3',
service_description => 'civ3 service', service_description => 'civ3 service',
service_name => 'civ3', service_name => 'civ3',
password => 'secret', password => 'secret',
tenant => 'servicesv3::service_domain', tenant => 'servicesv3',
public_url => 'http://127.0.0.1:1234/v3', public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3', admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3', internal_url => 'http://127.0.0.1:1234/v3',
user_domain => 'service_domain', user_domain => 'service_domain',
project_domain => 'service_domain', project_domain => 'service_domain',
} }
keystone::resource::service_identity { 'civ3alt::service_domain':
service_type => 'civ3alt',
service_description => 'civ3alt service',
service_name => 'civ3alt',
password => 'secret',
tenant => 'servicesv3::service_domain',
public_url => 'http://127.0.0.1:1234/v3',
admin_url => 'http://127.0.0.1:1234/v3',
internal_url => 'http://127.0.0.1:1234/v3',
}
EOS EOS
# Run it twice and test for idempotency # Run it twice and test for idempotency
@@ -135,7 +145,10 @@ describe 'keystone server running with Apache/WSGI with resources' do
describe "with v3 service with v3 credentials" do describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API', include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain' '--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end
describe "with v3 service with v3 credentials" do
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
'--os-username civ3alt --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
end end
end end
describe 'composite namevar quick test' do describe 'composite namevar quick test' do

77
spec/defines/keystone_resource_service_identity_spec.rb
View File

@@ -165,8 +165,9 @@ describe 'keystone::resource::service_identity' do
)} )}
it { is_expected.to contain_keystone_user_role("#{title}@services").with( it { is_expected.to contain_keystone_user_role("#{title}@services").with(
:ensure => 'present', :ensure => 'present',
:roles => ['admin'], :roles => ['admin'],
:user_domain => 'userdomain',
)} )}
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") } it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
@@ -175,7 +176,7 @@ describe 'keystone::resource::service_identity' do
context 'with user and project domain' do context 'with user and project domain' do
let :params do let :params do
required_params.merge({ required_params.merge({
:user_domain => 'userdomain', :user_domain => 'userdomain',
:project_domain => 'projdomain', :project_domain => 'projdomain',
}) })
end end
@@ -192,8 +193,10 @@ describe 'keystone::resource::service_identity' do
)} )}
it { is_expected.to contain_keystone_user_role("#{title}@services").with( it { is_expected.to contain_keystone_user_role("#{title}@services").with(
:ensure => 'present', :ensure => 'present',
:roles => ['admin'], :roles => ['admin'],
:user_domain => 'userdomain',
:project_domain => 'projdomain',
)} )}
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") } it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
@@ -218,8 +221,68 @@ describe 'keystone::resource::service_identity' do
)} )}
it { is_expected.to contain_keystone_user_role("#{title}@services").with( it { is_expected.to contain_keystone_user_role("#{title}@services").with(
:ensure => 'present', :ensure => 'present',
:roles => ['admin'], :roles => ['admin'],
:user_domain => 'defaultdomain',
:project_domain => 'defaultdomain',
)}
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
end
context 'with user and default domain' do
let :params do
required_params.merge({
:user_domain => 'userdomain',
:default_domain => 'defaultdomain',
})
end
it { is_expected.to contain_keystone_user(title).with(
:ensure => 'present',
:password => 'secrete',
:email => 'neutron@localhost',
:domain => 'userdomain',
)}
it { is_expected.to contain_keystone_domain('userdomain').with(
:ensure => 'present',
)}
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
:ensure => 'present',
:roles => ['admin'],
:user_domain => 'userdomain',
:project_domain => 'defaultdomain',
)}
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
end
context 'with project and default domain' do
let :params do
required_params.merge({
:project_domain => 'projdomain',
:default_domain => 'defaultdomain',
})
end
it { is_expected.to contain_keystone_user(title).with(
:ensure => 'present',
:password => 'secrete',
:email => 'neutron@localhost',
:domain => 'defaultdomain',
)}
it { is_expected.to contain_keystone_domain('defaultdomain').with(
:ensure => 'present',
)}
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
:ensure => 'present',
:roles => ['admin'],
:user_domain => 'defaultdomain',
:project_domain => 'projdomain',
)} )}
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") } it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }