Merge "Create swift operator keystone roles"

2013-12-20 22:43:49 +00:00 · 2013-12-20 22:43:49 +00:00 · 5b450c8e25
commit 5b450c8e25
parent af129f0a93 14a2bd8c4f
3 changed files with 44 additions and 1 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -1,3 +1,22 @@
+# == Class: swift::keystone::auth
+#
+# This class creates keystone users, services, endpoints, and roles
+# for swift services.
+#
+# The user is given the admin role in the services tenant.
+#
+# === Parameters
+# [*auth_user*]
+#  String. The name of the user.
+#  Optional. Defaults to 'swift'.
+#
+# [*password*]
+#  String. The user's password.
+#  Optional. Defaults to 'swift_password'.
+#
+# [*operator_roles*]
+#  Array of strings. List of roles Swift considers as admin.
+#
 class swift::keystone::auth(
  $auth_name         = 'swift',
  $password          = 'swift_password',
@ -6,6 +25,7 @@ class swift::keystone::auth(
  $tenant            = 'services',
  $email             = 'swift@localhost',
  $region            = 'RegionOne',
+  $operator_roles    = ['admin', 'SwiftOperator'],
  $public_protocol   = 'http',
  $public_address    = undef,
  $public_port       = undef,
@ -73,5 +93,9 @@ if $address != '127.0.0.1' {
    admin_url    => "http://${real_admin_address}:${port}",
    internal_url => "http://${real_internal_address}:${port}",
  }
+  if $operator_roles {
+    #Roles like "admin" may be defined elsewhere, so use ensure_resource
+    ensure_resource('keystone_role', $operator_roles, { 'ensure' => 'present' })
+  }

 }
--- a/manifests/proxy/keystone.pp
+++ b/manifests/proxy/keystone.pp
@ -4,8 +4,10 @@
 # == Parameters
 #  [operator_roles] a list of keystone roles a user must have to gain
 #    access to Swift.
-#    Optional. Dfeaults to ['admin', 'SwiftOperator']
+#    Optional. Defaults to ['admin', 'SwiftOperator']
 #    Must be an array of strings
+#    Swift operator roles must be defined in swift::keystone::auth because
+#    keystone API access is usually not available on Swift proxy nodes.
 #  [is_admin] Set to true to allow users to set ACLs on their account.
 #    Optional. Defaults to true.
 #
--- a/spec/classes/swift_keystone_auth_spec.rb
+++ b/spec/classes/swift_keystone_auth_spec.rb
@ -40,6 +40,10 @@ describe 'swift::keystone::auth' do
      :admin_url    => 'http://127.0.0.1:8080',
      :internal_url => 'http://127.0.0.1:8080'
    ) }
+
+    ['admin', 'SwiftOperator'].each do |role_name|
+      it { should contain_keystone_role(role_name).with_ensure('present') }
+    end
  end

  describe 'when overriding public_port, public address, admin_address and internal_address' do
@ -133,4 +137,17 @@ describe 'swift::keystone::auth' do

  end

+  describe 'when overriding operator_roles' do
+
+    let :params do
+      {
+        :operator_roles => 'foo',
+      }
+    end
+
+    it { should contain_keystone_role('foo').with(
+      :ensure       => 'present'
+    ) }
+
+  end
 end