From 45788081c9b26dda469d110db5605f905a6c9b3c Mon Sep 17 00:00:00 2001
From: Risto Laurikainen
Date: Fri, 22 Aug 2014 15:32:29 +0300
Subject: [PATCH] Make user creation optional when creating service.
In some cases it is useful to be able to just configure the service in Keystone and not the service user. This is the case when e.g. a read only LDAP backend is used. Added parameters configure_user and configure_user_role (default to true).
Change-Id: If3d53c2c9070691b4731142f512b1f4bb754be00
Closes-Bug: 1360232
---
 manifests/keystone/auth.pp | 32 +++++++++++++-----
 spec/classes/nova_keystone_endpoint_spec.rb | 36 +++++++++++++++++++++
 2 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index d72cf1d1e..4650c680a 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -71,6 +71,14 @@
 # (optional) Whether to create the v3 endpoint.
 # Defaults to true
 #
+# [*configure_user*]
+# (optional) Whether to create the service user.
+# Defaults to true
+#
+# [*configure_user_role*]
+# (optional) Whether to configure the admin role for the service user.
+# Defaults to true
+#
 # [*cinder*]
 # (optional) Deprecated and has no effect
 # Defaults to undef
@@ -105,6 +113,8 @@ class nova::keystone::auth(
 $public_protocol = 'http',
 $configure_endpoint = true,
 $configure_endpoint_v3 = true,
+ $configure_user = true,
+ $configure_user_role = true,
 $admin_protocol = 'http',
 $internal_protocol = 'http'
 ) {
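Review bot: The two parameters added to the class signature, `$configure_user` and `$configure_user_role`, are later used as bare `if` conditions but are never type-checked. A quoted value such as `'false'` coming from Hiera or an ENC is a non-empty string and evaluates as true, so the service user and its admin role would still be created. If puppetlabs-stdlib is available to this module (not visible in the hunk), `validate_bool($configure_user)` and `validate_bool($configure_user_role)` at the top of the class body would turn that misconfiguration into a compile-time failure. The class body continues outside this hunk.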
@@ -127,16 +137,22 @@ class nova::keystone::auth(
 Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'nova-api' |>
- keystone_user { $auth_name:
- ensure => present,
- password => $password,
- email => $email,
- tenant => $tenant,
+ if $configure_user {
+ keystone_user { $auth_name:
+ ensure => present,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ }
 }
- keystone_user_role { "${auth_name}@${tenant}":
- ensure => present,
- roles => 'admin',
+
+ if $configure_user_role {
+ keystone_user_role { "${auth_name}@${tenant}":
+ ensure => present,
+ roles => 'admin',
+ }
 }
+
 keystone_service { $real_service_name:
 ensure => present,
 type => 'compute',
diff --git a/spec/classes/nova_keystone_endpoint_spec.rb b/spec/classes/nova_keystone_endpoint_spec.rb
index 6beb46cd9..7b515e4f0 100644
--- a/spec/classes/nova_keystone_endpoint_spec.rb
+++ b/spec/classes/nova_keystone_endpoint_spec.rb
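Review bot: With `configure_user => false` and `configure_user_role` left at its default, the `keystone_user_role { "${auth_name}@${tenant}": ... roles => 'admin' }` resource is still applied. The `admin` role on `$tenant` then goes to whatever account of that name already exists in the identity backend, an account this class no longer creates or controls. For the read-only LDAP case in the commit message this is probably intended, but it deserves a comment above the second `if`, e.g. `# Grants admin to an externally managed ${auth_name}; the account must already exist in the backend.`, and the same caveat in the parameter docs. It is also worth confirming how `keystone_user_role` behaves when no `keystone_user` resource is in the catalog, since the provider is not visible here. The `keystone_service` resource at the end of the hunk continues outside it.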
@@ -137,6 +137,42 @@ describe 'nova::keystone::auth' do
 it { should_not contain_keystone_endpoint('RegionOne/nova_ec2') }
 end
+ describe 'when disabling user configuration' do
+ before do
+ params.merge!( :configure_user => false )
+ end
+
+ it { should_not contain_keystone_user('nova') }
+
+ it { should contain_keystone_user_role('nova@services') }
+
+ it { should contain_keystone_service('nova').with(
+ :ensure => 'present',
+ :type => 'compute',
+ :description => 'Openstack Compute Service'
+ )}
+ end
+
+ describe 'when disabling user and user role configuration' do
+ let :params do
+ {
+ :configure_user => false,
+ :configure_user_role => false,
+ :password => 'nova_password'
+ }
+ end
+
+ it { should_not contain_keystone_user('nova') }
+
+ it { should_not contain_keystone_user_role('nova@services') }
+
+ it { should contain_keystone_service('nova').with(
+ :ensure => 'present',
+ :type => 'compute',
+ :description => 'Openstack Compute Service'
+ )}
+ end
+
 describe 'when configuring nova-api and the keystone endpoint' do
 let :pre_condition do
 "class { 'nova::api': admin_password => 'test' }
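Review bot: The two new `describe` blocks cover `configure_user => false` alone and both flags off, but not `configure_user_role => false` on its own, the combination where the user must still be created and the admin role must not be granted. A third block asserting `should contain_keystone_user('nova')` and `should_not contain_keystone_user_role('nova@services')` would pin that behaviour. Separately, the first block mutates the shared hash with `params.merge!` inside a `before`, while the second replaces it with `let :params`. Unless `merge!` is the convention elsewhere in this spec (not visible here), using `let :params` in both would keep the examples independent of however `params` is defined outside the hunk. The trailing `describe 'when configuring nova-api and the keystone endpoint'` block continues outside the hunk.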