From 1c64c2c07bcadefbb74c55fc21b6a2c7e3727e68 Mon Sep 17 00:00:00 2001
From: Sofer Athlan-Guyot <sathlang@redhat.com>
Date: Thu, 18 Oct 2018 18:49:35 +0200
Subject: [PATCH] Enable _member_ role for undercloud install.

During upgrade, as we don't use instack_undercloud anymore, we missing
the _member_ role to the admin user.

This creates the necessary hooks in tht to have the member role
created during upgrade (and install for that matter).

This passes on the keystone_enable_member to puppet-tripleo, but it
needs a patch there as well for this mechanism to fully work.

Change-Id: I2319ed876eba7f21c0e80444bf78ca080fef252a
Depends-On: https://review.openstack.org/611919
Partial-Bug: #1799177
---
 environments/undercloud.yaml  | 1 +
 puppet/services/keystone.yaml | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index f590095eb3..fc98e1b393 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -43,6 +43,7 @@ parameter_defaults:
   KernelIpForward: 1
   KernelIpNonLocalBind: 1
   KeystoneCorsAllowedOrigin: '*'
+  KeystoneEnableMember: true
   # Increase the Token expiration time until we fix the actual session bug:
   # https://bugs.launchpad.net/tripleo/+bug/1761050
   TokenExpiration: 14400
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index ace2487b74..bdd5ae474f 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -284,6 +284,10 @@ parameters:
     default: ''
     description: Indicate whether this resource may be shared with the domain received in the request
                  "origin" header.
+  KeystoneEnableMember:
+    description: Create the _member_ role, useful for undercloud deployment.
+    type: boolean
+    default: False
 
 parameter_groups:
 - label: deprecated
@@ -341,6 +345,7 @@ outputs:
             - cors_allowed_origin_unset
             - {}
             - keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
+          - keystone_enable_member: {get_param: KeystoneEnableMember}
           - keystone::database_connection:
               make_url:
                 scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}