Create and grant all keystone roles in service-ks-register
This ensures we execute the keystone os_* modules in one place. Also rework some of the task names and loop item display. Change-Id: I6764a71e8147410e7b24b0b73d0f92264f45240c
This commit is contained in:
parent
b7bbbae981
commit
741f6d9be9
ansible/roles
barbican
cloudkitty
heat
monasca
service-ks-register
@ -133,3 +133,9 @@ barbican_ks_users:
|
||||
user: "{{ barbican_keystone_user }}"
|
||||
password: "{{ barbican_keystone_password }}"
|
||||
role: "admin"
|
||||
|
||||
barbican_ks_roles:
|
||||
- "{{ barbican_keymanager_role }}"
|
||||
- "{{ barbican_creator_role }}"
|
||||
- "{{ barbican_observer_role }}"
|
||||
- "{{ barbican_audit_role }}"
|
||||
|
@ -5,20 +5,5 @@
|
||||
service_ks_register_auth: "{{ openstack_barbican_auth }}"
|
||||
service_ks_register_services: "{{ barbican_ks_services }}"
|
||||
service_ks_register_users: "{{ barbican_ks_users }}"
|
||||
service_ks_register_roles: "{{ barbican_ks_roles }}"
|
||||
tags: always
|
||||
|
||||
- name: Creating default barbican roles
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: os_keystone_role
|
||||
module_args:
|
||||
name: "{{ item }}"
|
||||
auth: "{{ openstack_barbican_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
with_items:
|
||||
- "{{ barbican_keymanager_role }}"
|
||||
- "{{ barbican_creator_role }}"
|
||||
- "{{ barbican_observer_role }}"
|
||||
- "{{ barbican_audit_role }}"
|
||||
|
@ -140,3 +140,6 @@ cloudkitty_ks_users:
|
||||
user: "{{ cloudkitty_keystone_user }}"
|
||||
password: "{{ cloudkitty_keystone_password }}"
|
||||
role: "admin"
|
||||
|
||||
cloudkitty_ks_roles:
|
||||
- "{{ cloudkitty_openstack_keystone_default_role }}"
|
||||
|
@ -5,15 +5,5 @@
|
||||
service_ks_register_auth: "{{ openstack_cloudkitty_auth }}"
|
||||
service_ks_register_services: "{{ cloudkitty_ks_services }}"
|
||||
service_ks_register_users: "{{ cloudkitty_ks_users }}"
|
||||
service_ks_register_roles: "{{ cloudkitty_ks_roles }}"
|
||||
tags: always
|
||||
|
||||
- name: Creating the rating role
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: os_keystone_role
|
||||
module_args:
|
||||
name: "{{ cloudkitty_openstack_keystone_default_role }}"
|
||||
auth: "{{ openstack_cloudkitty_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
|
@ -161,3 +161,12 @@ heat_ks_users:
|
||||
user: "{{ heat_keystone_user }}"
|
||||
password: "{{ heat_keystone_password }}"
|
||||
role: "admin"
|
||||
|
||||
heat_ks_roles:
|
||||
- "{{ heat_stack_owner_role }}"
|
||||
- "{{ heat_stack_user_role }}"
|
||||
|
||||
heat_ks_user_roles:
|
||||
- project: "{{ openstack_auth.project_name }}"
|
||||
user: "{{ openstack_auth.username }}"
|
||||
role: "{{ heat_stack_owner_role }}"
|
||||
|
@ -5,40 +5,6 @@
|
||||
service_ks_register_auth: "{{ openstack_heat_auth }}"
|
||||
service_ks_register_services: "{{ heat_ks_services }}"
|
||||
service_ks_register_users: "{{ heat_ks_users }}"
|
||||
service_ks_register_roles: "{{ heat_ks_roles }}"
|
||||
service_ks_register_user_roles: "{{ heat_ks_user_roles }}"
|
||||
tags: always
|
||||
|
||||
- name: Creating the heat_stack_user role
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: os_keystone_role
|
||||
module_args:
|
||||
name: "{{ heat_stack_user_role }}"
|
||||
auth: "{{ openstack_heat_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
|
||||
- name: Creating the heat_stack_owner role
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: os_keystone_role
|
||||
module_args:
|
||||
name: "{{ heat_stack_owner_role }}"
|
||||
auth: "{{ openstack_heat_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
|
||||
- name: Add the heat_stack_owner role to the admin project
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_user_role"
|
||||
module_args:
|
||||
project: "{{ openstack_auth.project_name }}"
|
||||
user: "{{ openstack_auth.username }}"
|
||||
role: "{{ heat_stack_owner_role }}"
|
||||
region_name: "{{ openstack_region_name }}"
|
||||
auth: "{{ openstack_heat_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
|
@ -367,3 +367,9 @@ monasca_ks_users:
|
||||
user: "{{ monasca_agent_user }}"
|
||||
password: "{{ monasca_agent_password }}"
|
||||
role: "{{ monasca_agent_authorized_roles | first }}"
|
||||
|
||||
monasca_ks_roles:
|
||||
- "{{ monasca_default_authorized_roles }}"
|
||||
- "{{ monasca_agent_authorized_roles }}"
|
||||
- "{{ monasca_read_only_authorized_roles }}"
|
||||
- "{{ monasca_delegate_authorized_roles }}"
|
||||
|
@ -5,22 +5,5 @@
|
||||
service_ks_register_auth: "{{ monasca_openstack_auth }}"
|
||||
service_ks_register_services: "{{ monasca_ks_services }}"
|
||||
service_ks_register_users: "{{ monasca_ks_users }}"
|
||||
service_ks_register_roles: "{{ monasca_ks_roles }}"
|
||||
tags: always
|
||||
|
||||
|
||||
- name: Creating monasca roles
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: os_keystone_role
|
||||
module_args:
|
||||
name: "{{ item }}"
|
||||
region_name: "{{ openstack_region_name }}"
|
||||
auth: "{{ monasca_openstack_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
run_once: True
|
||||
with_items:
|
||||
- "{{ monasca_default_authorized_roles }}"
|
||||
- "{{ monasca_agent_authorized_roles }}"
|
||||
- "{{ monasca_read_only_authorized_roles }}"
|
||||
- "{{ monasca_delegate_authorized_roles }}"
|
||||
|
@ -7,11 +7,34 @@ service_ks_register_endpoint_region: "{{ openstack_region_name }}"
|
||||
service_ks_register_domain: "default"
|
||||
service_ks_register_delegate_host: "{{ groups['control'][0] }}"
|
||||
# A list of services to register with Keystone. Each service definition should
|
||||
# provide a description, service type, and a list of associated endpoints to be
|
||||
# registered.
|
||||
# provide the following fields:
|
||||
# 'name'
|
||||
# 'description'
|
||||
# 'type'
|
||||
# 'endpoints'
|
||||
# The 'endpoints' field should be a list, with each item having the following
|
||||
# fields:
|
||||
# 'url'
|
||||
# 'interface'
|
||||
service_ks_register_services: []
|
||||
# A list of users and associated roles for this service to register with Keystone
|
||||
# A list of users and associated roles for this service to register with
|
||||
# Keystone. Each item should provide the following fields:
|
||||
# 'project'
|
||||
# 'user'
|
||||
# 'password'
|
||||
# 'role'
|
||||
# The project, user and role will be created if they do not exist, and the user
|
||||
# will be granted the role in the project.
|
||||
service_ks_register_users: []
|
||||
# A list of roles to register with Keystone.
|
||||
service_ks_register_roles: []
|
||||
# A list of existing users and associated roles for this service to register
|
||||
# with Keystone. Each item should provide the following fields:
|
||||
# 'project'
|
||||
# 'user'
|
||||
# 'role'
|
||||
# The user will be granted the role in the project.
|
||||
service_ks_register_user_roles: []
|
||||
# Number of retries for each task.
|
||||
service_ks_register_retries: 5
|
||||
# Delay between task retries.
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: Creating the {{ project_name }} service
|
||||
- name: "{{ project_name }} | Creating services"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_keystone_service"
|
||||
@ -14,12 +14,16 @@
|
||||
run_once: True
|
||||
loop: "{{ service_ks_register_services }}"
|
||||
delegate_to: "{{ service_ks_register_delegate_host }}"
|
||||
loop_control:
|
||||
label:
|
||||
name: "{{ item.name }}"
|
||||
service_type: "{{ item.type }}"
|
||||
register: service_ks_register_result
|
||||
until: service_ks_register_result is success
|
||||
retries: "{{ service_ks_register_retries }}"
|
||||
delay: "{{ service_ks_register_delay }}"
|
||||
|
||||
- name: Creating the {{ project_name }} endpoints
|
||||
- name: "{{ project_name }} | Creating endpoints"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_keystone_endpoint"
|
||||
@ -37,12 +41,17 @@
|
||||
- "{{ service_ks_register_services }}"
|
||||
- endpoints
|
||||
delegate_to: "{{ service_ks_register_delegate_host }}"
|
||||
loop_control:
|
||||
label:
|
||||
service: "{{ item.0.name }}"
|
||||
url: "{{ item.1.url }}"
|
||||
interface: "{{ item.1.interface }}"
|
||||
register: service_ks_register_result
|
||||
until: service_ks_register_result is success
|
||||
retries: "{{ service_ks_register_retries }}"
|
||||
delay: "{{ service_ks_register_delay }}"
|
||||
|
||||
- name: Creating the {{ project_name }} service project
|
||||
- name: "{{ project_name }} | Creating projects"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_project"
|
||||
@ -61,7 +70,7 @@
|
||||
retries: "{{ service_ks_register_retries }}"
|
||||
delay: "{{ service_ks_register_delay }}"
|
||||
|
||||
- name: Creating the {{ project_name }} service users
|
||||
- name: "{{ project_name }} | Creating users"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_user"
|
||||
@ -86,7 +95,7 @@
|
||||
retries: "{{ service_ks_register_retries }}"
|
||||
delay: "{{ service_ks_register_delay }}"
|
||||
|
||||
- name: Creating the {{ project_name }} service roles
|
||||
- name: "{{ project_name }} | Creating roles"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_keystone_role"
|
||||
@ -97,14 +106,14 @@
|
||||
interface: "{{ service_ks_register_interface }}"
|
||||
cacert: "{{ service_ks_cacert }}"
|
||||
run_once: True
|
||||
with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list }}"
|
||||
with_items: "{{ service_ks_register_users | map(attribute='role') | unique | list + service_ks_register_roles }}"
|
||||
delegate_to: "{{ service_ks_register_delegate_host }}"
|
||||
register: service_ks_register_result
|
||||
until: service_ks_register_result is success
|
||||
retries: "{{ service_ks_register_retries }}"
|
||||
delay: "{{ service_ks_register_delay }}"
|
||||
|
||||
- name: Granting the {{ project_name }} service user roles
|
||||
- name: "{{ project_name }} | Granting user roles"
|
||||
become: true
|
||||
kolla_toolbox:
|
||||
module_name: "os_user_role"
|
||||
@ -118,7 +127,7 @@
|
||||
interface: "{{ service_ks_register_interface }}"
|
||||
cacert: "{{ service_ks_cacert }}"
|
||||
run_once: True
|
||||
with_items: "{{ service_ks_register_users }}"
|
||||
with_items: "{{ service_ks_register_users + service_ks_register_user_roles }}"
|
||||
delegate_to: "{{ service_ks_register_delegate_host }}"
|
||||
loop_control:
|
||||
label:
|
||||
|
Loading…
x
Reference in New Issue
Block a user