Ensure role when to assigning a role for a service user to a project
This makes sure that the role exists when wanting to assign a service user to a role in a project. Change-Id: I92c721fc697d9cfb28ad7069d5898ca4db82897f
This commit is contained in:
parent
40c3dca374
commit
85e2dba422
|
@ -170,6 +170,13 @@ define keystone::resource::service_identity(
|
|||
}
|
||||
|
||||
if $configure_user_role {
|
||||
if $ensure == 'present' {
|
||||
# NOTE(jaosorior): We only handle ensure 'present' here, since deleting a
|
||||
# role might be conflicting in some cases. e.g. the deployer removing a
|
||||
# role from one service but adding it to another in the same puppet run.
|
||||
# So role deletion should be handled elsewhere.
|
||||
ensure_resource('keystone_role', $roles, { 'ensure' => 'present' })
|
||||
}
|
||||
ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
|
||||
'ensure' => $ensure,
|
||||
'roles' => $roles,
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- Calls to the '::keystone::resource::service_identity' will automatically
|
||||
create roles as needed. So if a role is specified, the resource will
|
||||
make sure it exists.
|
|
@ -159,6 +159,9 @@ describe 'keystone::resource::service_identity' do
|
|||
:email => 'neutron@localhost',
|
||||
:domain => 'userdomain',
|
||||
)}
|
||||
it { is_expected.to contain_keystone_role('admin').with(
|
||||
:ensure => 'present',
|
||||
)}
|
||||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin'],
|
||||
|
|
Loading…
Reference in New Issue