Merge "Add default manager role support to bootstrap command"

keystone/cmd/bootstrap.py

@@ -42,6 +42,9 @@ class Bootstrapper(object):
         self.member_role_id = None
         self.member_role_name = 'member'
 
+        self.manager_role_id = None
+        self.manager_role_name = 'manager'
+
         self.admin_role_id = None
         self.admin_role_name = None
 
@@ -68,6 +71,7 @@ class Bootstrapper(object):
         self._bootstrap_admin_user()
         self._bootstrap_reader_role()
         self._bootstrap_member_role()
+        self._bootstrap_manager_role()
         self._bootstrap_admin_role()
         self._bootstrap_service_role()
         self._bootstrap_project_role_assignment()
@@ -177,10 +181,23 @@ class Bootstrapper(object):
         self.member_role_id = role['id']
         self._ensure_implied_role(self.member_role_id, self.reader_role_id)
 
+    def _bootstrap_manager_role(self):
+        role = self._ensure_role_exists(self.manager_role_name)
+        self.manager_role_id = role['id']
+        self._ensure_implied_role(self.manager_role_id, self.member_role_id)
+
     def _bootstrap_admin_role(self):
         role = self._ensure_role_exists(self.admin_role_name)
         self.admin_role_id = role['id']
-        self._ensure_implied_role(self.admin_role_id, self.member_role_id)
+        self._ensure_implied_role(self.admin_role_id, self.manager_role_id)
+        # NOTE(dmendiza): deployments older than 2023.2 did not have a
+        # "manager" role, so we need to clean up the old admin -> member
+        # implied role
+        try:
+            PROVIDERS.role_api.delete_implied_role(self.admin_role_id,
+                                                   self.member_role_id)
+        except exception.ImpliedRoleNotFound:
+            pass
 
     def _bootstrap_admin_user(self):
         # NOTE(morganfainberg): Do not create the user if it already exists.

keystone/cmd/cli.py

@@ -186,6 +186,7 @@ class BootStrap(BaseApp):
         self.service_role_id = self.bootstrapper.service_role_id
         self.reader_role_id = self.bootstrapper.reader_role_id
         self.member_role_id = self.bootstrapper.member_role_id
+        self.manager_role_id = self.bootstrapper.manager_role_id
         self.role_id = self.bootstrapper.admin_role_id
         self.project_id = self.bootstrapper.project_id
 

keystone/tests/unit/test_cli.py

@@ -132,22 +132,24 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
             bootstrap.username,
             'default')
         admin_role = PROVIDERS.role_api.get_role(bootstrap.role_id)
-        reader_role = PROVIDERS.role_api.get_role(bootstrap.reader_role_id)
+        manager_role = PROVIDERS.role_api.get_role(bootstrap.manager_role_id)
         member_role = PROVIDERS.role_api.get_role(bootstrap.member_role_id)
+        reader_role = PROVIDERS.role_api.get_role(bootstrap.reader_role_id)
         service_role = PROVIDERS.role_api.get_role(bootstrap.service_role_id)
         role_list = (
             PROVIDERS.assignment_api.get_roles_for_user_and_project(
                 user['id'],
                 project['id']))
 
-        role_list_len = 4
+        role_list_len = 5
         if bootstrap.bootstrapper.project_name:
-            role_list_len = 3
+            role_list_len = 4
 
         self.assertIs(role_list_len, len(role_list))
         self.assertIn(admin_role['id'], role_list)
-        self.assertIn(reader_role['id'], role_list)
+        self.assertIn(manager_role['id'], role_list)
         self.assertIn(member_role['id'], role_list)
+        self.assertIn(reader_role['id'], role_list)
 
         if not bootstrap.bootstrapper.project_name:
             self.assertIn(service_role['id'], role_list)