Create barbican's creator role by default

Barbican has a very specific set of keystone roles that it uses in order
to properly enforce RBAC. One of them (and the most important) is the
creator role, which you'll assign to your users in order to allow them
to create and retrieve secrets (the other role that can do this is
admin... but we don't want to rely on this).

For usability, let's create this role automatically as part of the
TripleO installation.

Closes-Bug: #1812209
Change-Id: I9d5f912684a0987a6bdf244321215bd5595a0fa0
Juan Antonio Osorio Robles 2019-01-17 14:17:36 +02:00
parent 0a73e19d01
commit dfd408a73d

@ -319,6 +319,12 @@ class tripleo::profile::base::keystone (
class { '::keystone::roles::admin': class { '::keystone::roles::admin':
admin_roles => $admin_roles, admin_roles => $admin_roles,
} }
if hiera('barbican_api_enabled', false) {
keystone_role { 'creator':
ensure => present
}
}
} }
if $step == 3 and $manage_endpoint { if $step == 3 and $manage_endpoint {
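
Review bot: The condition `if hiera('barbican_api_enabled', false)` does an inline hiera lookup in the class body, so the dependency on Barbican does not show up in the class interface or its parameter documentation; consider exposing it as a documented class parameter whose default is that hiera call and testing the parameter here. In the new `keystone_role { 'creator':` resource, `ensure => present` has no trailing comma, which the Puppet style guide asks for on the last attribute. The block only creates the role and assigns it to no one, so a short comment above it saying that operators still have to grant `creator` to the users who need to create and retrieve secrets would make the intent clear to the next reader.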