Rework delegated roles

In deployments that have keystone-only nodes, the keystone nodes will
need to configure the keystone roles, but they will not have a heat.conf
file. This means that writing the config file and configuring the role
are now split. The old role configuration is left in engine as a
deprecated parameter.

Fixes-bug: #1409977

Change-Id: I84a53c4992bcdfc4440560b78c602d517a18ec39
Matt Fischer 2015-01-12 19:15:50 -07:00
parent 3d32a5289b
commit a4af24cb2f
3 changed files with 48 additions and 16 deletions


@ -40,12 +40,13 @@
# Can be "password" or "trusts".
# Defaults to 'trusts'
#
# === Deprecated Parameters
#
# [*trusts_delegated_roles*]
# (optional) Array of trustor roles to be delegated to heat.
# This value is also used by heat::keystone::auth if it is set to
# configure the keystone roles.
# Defaults to ['heat_stack_owner']
# Deprecated: Moved to heat::keystone::auth, will be removed in a future release.
#
# === Deprecated Parameters
#
# [*configure_delegated_roles*]
# (optional) Whether to configure the delegated roles.
@ -87,7 +88,7 @@ class heat::engine (
}
if $configure_delegated_roles {
warning('configure_delegated_roles and trusts_delegated_roles are deprecated in this class')
warning ('configure_delegated_roles is deprecated in this class, use heat::keystone::auth')
keystone_role { $trusts_delegated_roles:
ensure => present,
}
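Review bot: The reworded deprecation call in the `if $configure_delegated_roles` branch is written `warning ('configure_delegated_roles is deprecated ...')` with a space before the parenthesis, while the other `warning(` and `fail(` calls on this page have none; I would write it as `warning('configure_delegated_roles is deprecated in this class, use heat::keystone::auth')`. This branch still declares `keystone_role { $trusts_delegated_roles: }` itself, so a one-line comment above the resource such as `# deprecated path: role creation now belongs to heat::keystone::auth` would tell the next reader why both classes can create the same roles. The class body starts and ends outside the hunk.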


@ -144,16 +144,16 @@ class heat::keystone::auth (
}
if $configure_delegated_roles {
# Sanity warning - remove after we remove the deprecated items
# Sanity check - remove after we remove the deprecated item
if $heat::engine::configure_delegated_roles {
warning('both heat::engine and heat::keystone::auth are trying to configure delegated roles')
fail('both heat::engine and heat::keystone::auth are both trying to configure delegated roles')
}
# if this is a keystone only node, we configure the role here
# but let engine.pp set the config file. A keystone only node
# will not have a heat.conf file. We will use the value in
# engine.pp as the one source of truth for the delegated role list.
keystone_role { $trusts_delegated_roles:
ensure => present,
}
}
heat_config {
'DEFAULT/trusts_delegated_roles': value => $trusts_delegated_roles;
}
}
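Review bot: The guard `if $heat::engine::configure_delegated_roles` reads a variable from a class that is not declared at all on the keystone-only nodes this change targets, and when heat::engine is declared its value is only visible if that class was evaluated before this one. In the first case the lookup is an undefined variable (an error when strict_variables is enabled); in the second the `fail()` is skipped and the two `keystone_role { $trusts_delegated_roles: }` declarations would instead collide as a duplicate resource with a less helpful message. I would make the dependency explicit, for example `if defined(Class['heat::engine']) and $heat::engine::configure_delegated_roles {`, and state the ordering requirement in the comment above it. The comment also calls engine.pp the one source of truth for the role list, yet the resource uses this class's own `$trusts_delegated_roles`; because this list decides which roles are delegated to heat through trusts, the keystone roles and the heat.conf value should visibly come from the same place. The class's parameter list is outside the hunk, so that last point is inferred.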


@ -19,7 +19,6 @@ describe 'heat::keystone::auth' do
:public_protocol => 'http',
:admin_protocol => 'http',
:internal_protocol => 'http',
:trusts_delegated_roles => ['heat_stack_owner'],
:configure_delegated_roles => false,
}
end
@ -143,20 +142,52 @@ describe 'heat::keystone::auth' do
end
context 'when configuring delegated roles' do
let :pre_condition do
"class { 'heat::engine':
auth_encryption_key => 'abcdef',
configure_delegated_roles => false,
}
"
end
let :facts do
{ :osfamily => 'Debian' }
end
before do
params.merge!({
:configure_delegated_roles => true,
:trusts_delegated_roles => ['role1','role2']
})
end
it 'configures delegated roles' do
should contain_keystone_role("role1").with(
:ensure => 'present'
)
should contain_keystone_role("role2").with(
should contain_keystone_role("heat_stack_owner").with(
:ensure => 'present'
)
end
end
describe 'with deprecated and new params both set' do
let :pre_condition do
"class { 'heat::engine':
auth_encryption_key => 'abcdef',
}
"
end
let :facts do
{ :osfamily => 'Debian' }
end
let :params do
{
:configure_delegated_roles => true,
:password => 'something',
}
end
it 'should fail with deprecated and new params both set' do
expect {
should compile
}.to raise_error Puppet::Error, /both heat::engine and heat::keystone::auth are both trying to configure delegated roles/
end
end
end
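Review bot: Neither context here covers the case the commit is written for, a keystone-only node where heat::engine is not declared: both `pre_condition` blocks declare `heat::engine`, so the cross-class check in heat::keystone::auth is never exercised without that class in the catalog. I would add a context with no `pre_condition` and `:configure_delegated_roles => true` that asserts `should contain_keystone_role("heat_stack_owner").with(:ensure => 'present')`. The failure case also relies on heat::engine's default for `configure_delegated_roles`, which is not visible on this page; writing `configure_delegated_roles => true,` explicitly in that `pre_condition` keeps the test meaningful if the default is later changed.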