Purge old openstack admin access user if changed
If operator has changed admin user, old one will now be stored in /etc/hiera/old_admin_user.yaml as an access hash. Then it will be deleted after new user creation. Change-Id: I30213c02c4a370aee9db1597cf32dd8f08ae6539 Closes-Bug: #1578348
This commit is contained in:
Stanislaw Bogatkin
parent
e35ee4b829
commit
0a36a3bb8c
|
|
@ -0,0 +1 @@
|
|||
class { '::openstack_tasks::keystone::purge_old_admin' :}
|
||||
|
|
@ -104,3 +104,49 @@
|
|||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/workloads_collector_add.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 1800
|
||||
|
||||
- id: generate_changed_admin_user
|
||||
version: 2.1.0
|
||||
type: upload_file
|
||||
role: master
|
||||
condition:
|
||||
yaql_exp: &changed_username >
|
||||
changed($.access.user)
|
||||
requires: [upload_configuration]
|
||||
required_for: [pre_deployment_end]
|
||||
parameters:
|
||||
path: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
|
||||
data:
|
||||
yaql_exp: '{"old_access" => old($).get("access", {})}.toYaml()'
|
||||
|
||||
- id: copy_changed_admin_user
|
||||
type: copy_files
|
||||
version: 2.1.0
|
||||
role: ['/.*/']
|
||||
condition:
|
||||
yaql_exp: *changed_username
|
||||
required_for: [pre_deployment_end]
|
||||
requires: [generate_changed_admin_user]
|
||||
cross-depends:
|
||||
- name: generate_changed_admin_user
|
||||
role: master
|
||||
parameters:
|
||||
files:
|
||||
- src: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
|
||||
dst: /etc/hiera/old_admin_user.yaml
|
||||
permissions: '0600'
|
||||
dir_permissions: '0700'
|
||||
|
||||
- id: delete_old_admin_user
|
||||
version: 2.1.0
|
||||
type: puppet
|
||||
role: [primary-controller]
|
||||
condition:
|
||||
yaql_exp: *changed_username
|
||||
requires: [post_deployment_start, primary-keystone]
|
||||
required_for: [post_deployment_end]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/keystone/purge_old_admin.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 180
|
||||
cwd: /
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
class openstack_tasks::keystone::purge_old_admin {
|
||||
|
||||
notice('MODULAR: keystone/purge_old_admin.pp')
|
||||
|
||||
$old_access_hash = hiera_hash('old_access', {})
|
||||
$access_hash = hiera_hash('access', {})
|
||||
|
||||
if !empty($old_access_hash) {
|
||||
$old_admin_user = $old_access_hash['user']
|
||||
|
||||
if $old_admin_user != $access_hash['user'] {
|
||||
keystone_user { $old_admin_user:
|
||||
ensure => absent,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -21,6 +21,7 @@ class osnailyfacter::hiera::hiera {
|
|||
'module/%{calling_module}%{disable_globals_yaml}',
|
||||
'deleted_nodes%{disable_globals_yaml}',
|
||||
'nodes%{disable_globals_yaml}',
|
||||
'old_admin_user%{disable_globals_yaml}',
|
||||
'globals%{disable_globals_yaml}',
|
||||
'astute',
|
||||
]
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
class { '::openstack_tasks::keystone::purge_old_admin' :}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# ROLE: primary-controller
|
||||
|
||||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
manifest = 'keystone/purge_old_admin.pp'
|
||||
|
||||
describe manifest do
|
||||
shared_examples 'catalog' do
|
||||
|
||||
access_hash = Noop.hiera('old_access', {})
|
||||
|
||||
if !access_hash.empty?
|
||||
it 'should purge old admin user' do
|
||||
is_expected.to contain_keystone_user(access_hash['user']).with_ensure('absent')
|
||||
end
|
||||
end
|
||||
end
|
||||
test_ubuntu_and_centos manifest
|
||||
end
|
||||
Loading…
Reference in New Issue