Ensure role when to assigning a role for a service user to a project
This makes sure that the role exists when wanting to assign a service user to a role in a project. Change-Id: I92c721fc697d9cfb28ad7069d5898ca4db82897f
This commit is contained in:
parent
40c3dca374
commit
85e2dba422
|
@ -170,6 +170,13 @@ define keystone::resource::service_identity(
|
||||||
}
|
}
|
||||||
|
|
||||||
if $configure_user_role {
|
if $configure_user_role {
|
||||||
|
if $ensure == 'present' {
|
||||||
|
# NOTE(jaosorior): We only handle ensure 'present' here, since deleting a
|
||||||
|
# role might be conflicting in some cases. e.g. the deployer removing a
|
||||||
|
# role from one service but adding it to another in the same puppet run.
|
||||||
|
# So role deletion should be handled elsewhere.
|
||||||
|
ensure_resource('keystone_role', $roles, { 'ensure' => 'present' })
|
||||||
|
}
|
||||||
ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
|
ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
|
||||||
'ensure' => $ensure,
|
'ensure' => $ensure,
|
||||||
'roles' => $roles,
|
'roles' => $roles,
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Calls to the '::keystone::resource::service_identity' will automatically
|
||||||
|
create roles as needed. So if a role is specified, the resource will
|
||||||
|
make sure it exists.
|
|
@ -159,6 +159,9 @@ describe 'keystone::resource::service_identity' do
|
||||||
:email => 'neutron@localhost',
|
:email => 'neutron@localhost',
|
||||||
:domain => 'userdomain',
|
:domain => 'userdomain',
|
||||||
)}
|
)}
|
||||||
|
it { is_expected.to contain_keystone_role('admin').with(
|
||||||
|
:ensure => 'present',
|
||||||
|
)}
|
||||||
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
it { is_expected.to contain_keystone_user_role("#{title}@services").with(
|
||||||
:ensure => 'present',
|
:ensure => 'present',
|
||||||
:roles => ['admin'],
|
:roles => ['admin'],
|
||||||
|
|
Loading…
Reference in New Issue