Rework delegated roles
In deployments that have keystone-only nodes, the keystone nodes need to configure the keystone roles, but they do not have a heat.conf file. The functionality is therefore split between writing the config file and configuring the role. The old role configuration is left in engine as a deprecated parameter. Fixes-bug: #1409977 Change-Id: I84a53c4992bcdfc4440560b78c602d517a18ec39
parent
3d32a5289b
commit
a4af24cb2f
|
@ -40,12 +40,13 @@
|
|||
# Can be "password" or "trusts".
|
||||
# Defaults to 'trusts'
|
||||
#
|
||||
# === Deprecated Parameters
|
||||
#
|
||||
# [*trusts_delegated_roles*]
|
||||
# (optional) Array of trustor roles to be delegated to heat.
|
||||
# This value is also used by heat::keystone::auth if it is set to
|
||||
# configure the keystone roles.
|
||||
# Defaults to ['heat_stack_owner']
|
||||
# Deprecated: Moved to heat::keystone::auth, will be removed in a future release.
|
||||
#
|
||||
# === Deprecated Parameters
|
||||
#
|
||||
# [*configure_delegated_roles*]
|
||||
# (optional) Whether to configure the delegated roles.
|
||||
|
@ -87,7 +88,7 @@ class heat::engine (
|
|||
}
|
||||
|
||||
if $configure_delegated_roles {
|
||||
warning('configure_delegated_roles and trusts_delegated_roles are deprecated in this class')
|
||||
warning ('configure_delegated_roles is deprecated in this class, use heat::keystone::auth')
|
||||
keystone_role { $trusts_delegated_roles:
|
||||
ensure => present,
|
||||
}
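Review bot: The new `warning ('configure_delegated_roles is deprecated in this class, use heat::keystone::auth')` call has a space before the parenthesis, unlike the call it replaces and the `fail(...)` used in heat::keystone::auth. Writing it as `warning('configure_delegated_roles is deprecated in this class, use heat::keystone::auth::configure_delegated_roles')` fixes the spacing and names the replacement parameter in the message. The deprecated branch still declares `keystone_role { $trusts_delegated_roles: }`, so a one-line comment above it, such as `# Deprecated path: remove together with configure_delegated_roles in heat::engine`, would tell the next maintainer what to delete. The class body starts and ends outside this hunk.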
|
||||
|
|
|
@ -144,16 +144,16 @@ class heat::keystone::auth (
|
|||
}
|
||||
|
||||
if $configure_delegated_roles {
|
||||
# Sanity warning - remove after we remove the deprecated items
|
||||
# Sanity check - remove after we remove the deprecated item
|
||||
if $heat::engine::configure_delegated_roles {
|
||||
warning('both heat::engine and heat::keystone::auth are trying to configure delegated roles')
|
||||
fail('both heat::engine and heat::keystone::auth are both trying to configure delegated roles')
|
||||
}
|
||||
# if this is a keystone only node, we configure the role here
|
||||
# but let engine.pp set the config file. A keystone only node
|
||||
# will not have a heat.conf file. We will use the value in
|
||||
# engine.pp as the one source of truth for the delegated role list.
|
||||
keystone_role { $trusts_delegated_roles:
|
||||
ensure => present,
|
||||
}
|
||||
}
|
||||
|
||||
heat_config {
|
||||
'DEFAULT/trusts_delegated_roles': value => $trusts_delegated_roles;
|
||||
}
|
||||
}
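Review bot: The guard `if $heat::engine::configure_delegated_roles {` reads a variable from a class that is not in the catalog on the keystone-only nodes this change targets, and that has not been evaluated yet if heat::engine is declared after heat::keystone::auth. In both cases the lookup should yield undef, so the new `fail()` is skipped silently, and with strict_variables enabled the lookup itself is likely to abort compilation. Making the dependency explicit, `if defined(Class['heat::engine']) and $heat::engine::configure_delegated_roles {`, covers the keystone-only case; the remaining ordering requirement deserves a sentence in the comment. The comment also names engine.pp as the single source of truth, yet `keystone_role { $trusts_delegated_roles:` reads this class's own variable; if that parameter can differ from heat::engine's list (the parameter list is outside the hunk), the roles created in Keystone and the roles Heat delegates through trusts can drift apart.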
|
||||
|
|
|
@ -19,7 +19,6 @@ describe 'heat::keystone::auth' do
|
|||
:public_protocol => 'http',
|
||||
:admin_protocol => 'http',
|
||||
:internal_protocol => 'http',
|
||||
:trusts_delegated_roles => ['heat_stack_owner'],
|
||||
:configure_delegated_roles => false,
|
||||
}
|
||||
end
|
||||
|
@ -143,20 +142,52 @@ describe 'heat::keystone::auth' do
|
|||
end
|
||||
|
||||
context 'when configuring delegated roles' do
|
||||
let :pre_condition do
|
||||
"class { 'heat::engine':
|
||||
auth_encryption_key => 'abcdef',
|
||||
configure_delegated_roles => false,
|
||||
}
|
||||
"
|
||||
end
|
||||
|
||||
let :facts do
|
||||
{ :osfamily => 'Debian' }
|
||||
end
|
||||
|
||||
before do
|
||||
params.merge!({
|
||||
:configure_delegated_roles => true,
|
||||
:trusts_delegated_roles => ['role1','role2']
|
||||
})
|
||||
end
|
||||
it 'configures delegated roles' do
|
||||
should contain_keystone_role("role1").with(
|
||||
:ensure => 'present'
|
||||
)
|
||||
should contain_keystone_role("role2").with(
|
||||
should contain_keystone_role("heat_stack_owner").with(
|
||||
:ensure => 'present'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with deprecated and new params both set' do
|
||||
let :pre_condition do
|
||||
"class { 'heat::engine':
|
||||
auth_encryption_key => 'abcdef',
|
||||
}
|
||||
"
|
||||
end
|
||||
|
||||
let :facts do
|
||||
{ :osfamily => 'Debian' }
|
||||
end
|
||||
|
||||
let :params do
|
||||
{
|
||||
:configure_delegated_roles => true,
|
||||
:password => 'something',
|
||||
}
|
||||
end
|
||||
it 'should fail with deprecated and new params both set' do
|
||||
expect {
|
||||
should compile
|
||||
}.to raise_error Puppet::Error, /both heat::engine and heat::keystone::auth are both trying to configure delegated roles/
|
||||
end
|
||||
end
|
||||
end
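Review bot: Neither context covers the keystone-only node this commit is written for: both declare heat::engine in `pre_condition`, so `heat::keystone::auth` is never compiled without that class in the catalog. A context with no `pre_condition` and `:configure_delegated_roles => true` would pin that case. The rewritten 'configures delegated roles' example also drops the `role1`/`role2` list, so a non-default role list is no longer tested. The failure test depends on heat::engine's default for `configure_delegated_roles`, which is not visible here; setting it explicitly in that `pre_condition` would stop the test from passing or failing by accident. The enclosing describe block starts outside the hunk, so the sketch below assumes no outer `pre_condition` declares heat::engine.

```ruby
context 'when configuring delegated roles on a keystone-only node' do
  # No pre_condition on purpose: heat::engine must be absent from the catalog.
  let :facts do
    { :osfamily => 'Debian' }
  end

  before do
    params.merge!({
      :configure_delegated_roles => true,
    })
  end

  it 'configures delegated roles without heat::engine' do
    should contain_keystone_role("heat_stack_owner").with(
      :ensure => 'present'
    )
  end
end
```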
|
||||
|
|