Add association of the admin user to a domain.

If the user specifies target_admin_domain, then the admin user will be
admin in this domain.

Change-Id: Ia0661f9ab8807a96d3c7de22de4e4624db9e7f28
Closes-bug: 1589933
Sofer Athlan-Guyot 2016-06-15 09:52:01 +02:00 committed by Athlan-Guyot sofer
parent 174d257981
commit beab6cecff
3 changed files with 45 additions and 2 deletions


@ -53,6 +53,11 @@
# Optional. Domain of the admin user # Optional. Domain of the admin user
# Defaults to undef (undef will resolve to class keystone $default_domain) # Defaults to undef (undef will resolve to class keystone $default_domain)
# #
# [*target_admin_domain*]
# Optional. Domain where the admin user will have the $admin_role
# Defaults to undef (undef will not associate the $admin_role to any
# domain, only project)
#
# [*admin_project_domain*] # [*admin_project_domain*]
# Optional. Domain of the admin tenant # Optional. Domain of the admin tenant
# Defaults to undef (undef will resolve to class keystone $default_domain) # Defaults to undef (undef will resolve to class keystone $default_domain)
@ -85,11 +90,12 @@ class keystone::roles::admin(
$admin_user_domain = undef, $admin_user_domain = undef,
$admin_project_domain = undef, $admin_project_domain = undef,
$service_project_domain = undef, $service_project_domain = undef,
$target_admin_domain = undef,
) { ) {
include ::keystone::deps include ::keystone::deps
$domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain])) $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain, $target_admin_domain]))
keystone_domain { $domains: keystone_domain { $domains:
ensure => present, ensure => present,
enabled => true, enabled => true,
@ -131,6 +137,15 @@ class keystone::roles::admin(
roles => $admin_roles, roles => $admin_roles,
} }
Keystone_user_role["${admin}@${admin_tenant}"] -> File<| tag == 'openrc' |> Keystone_user_role["${admin}@${admin_tenant}"] -> File<| tag == 'openrc' |>
if $target_admin_domain {
keystone_user_role { "${admin}@::${target_admin_domain}":
ensure => present,
user_domain => $admin_user_domain,
roles => $admin_roles,
}
Keystone_user_role["${admin}@::${target_admin_domain}"] -> File<| tag == 'openrc' |>
}
} }
} }
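Review bot: In the last hunk, `if $target_admin_domain` only tests truthiness, so the value is never validated before it is interpolated into the `keystone_user_role` title and appended to `$domains`; on parsers where an empty string is truthy (Puppet 4 semantics, as far as I know) `target_admin_domain => ''` would produce the title `admin@::`. This grant gives `$admin_roles` over an entire domain, and the `$domains` change makes `keystone_domain` create and enable that domain when it is absent, so I would validate the value near the top of the class, e.g. `if $target_admin_domain != undef { validate_string($target_admin_domain) }` together with a non-empty check. The parameter doc in the first hunk should say `$admin_roles`, which is the name the code passes, rather than `$admin_role`. It should also state the side effect, with a comment such as `# Note: the domain is created and enabled if absent; the role grant applies domain-wide.` The class body starts outside these hunks.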


@ -0,0 +1,6 @@
---
features:
- Implement `bug 1589933
<https://bugs.launchpad.net/puppet-keystone/+bug/1589933>`__ so now
one associate the admin to admin_role for an entire domain if it
uses the target_admin_domain parameter in the auth.pp class.


@ -192,5 +192,27 @@ describe 'keystone::roles::admin' do
} }
end end
it { is_expected.to contain_keystone_domain('admin_domain') } it { is_expected.to contain_keystone_domain('admin_domain') }
end end
describe 'when specifying a target admin domain' do
let :params do
{
:email => 'foo@bar',
:password => 'ChangeMe',
:admin_user_domain => 'admin_domain',
:admin_project_domain => 'admin_domain',
:target_admin_domain => 'admin_domain_target'
}
end
let(:pre_condition) { 'file { "/root/openrc": tag => ["openrc"]}' }
it { is_expected.to contain_keystone_domain('admin_domain_target') }
it { is_expected.to contain_keystone_user_role('admin@::admin_domain_target')
.with(
:roles => ['admin'],
:ensure => 'present',
:user_domain => 'admin_domain',
)
.that_comes_before('File[/root/openrc]')
}
end
end end
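Review bot: The new context covers only the positive case; nothing asserts that a catalog compiled without `target_admin_domain` contains no domain-scoped grant, which is the property that keeps the default from widening the admin user's privileges. Consider adding, in a context that leaves the parameter unset, a negative expectation such as `it { is_expected.not_to contain_keystone_user_role('admin@::admin_domain') }` (title assumed from the preceding context; adjust to its params). A case with `admin_user_domain` unset would also pin which `user_domain` the domain-wide grant receives. The enclosing `describe` starts outside the hunk.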