From 2f124f8e9b5d0c74638cd272c8ecb7d2144ce9eb Mon Sep 17 00:00:00 2001
From: Matt Crees <mattc@stackhpc.com>
Date: Fri, 8 Nov 2024 09:44:01 +0000
Subject: [PATCH] Update user role assignments

Adds support for setting the system scope to user role assignments.
Also updates the domain assignment so it can be customised.

Note that the scope assignments follow the precedence of
project->domain->system [1]. As such, the previous default value of
domain was being ignored as we always set a project, so the removal of
the default domain in this patch has no effect on existing behaviour.

1. https://docs.ansible.com/ansible/latest/collections/openstack/cloud/role_assignment_module.html#parameter-system

Change-Id: Ie7fe78ab67b1bf8a19def25fef321de5c2d80aa9
---
 ansible/roles/service-ks-register/tasks/main.yml           | 7 ++++---
 .../update-user-role-assignments-c8e487445a6cadef.yaml     | 4 ++++
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/update-user-role-assignments-c8e487445a6cadef.yaml

diff --git a/ansible/roles/service-ks-register/tasks/main.yml b/ansible/roles/service-ks-register/tasks/main.yml
index 5620d6598e..8e54baa0da 100644
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@@ -107,15 +107,16 @@
         module_args:
           user: "{{ item.user }}"
           role: "{{ item.role }}"
-          project: "{{ item.project }}"
-          domain: "{{ service_ks_register_domain }}"
+          project: "{{ item.project | default(omit) }}"
+          domain: "{{ item.domain | default(omit) }}"
+          system: "{{ item.system | default(omit) }}"
           region_name: "{{ service_ks_register_region_name }}"
           auth: "{{ service_ks_register_auth }}"
           interface: "{{ service_ks_register_interface }}"
           cacert: "{{ service_ks_cacert }}"
       with_items: "{{ service_ks_register_users + service_ks_register_user_roles }}"
       loop_control:
-        label: "{{ item.user }} -> {{ item.project }} -> {{ item.role }}"
+        label: "{{ item.user }} -> {{ item.project | default(item.domain) | default(item.system) }} -> {{ item.role }}"
       register: service_ks_register_result
       until: service_ks_register_result is success
       retries: "{{ service_ks_register_retries }}"
diff --git a/releasenotes/notes/update-user-role-assignments-c8e487445a6cadef.yaml b/releasenotes/notes/update-user-role-assignments-c8e487445a6cadef.yaml
new file mode 100644
index 0000000000..68904b9b08
--- /dev/null
+++ b/releasenotes/notes/update-user-role-assignments-c8e487445a6cadef.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    User role assignments can now customise domain and system scopes.