service_identity: Fix incomplete usage of domain parameters
This fixes the ignored project_domain parameter, and also ensures the user_domain parameter is used when creating a role assignment. Closes-Bug: #2029035 Change-Id: I2a2d9c648fff1b940952700b492af6a09974ee5c
parent
9331acb930
commit
7e8c3de8ed
|
@ -138,16 +138,15 @@ define keystone::resource::service_identity(
|
|||
|
||||
include keystone::deps
|
||||
|
||||
if $service_name == undef {
|
||||
$service_name_real = $auth_name
|
||||
} else {
|
||||
$service_name_real = $service_name
|
||||
}
|
||||
$service_name_real = pick($service_name, $auth_name)
|
||||
|
||||
if $user_domain == undef {
|
||||
$user_domain_real = $default_domain
|
||||
} else {
|
||||
$user_domain_real = $user_domain
|
||||
$user_domain_real = $user_domain ? {
|
||||
undef => $default_domain,
|
||||
default => $user_domain,
|
||||
}
|
||||
$project_domain_real = $project_domain ? {
|
||||
undef => $default_domain,
|
||||
default => $project_domain,
|
||||
}
|
||||
|
||||
if $configure_user {
|
||||
|
@ -192,12 +191,15 @@ define keystone::resource::service_identity(
|
|||
ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
|
||||
'ensure' => $ensure,
|
||||
'roles' => $roles,
|
||||
'user_domain' => $user_domain_real,
|
||||
'project_domain' => $project_domain_real,
|
||||
})
|
||||
}
|
||||
unless empty($system_roles) {
|
||||
ensure_resource('keystone_user_role', "${auth_name}@::::${system_scope}", {
|
||||
'ensure' => $ensure,
|
||||
'roles' => $system_roles,
|
||||
'user_domain' => $user_domain_real,
|
||||
})
|
||||
}
|
||||
}
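Review bot: The `keystone_user_role` title `"${auth_name}@${tenant}"` can still carry a domain of its own (the acceptance manifest keeps `civ3alt::service_domain` with `tenant => 'servicesv3::service_domain'`), while the second hunk now also passes `user_domain` and `project_domain`, which fall back to `$default_domain`. When `default_domain` is set and differs from the domain embedded in the title, nothing visible here says which one the provider honours, so a role grant could end up on a same-named user or project in a different domain. I would document the precedence on the `user_domain` and `project_domain` parameters, e.g. `# Do not combine a '::domain' suffix in auth_name/tenant with user_domain, project_domain or default_domain.`, or fail when both forms are given. The release note also spells the define as `service_identiry`. The define's body starts and ends outside both hunks.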
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixed the ignored ``keystone::resource::service_identiry::project_domain``
|
||||
parameter.
|
|
@ -61,18 +61,28 @@ describe 'keystone server running with Apache/WSGI with resources' do
|
|||
}
|
||||
# service user exists only in the service_domain - must
|
||||
# use v3 api
|
||||
keystone::resource::service_identity { 'civ3::service_domain':
|
||||
keystone::resource::service_identity { 'civ3':
|
||||
service_type => 'civ3',
|
||||
service_description => 'civ3 service',
|
||||
service_name => 'civ3',
|
||||
password => 'secret',
|
||||
tenant => 'servicesv3::service_domain',
|
||||
tenant => 'servicesv3',
|
||||
public_url => 'http://127.0.0.1:1234/v3',
|
||||
admin_url => 'http://127.0.0.1:1234/v3',
|
||||
internal_url => 'http://127.0.0.1:1234/v3',
|
||||
user_domain => 'service_domain',
|
||||
project_domain => 'service_domain',
|
||||
}
|
||||
keystone::resource::service_identity { 'civ3alt::service_domain':
|
||||
service_type => 'civ3alt',
|
||||
service_description => 'civ3alt service',
|
||||
service_name => 'civ3alt',
|
||||
password => 'secret',
|
||||
tenant => 'servicesv3::service_domain',
|
||||
public_url => 'http://127.0.0.1:1234/v3',
|
||||
admin_url => 'http://127.0.0.1:1234/v3',
|
||||
internal_url => 'http://127.0.0.1:1234/v3',
|
||||
}
|
||||
EOS
|
||||
|
||||
# Run it twice and test for idempotency
|
||||
|
@ -135,7 +145,10 @@ describe 'keystone server running with Apache/WSGI with resources' do
|
|||
describe "with v3 service with v3 credentials" do
|
||||
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
|
||||
'--os-username civ3 --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
|
||||
|
||||
end
|
||||
describe "with v3 service with v3 credentials" do
|
||||
include_examples 'keystone user/tenant/service/role/endpoint resources using v3 API',
|
||||
'--os-username civ3alt --os-password secret --os-project-name servicesv3 --os-user-domain-name service_domain --os-project-domain-name service_domain'
|
||||
end
|
||||
end
|
||||
describe 'composite namevar quick test' do
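Review bot: Both example groups in the last hunk of this section are named `with v3 service with v3 credentials`, so a failure report does not say whether the `civ3` identity (domains passed as parameters) or the `civ3alt` identity (domain embedded in the title) broke. Distinct descriptions would make the two code paths visible in the output, for example `describe "with v3 service using domain parameters" do` and `describe "with v3 service using domain in title" do`. The surrounding `describe` block starts outside the hunk.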
|
||||
|
|
|
@ -167,6 +167,7 @@ describe 'keystone::resource::service_identity' do
|
|||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
:user_domain => 'userdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
|
||||
|
@ -194,6 +195,8 @@ describe 'keystone::resource::service_identity' do
|
|||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
:user_domain => 'userdomain',
|
||||
:project_domain => 'projdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
|
||||
|
@ -220,6 +223,66 @@ describe 'keystone::resource::service_identity' do
|
|||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
:user_domain => 'defaultdomain',
|
||||
:project_domain => 'defaultdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
|
||||
end
|
||||
|
||||
context 'with user and default domain' do
|
||||
let :params do
|
||||
required_params.merge({
|
||||
:user_domain => 'userdomain',
|
||||
:default_domain => 'defaultdomain',
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_keystone_user(title).with(
|
||||
:ensure => 'present',
|
||||
:password => 'secrete',
|
||||
:email => 'neutron@localhost',
|
||||
:domain => 'userdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_keystone_domain('userdomain').with(
|
||||
:ensure => 'present',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
:user_domain => 'userdomain',
|
||||
:project_domain => 'defaultdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
|
||||
end
|
||||
|
||||
context 'with project and default domain' do
|
||||
let :params do
|
||||
required_params.merge({
|
||||
:project_domain => 'projdomain',
|
||||
:default_domain => 'defaultdomain',
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_keystone_user(title).with(
|
||||
:ensure => 'present',
|
||||
:password => 'secrete',
|
||||
:email => 'neutron@localhost',
|
||||
:domain => 'defaultdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_keystone_domain('defaultdomain').with(
|
||||
:ensure => 'present',
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
:user_domain => 'defaultdomain',
|
||||
:project_domain => 'projdomain',
|
||||
)}
|
||||
|
||||
it { is_expected.to_not contain_keystone_user_role("#{title}@::::all") }
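Review bot: Every context in these hunks only asserts `is_expected.to_not contain_keystone_user_role("#{title}@::::all")`, so the `user_domain` that the manifest now passes to the system-scope role assignment is not checked by any expectation shown here. A context that sets `system_roles` together with `user_domain` would pin that branch, with an expectation such as `it { is_expected.to contain_keystone_user_role("#{title}@::::all").with(:roles => ['admin'], :user_domain => 'userdomain') }`. Without it, a regression that drops the domain from the system-scope grant would pass this spec. The last context continues past the end of the hunk.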
|
||||
|
|