Merge "Add special user options for domain user"
commit
563616967d
@ -328,6 +328,17 @@ class KsClientWrapper(object):
|
|||||||
# FIXME(shardy): Legacy fallback for folks using old heat.conf
|
# FIXME(shardy): Legacy fallback for folks using old heat.conf
|
||||||
# files which lack domain configuration
|
# files which lack domain configuration
|
||||||
return self.create_stack_user(username=username, password=password)
|
return self.create_stack_user(username=username, password=password)
|
||||||
|
# We are creating automated user, for which most of security
|
||||||
|
# compliance restrictions possibly set in Keystone should not apply,
|
||||||
|
# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
|
||||||
|
# TODO(pas-ha) find a way to deal with password_regex and
|
||||||
|
# disable_user_account_days_inactive
|
||||||
|
# TODO(pas-ha) think if we also need to add lock_password too
|
||||||
|
user_options = {
|
||||||
|
"ignore_change_password_upon_first_use": True,
|
||||||
|
"ignore_password_expiry": True,
|
||||||
|
"ignore_lockout_failure_attempts": True
|
||||||
|
}
|
||||||
# We add the new user to a special keystone role
|
# We add the new user to a special keystone role
|
||||||
# This role is designed to allow easier differentiation of the
|
# This role is designed to allow easier differentiation of the
|
||||||
# heat-generated "stack users" which will generally have credentials
|
# heat-generated "stack users" which will generally have credentials
|
||||||
@ -339,7 +350,8 @@ class KsClientWrapper(object):
|
|||||||
# Create user
|
# Create user
|
||||||
user = self.domain_admin_client.users.create(
|
user = self.domain_admin_client.users.create(
|
||||||
name=self._get_username(username), password=password,
|
name=self._get_username(username), password=password,
|
||||||
default_project=project_id, domain=self.stack_domain_id)
|
default_project=project_id, domain=self.stack_domain_id,
|
||||||
|
options=user_options)
|
||||||
# Add to stack user role
|
# Add to stack user role
|
||||||
LOG.debug("Adding user %(user)s to role %(role)s",
|
LOG.debug("Adding user %(user)s to role %(role)s",
|
||||||
{'user': user.id, 'role': role_id})
|
{'user': user.id, 'role': role_id})
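Review bot: `"ignore_lockout_failure_attempts": True` in the new `user_options` dict is the one exemption that switches off a protective control, yet the comment above the dict justifies all three options collectively and never says why lockout is waived. With it set, Keystone's failed-attempt lockout no longer applies to these stack domain users, so the reason should be recorded next to the key, for example `# lockout waived so repeated failed logins cannot disable a stack user; failed-auth monitoring is the remaining control` if that is the intent. Separately, the legacy fallback `return self.create_stack_user(username=username, password=password)` returns before `user_options` is built, so users created on that path presumably get none of these options; either pass them through, if `create_stack_user` can accept them, or note the gap in the FIXME. The enclosing method starts and ends outside the hunks shown, so the fallback condition itself is not visible here.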
|
||||||
|
@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||||||
ctx = utils.dummy_context()
|
ctx = utils.dummy_context()
|
||||||
self.patchobject(ctx, '_create_auth_plugin')
|
self.patchobject(ctx, '_create_auth_plugin')
|
||||||
ctx.trust_id = None
|
ctx.trust_id = None
|
||||||
|
user_options = dict(ignore_password_expiry=True,
|
||||||
|
ignore_change_password_upon_first_use=True,
|
||||||
|
ignore_lockout_failure_attempts=True)
|
||||||
|
|
||||||
# mock keystone client functions
|
# mock keystone client functions
|
||||||
self._stub_domain_admin_client()
|
self._stub_domain_admin_client()
|
||||||
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||||||
name='duser',
|
name='duser',
|
||||||
password=None,
|
password=None,
|
||||||
default_project='aproject',
|
default_project='aproject',
|
||||||
domain='adomain123')
|
domain='adomain123',
|
||||||
|
options=user_options)
|
||||||
self.mock_ks_v3_client.roles.grant.assert_called_once_with(
|
self.mock_ks_v3_client.roles.grant.assert_called_once_with(
|
||||||
project='aproject',
|
project='aproject',
|
||||||
role='4546',
|
role='4546',
|
||||||
|