Heat Fixes

- currently non-admin user aren't able to create stacks with i.e.
  Resource OS::Heat::SoftwareDeployment
- added heat domain
        heat domain_admin
        heat_stack_owner and user role
- added missing configuration options
- fixed some smaller ruby /cookstyle offenses
Change-Id: I6ae544dcc6260050304e66e227383e0e944a6bb6

Berksfile

@@ -1,11 +1,10 @@
-source "https://supermarket.chef.io"
+source 'https://supermarket.chef.io'
 
 metadata
 
-cookbook "openstack-identity",
-  github: "openstack/cookbook-openstack-identity"
-cookbook "openstack-common",
-  github: "openstack/cookbook-openstack-common"
-cookbook "openstackclient",
-  github: "cloudbau/cookbook-openstackclient"
-
+cookbook 'openstack-identity',
+  github: 'openstack/cookbook-openstack-identity'
+cookbook 'openstack-common',
+  github: 'openstack/cookbook-openstack-common'
+cookbook 'openstackclient',
+  github: 'cloudbau/cookbook-openstackclient'

Rakefile

@@ -1,40 +1,39 @@
-task default: ["test"]
+task default: ['test']
 
-task :test => [:syntax, :lint, :unit]
+task test: [:syntax, :lint, :unit]
 
-desc "Vendor the cookbooks in the Berksfile"
+desc 'Vendor the cookbooks in the Berksfile'
 task :berks_prep do
-  sh %{chef exec berks vendor}
+  sh %(chef exec berks vendor)
 end
 
-desc "Run FoodCritic (syntax) tests"
+desc 'Run FoodCritic (syntax) tests'
 task :syntax do
-  sh %{chef exec foodcritic --exclude spec -f any .}
+  sh %(chef exec foodcritic --exclude spec -f any .)
 end
 
-desc "Run RuboCop (lint) tests"
+desc 'Run RuboCop (lint) tests'
 task :lint do
-  sh %{chef exec cookstyle}
+  sh %(chef exec cookstyle)
 end
 
-desc "Run RSpec (unit) tests"
-task :unit => :berks_prep do
-  sh %{chef exec rspec --format documentation}
+desc 'Run RSpec (unit) tests'
+task unit: :berks_prep do
+  sh %(chef exec rspec --format documentation)
 end
 
-desc "Remove the berks-cookbooks directory and the Berksfile.lock"
+desc 'Remove the berks-cookbooks directory and the Berksfile.lock'
 task :clean do
   rm_rf [
     'berks-cookbooks',
-    'Berksfile.lock'
+    'Berksfile.lock',
   ]
 end
 
-desc "All-in-One Neutron build Infra using Common task"
+desc 'All-in-One Neutron build Infra using Common task'
 task :integration do
   # Use the common integration task
   sh %(wget -nv -t 3 -O Rakefile-Common https://raw.githubusercontent.com/openstack/cookbook-openstack-common/master/Rakefile)
   load './Rakefile-Common'
-  Rake::Task["common_integration"].invoke
+  Rake::Task['common_integration'].invoke
 end
-

attributes/heat_conf.rb

@@ -18,6 +18,8 @@
 #
 
 default['openstack']['orchestration']['conf']['DEFAULT']['log_dir'] = '/var/log/heat'
+default['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin'] = 'heat_domain_admin'
+default['openstack']['orchestration']['conf']['DEFAULT']['stack_user_domain_name'] = 'heat'
 default['openstack']['orchestration']['conf']['oslo_messaging_notifications']['driver'] = 'heat.openstack.common.notifier.rpc_notifier'
 default['openstack']['orchestration']['conf']['keystone_authtoken']['auth_type'] = 'v3password'
 default['openstack']['orchestration']['conf']['keystone_authtoken']['username'] = 'heat'

recipes/common.rb

@@ -50,6 +50,7 @@ end
 
 db_user = node['openstack']['db']['orchestration']['username']
 db_pass = get_password 'db', 'heat'
+stack_domain_admin = node['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin']
 
 identity_endpoint = internal_endpoint 'identity'
 identity_admin_endpoint = admin_endpoint 'identity'
@@ -97,6 +98,8 @@ node.default['openstack']['orchestration']['conf_secrets'].tap do |conf_secrets|
     get_password 'service', 'openstack-orchestration'
   conf_secrets['trustee']['password'] =
     get_password 'service', 'openstack-orchestration'
+  conf_secrets['DEFAULT']['stack_domain_admin_password'] =
+    get_password 'user', stack_domain_admin
 end
 
 # merge all config options and secrets to be used in the heat.conf

recipes/identity_registration.rb

@@ -34,7 +34,8 @@ public_heat_endpoint = public_endpoint 'orchestration-api'
 admin_heat_cfn_endpoint = admin_endpoint 'orchestration-api-cfn'
 internal_heat_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
 public_heat_cfn_endpoint = public_endpoint 'orchestration-api-cfn'
-
+stack_domain_admin = node['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin']
+stack_domain_admin_password = get_password 'user', stack_domain_admin
 service_pass = get_password 'service', 'openstack-orchestration'
 service_project_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['project_name']
 service_user = node['openstack']['orchestration']['conf']['keystone_authtoken']['username']
@@ -42,6 +43,7 @@ service_role = node['openstack']['orchestration']['service_role']
 service_type = 'orchestration'
 service_name = 'heat'
 service_domain_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['user_domain_name']
+heat_domain_name = node['openstack']['orchestration']['conf']['DEFAULT']['stack_user_domain_name']
 admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
 admin_project = node['openstack']['identity']['admin_project']
@@ -184,3 +186,30 @@ openstack_user service_user do
   connection_params connection_params
   action :grant_domain
 end
+
+openstack_domain heat_domain_name do
+  connection_params connection_params
+end
+
+openstack_user stack_domain_admin do
+  domain_name heat_domain_name
+  role_name 'admin'
+  password stack_domain_admin_password
+  connection_params connection_params
+end
+
+openstack_user stack_domain_admin do
+  domain_name heat_domain_name
+  role_name 'admin'
+  user_name stack_domain_admin
+  connection_params connection_params
+  action :grant_role
+end
+
+openstack_role 'heat_stack_owner' do
+  connection_params connection_params
+end
+
+openstack_role 'heat_stack_user' do
+  connection_params connection_params
+end

spec/identity_registration_spec.rb

@@ -19,6 +19,8 @@ describe 'openstack-orchestration::identity_registration' do
     service_name = 'heat'
     service_type = 'orchestration'
     service_user = 'heat'
+    stack_domain_admin = 'heat_domain_admin'
+    stack_domain_name = 'heat'
     url = 'http://127.0.0.1:8004/v1/%(tenant_id)s'
     region = 'RegionOne'
     project_name = 'service'
@@ -80,6 +82,22 @@ describe 'openstack-orchestration::identity_registration' do
       )
     end
 
+    it do
+      expect(chef_run).to create_openstack_role(
+        'heat_stack_owner'
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
+    it do
+      expect(chef_run).to create_openstack_role(
+        'heat_stack_user'
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
     it do
       expect(chef_run).to grant_role_openstack_user(
         service_user
@@ -91,6 +109,24 @@ describe 'openstack-orchestration::identity_registration' do
       )
     end
 
+    it do
+      expect(chef_run).to create_openstack_domain(
+        stack_domain_name
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
+    it do
+      expect(chef_run).to grant_role_openstack_user(
+        stack_domain_admin
+      ).with(
+        domain_name: stack_domain_name,
+        role_name: 'admin',
+        password: password,
+        connection_params: connection_params
+      )
+    end
     it 'register heat cloudformation service' do
       expect(chef_run).to create_openstack_service(
         'heat-cfn'

spec/spec_helper.rb

@@ -46,6 +46,9 @@ shared_context 'orchestration_stubs' do
     allow_any_instance_of(Chef::Recipe).to receive(:get_password)
       .with('service', 'openstack-orchestration')
       .and_return 'heat-pass'
+    allow_any_instance_of(Chef::Recipe).to receive(:get_password)
+      .with('user', 'heat_domain_admin')
+      .and_return 'heat-pass'
     allow_any_instance_of(Chef::Recipe).to receive(:get_password)
       .with('user', 'admin')
       .and_return 'admin-pass'