Customize roles assigned to nova user

This patch introduces a new hieradata nova::keystone::auth::roles,
to configure customized role assigned to nova user.

This is required to configure service token feature, as it requires
special role is assigned to the user who uses the feature.

Change-Id: I00021bac80d09258bf1c1c040adb835b4294df19

manifests/keystone/auth.pp

@@ -39,6 +39,10 @@
 #   (Optional) The tenant to use for the nova service user
 #   Defaults to 'services'
 #
+# [*roles*]
+#   (Optional) List of roles assigned to the nova service user
+#   Defaults to ['admin']
+#
 # [*email*]
 #   (Optional) The email address for the nova service user
 #   Defaults to 'nova@localhost'
@@ -62,6 +66,7 @@ class nova::keystone::auth(
   $service_description     = 'Openstack Compute Service',
   $region                  = 'RegionOne',
   $tenant                  = 'services',
+  $roles                   = ['admin'],
   $email                   = 'nova@localhost',
   $public_url              = 'http://127.0.0.1:8774/v2.1',
   $internal_url            = 'http://127.0.0.1:8774/v2.1',
@@ -90,6 +95,7 @@ class nova::keystone::auth(
     password            => $password,
     email               => $email,
     tenant              => $tenant,
+    roles               => $roles,
     public_url          => $public_url,
     admin_url           => $admin_url,
     internal_url        => $internal_url,

manifests/keystone/authtoken.pp

@@ -161,6 +161,16 @@
 #   (in seconds). Set to -1 to disable caching completely. Integer value
 #   Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+#  (Optional) A choice of roles that must be present in a service token.
+#  Service tokens are allowed to request that an expired token
+#  can be used and so this check should tightly control that
+#  only actual services should be sending this token. Roles
+#  here are applied as an ANY check so any role in this list
+#  must be present. For backwards compatibility reasons this
+#  currently only affects the allow_expired check. (list value)
+#  Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 #   (optional) backwards compatibility to ensure that the service tokens are
 #   compared against a list of possible roles for validity
@@ -219,6 +229,7 @@ class nova::keystone::authtoken(
   $manage_memcache_package        = false,
   $region_name                    = $::os_service_default,
   $token_cache_time               = $::os_service_default,
+  $service_token_roles            = $::os_service_default,
   $service_token_roles_required   = $::os_service_default,
   # DEPRECATED PARAMETERS
   $check_revocations_for_cached   = undef,
@@ -272,6 +283,7 @@ class nova::keystone::authtoken(
     manage_memcache_package        => $manage_memcache_package,
     region_name                    => $region_name,
     token_cache_time               => $token_cache_time,
+    service_token_roles            => $service_token_roles,
     service_token_roles_required   => $service_token_roles_required,
   }
 }

releasenotes/notes/keystone_authtoken-service_token_roles-12dbba5484efb7c6.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    New hieradata, nova::keystone::authtoken::service_token_roles, is
+    introduced so that specific role can be assigned to the service user
+    who can use service token feature.
+  - |
+    New hieradata, nova::keystone::roles is introduced to configure customized
+    role for nova user in keystone identity.

spec/classes/nova_keystone_auth_spec.rb

@@ -46,6 +46,17 @@ describe 'nova::keystone::auth' do
       )}
     end
 
+    context 'when overriding roles' do
+      before do
+        params.merge!( :roles => ['admin', 'service'] )
+      end
+
+      it { should contain_keystone_user_role('nova@services').with(
+        :ensure => 'present',
+        :roles  => ['admin', 'service']
+      )}
+    end
+
     context 'when setting auth name' do
       before do
         params.merge!( :auth_name => 'foo' )

spec/classes/nova_keystone_authtoken_spec.rb

@@ -42,6 +42,7 @@ describe 'nova::keystone::authtoken' do
         is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
       end
     end
@@ -83,7 +84,8 @@ describe 'nova::keystone::authtoken' do
           :manage_memcache_package              => true,
           :region_name                          => 'region2',
           :token_cache_time                     => '301',
-          :service_token_roles_required         => false,
+          :service_token_roles                  => ['service'],
+          :service_token_roles_required         => true,
         })
       end
 
@@ -119,6 +121,7 @@ describe 'nova::keystone::authtoken' do
         is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
         is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value(params[:region_name])
         is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+        is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
         is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
       end