Make user creation optional when creating service.

In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added parameters configure_user and configure_user_role (default to true). Change-Id: If3d53c2c9070691b4731142f512b1f4bb754be00 Closes-Bug: 1360232
2014-08-22 15:32:29 +03:00
parent d5e18c4906
commit 45788081c9
2 changed files with 60 additions and 8 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -71,6 +71,14 @@
 #   (optional) Whether to create the v3 endpoint.
 #   Defaults to true
 #
+# [*configure_user*]
+#   (optional) Whether to create the service user.
+#   Defaults to true
+#
+# [*configure_user_role*]
+#   (optional) Whether to configure the admin role for the service user.
+#   Defaults to true
+#
 # [*cinder*]
 #   (optional) Deprecated and has no effect
 #   Defaults to undef
@@ -105,6 +113,8 @@ class nova::keystone::auth(
  $public_protocol        = 'http',
  $configure_endpoint     = true,
  $configure_endpoint_v3  = true,
+  $configure_user         = true,
+  $configure_user_role    = true,
  $admin_protocol         = 'http',
  $internal_protocol      = 'http'
 ) {
@@ -127,16 +137,22 @@ class nova::keystone::auth(

  Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'nova-api' |>

-  keystone_user { $auth_name:
-    ensure   => present,
-    password => $password,
-    email    => $email,
-    tenant   => $tenant,
+  if $configure_user {
+    keystone_user { $auth_name:
+      ensure   => present,
+      password => $password,
+      email    => $email,
+      tenant   => $tenant,
+    }
  }
-  keystone_user_role { "${auth_name}@${tenant}":
-    ensure  => present,
-    roles   => 'admin',
+
+  if $configure_user_role {
+    keystone_user_role { "${auth_name}@${tenant}":
+      ensure => present,
+      roles  => 'admin',
+    }
  }
+
  keystone_service { $real_service_name:
    ensure      => present,
    type        => 'compute',
--- a/spec/classes/nova_keystone_endpoint_spec.rb
+++ b/spec/classes/nova_keystone_endpoint_spec.rb
@@ -137,6 +137,42 @@ describe 'nova::keystone::auth' do
    it { should_not contain_keystone_endpoint('RegionOne/nova_ec2') }
  end

+  describe 'when disabling user configuration' do
+    before do
+      params.merge!( :configure_user => false )
+    end
+
+    it { should_not contain_keystone_user('nova') }
+
+    it { should contain_keystone_user_role('nova@services') }
+
+    it { should contain_keystone_service('nova').with(
+      :ensure => 'present',
+      :type        => 'compute',
+      :description => 'Openstack Compute Service'
+    )}
+  end
+
+  describe 'when disabling user and user role configuration' do
+    let :params do
+      {
+        :configure_user      => false,
+        :configure_user_role => false,
+        :password            => 'nova_password'
+      }
+    end
+
+    it { should_not contain_keystone_user('nova') }
+
+    it { should_not contain_keystone_user_role('nova@services') }
+
+    it { should contain_keystone_service('nova').with(
+      :ensure => 'present',
+      :type        => 'compute',
+      :description => 'Openstack Compute Service'
+    )}
+  end
+
  describe 'when configuring nova-api and the keystone endpoint' do
    let :pre_condition do
      "class { 'nova::api': admin_password => 'test' }