From c1102fd5e34af55d9cac01bae6b021ff0cceba04 Mon Sep 17 00:00:00 2001 From: Mike Dorman Date: Wed, 10 Sep 2014 11:06:43 -0500 Subject: [PATCH] Make user creation optional when creating service. In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added a parameter configure_user (defaults to true). Closes-Bug: 1360232 Change-Id: Ia17fa32744bd951eac3307a858917ac1ba3be37c --- manifests/keystone/auth.pp | 67 ++++++++++++--------- manifests/keystone/auth_cfn.pp | 67 ++++++++++++--------- spec/classes/heat_keystone_auth_cfn_spec.rb | 33 ++++++++++ spec/classes/heat_keystone_auth_spec.rb | 33 ++++++++++ 4 files changed, 144 insertions(+), 56 deletions(-) diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index 6205de39e..3302cca81 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -16,6 +16,12 @@ # [*configure_endpoint*] # Should heat endpoint be configured? Optional. Defaults to 'true'. # +# [*configure_user*] +# Whether to create the service user. Defaults to 'true'. +# +# [*configure_user_role*] +# Whether to configure the admin role for teh service user. Defaults to 'true'. +# # [*service_name*] # Name of the service. Options. Defaults to the value of auth_name. # 
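Review bot: The added `configure_user_role` entry in the auth.pp header has a typo (`teh`) and, like the new `configure_user` entry, drops the `Optional.` marker that the neighbouring parameter descriptions carry. Suggested wording: `# Whether to create the service user. Optional. Defaults to 'true'.` and `# Whether to grant the admin role to the service user. Optional. Defaults to 'true'.` The auth_cfn.pp header has the same missing marker, without the typo.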
@@ -47,22 +53,24 @@ # Protocol for public endpoint. Optional. Defaults to 'http'. # class heat::keystone::auth ( - $password = false, - $email = 'heat@localhost', - $auth_name = 'heat', - $service_name = undef, - $service_type = 'orchestration', - $public_address = '127.0.0.1', - $admin_address = '127.0.0.1', - $internal_address = '127.0.0.1', - $port = '8004', - $version = 'v1', - $region = 'RegionOne', - $tenant = 'services', - $public_protocol = 'http', - $admin_protocol = 'http', - $internal_protocol = 'http', - $configure_endpoint = true, + $password = false, + $email = 'heat@localhost', + $auth_name = 'heat', + $service_name = undef, + $service_type = 'orchestration', + $public_address = '127.0.0.1', + $admin_address = '127.0.0.1', + $internal_address = '127.0.0.1', + $port = '8004', + $version = 'v1', + $region = 'RegionOne', + $tenant = 'services', + $public_protocol = 'http', + $admin_protocol = 'http', + $internal_protocol = 'http', + $configure_endpoint = true, + $configure_user = true, + $configure_user_role = true, ) { validate_string($password) @@ -73,19 +81,23 @@ $real_service_name = $service_name } - Keystone_user_role["${auth_name}@${tenant}"] ~> - Service <| name == 'heat-api' |> - - keystone_user { $auth_name: - ensure => present, - password => $password, - email => $email, - tenant => $tenant, + if $configure_user { + keystone_user { $auth_name: + ensure => present, + password => $password, + email => $email, + tenant => $tenant, + } } - keystone_user_role { "${auth_name}@${tenant}": - ensure => present, - roles => ['admin'], + if $configure_user_role { + Keystone_user_role["${auth_name}@${tenant}"] ~> + Service <| name == 'heat-api' |> + + keystone_user_role { "${auth_name}@${tenant}": + ensure => present, + roles => ['admin'], + } } keystone_role { 'heat_stack_user': @@ -106,4 +118,3 @@ } } } - diff --git a/manifests/keystone/auth_cfn.pp b/manifests/keystone/auth_cfn.pp index cc6d11652..36c0fa083 100644 --- a/manifests/keystone/auth_cfn.pp 
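Review bot: `validate_string($password)` at the end of the parameter hunk still runs when `configure_user` is false, so a caller who skips user creation must still pass a password string that is never used. The default `false` is presumably rejected by validate_string; confirm this against the stdlib version in use. The effect is a dummy or real secret sitting in manifests or Hiera for no purpose. Gating the check would avoid that: `if $configure_user { validate_string($password) }`. The class body continues outside the hunk, and auth_cfn.pp has the same line.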
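Review bot: With `configure_user => false` and the default `configure_user_role => true`, the `keystone_user_role` block in the `@@ -73,19 +81,23 @@` hunk still grants `admin` to whatever account named `${auth_name}` exists in the backend. That is an identity this class no longer creates or sets a password for. In the read-only LDAP case from the commit message, the admin grant then depends on who controls that directory entry. At minimum add a comment above the block, e.g. `# Grants 'admin' to an externally managed account when configure_user is false`. Whether the hard-coded `roles => ['admin']` is needed at all would be worth a follow-up. The matching hunk in auth_cfn.pp has the same behaviour.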
+++ b/manifests/keystone/auth_cfn.pp @@ -16,6 +16,12 @@ # [*configure_endpoint*] # Should heat-cfn endpoint be configured? Optional. Defaults to 'true'. # +# [*configure_user*] +# Whether to create the service user. Defaults to 'true'. +# +# [*configure_user_role*] +# Whether to configure the admin role for the service user. Defaults to 'true'. +# # [*service_name*] # Name of the service. Optional. Defaults to the value of auth_name. # @@ -47,22 +53,24 @@ # Protocol for public endpoint. Optional. Defaults to 'http'. # class heat::keystone::auth_cfn ( - $password = false, - $email = 'heat-cfn@localhost', - $auth_name = 'heat-cfn', - $service_name = undef, - $service_type = 'cloudformation', - $public_address = '127.0.0.1', - $admin_address = '127.0.0.1', - $internal_address = '127.0.0.1', - $port = '8000', - $version = 'v1', - $region = 'RegionOne', - $tenant = 'services', - $public_protocol = 'http', - $admin_protocol = 'http', - $internal_protocol = 'http', - $configure_endpoint = true, + $password = false, + $email = 'heat-cfn@localhost', + $auth_name = 'heat-cfn', + $service_name = undef, + $service_type = 'cloudformation', + $public_address = '127.0.0.1', + $admin_address = '127.0.0.1', + $internal_address = '127.0.0.1', + $port = '8000', + $version = 'v1', + $region = 'RegionOne', + $tenant = 'services', + $public_protocol = 'http', + $admin_protocol = 'http', + $internal_protocol = 'http', + $configure_endpoint = true, + $configure_user = true, + $configure_user_role = true, ) { validate_string($password) 
@@ -73,19 +81,23 @@ $real_service_name = $service_name } - Keystone_user_role["${auth_name}@${tenant}"] ~> - Service <| name == 'heat-api-cfn' |> - - keystone_user { $auth_name: - ensure => present, - password => $password, - email => $email, - tenant => $tenant, + if $configure_user { + keystone_user { $auth_name: + ensure => present, + password => $password, + email => $email, + tenant => $tenant, + } } - keystone_user_role { "${auth_name}@${tenant}": - ensure => present, - roles => ['admin'], + if $configure_user_role { + Keystone_user_role["${auth_name}@${tenant}"] ~> + Service <| name == 'heat-api-cfn' |> + + keystone_user_role { "${auth_name}@${tenant}": + ensure => present, + roles => ['admin'], + } } keystone_service { $real_service_name: @@ -102,4 +114,3 @@ } } } - diff --git a/spec/classes/heat_keystone_auth_cfn_spec.rb b/spec/classes/heat_keystone_auth_cfn_spec.rb index 8813f4016..d81b3dcea 100644 --- a/spec/classes/heat_keystone_auth_cfn_spec.rb +++ b/spec/classes/heat_keystone_auth_cfn_spec.rb @@ -99,4 +99,37 @@ end end + context 'when disabling user configuration' do + before do + params.merge!( :configure_user => false ) + end + + it { should_not contain_keystone_user('heat_cfn') } + it { should contain_keystone_user_role('heat-cfn@services') } + + it { should contain_keystone_service('heat-cfn').with( + :ensure => 'present', + :type => 'cloudformation', + :description => 'Openstack Cloudformation Service' + )} + end + + context 'when disabling user and role configuration' do + before do + params.merge!( + :configure_user => false, + :configure_user_role => false + ) + end + + it { should_not contain_keystone_user('heat_cfn') } + it { should_not contain_keystone_user_role('heat-cfn@services') } + + it { should contain_keystone_service('heat-cfn').with( + :ensure => 'present', + :type => 'cloudformation', + :description => 'Openstack Cloudformation Service' + )} + end + end 
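Review bot: Both new contexts in heat_keystone_auth_cfn_spec.rb assert `should_not contain_keystone_user('heat_cfn')` with an underscore, while the role and service assertions beside them use `heat-cfn`. If the user resource is titled `heat-cfn` (the class default for `auth_name`), the negative assertion passes whether or not `configure_user` is honoured, so the new switch is effectively untested for this class. Change both lines to `it { should_not contain_keystone_user('heat-cfn') }`. The `params` hash is defined outside the hunk, so confirm it does not override `auth_name`.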
diff --git a/spec/classes/heat_keystone_auth_spec.rb b/spec/classes/heat_keystone_auth_spec.rb index 8f546bf2c..dd02f88c7 100644 --- a/spec/classes/heat_keystone_auth_spec.rb +++ b/spec/classes/heat_keystone_auth_spec.rb @@ -107,4 +107,37 @@ end end + context 'when disabling user configuration' do + before do + params.merge!( :configure_user => false ) + end + + it { should_not contain_keystone_user('heat') } + it { should contain_keystone_user_role('heat@services') } + + it { should contain_keystone_service('heat').with( + :ensure => 'present', + :type => 'orchestration', + :description => 'Openstack Orchestration Service' + )} + end + + context 'when disabling user and role configuration' do + before do + params.merge!( + :configure_user => false, + :configure_user_role => false + ) + end + + it { should_not contain_keystone_user('heat') } + it { should_not contain_keystone_user_role('heat@services') } + + it { should contain_keystone_service('heat').with( + :ensure => 'present', + :type => 'orchestration', + :description => 'Openstack Orchestration Service' + )} + end + end
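Review bot: The two added contexts cover `configure_user => false` alone and both switches off, but not `configure_user_role => false` on its own. The branch where the service user is created without the admin grant is therefore never exercised, and that is the least-privilege path an operator is most likely to want verified. A third context that merges only `:configure_user_role => false`, then expects the user present and the role absent, would close the gap. The cfn spec needs the same case. `params` and the enclosing `describe` are defined outside the hunk.

```ruby
# … unchanged: 'when disabling user and role configuration' context …

context 'when disabling only role configuration' do
  before do
    params.merge!( :configure_user_role => false )
  end

  it { should contain_keystone_user('heat') }
  it { should_not contain_keystone_user_role('heat@services') }
end
```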